"keyword","metadata_keyword_regex","metadata_keyword_type","metadata_tool","metadata_description","metadata_tool_techniques","metadata_tool_tactics","metadata_malwares_name","metadata_groups_name","metadata_category","metadata_link","metadata_enable_endpoint_detection","metadata_enable_proxy_detection","metadata_tags","metadata_comment","metadata_severity_score","metadata_popularity_score","metadata_github_stars","metadata_github_forks","metadata_github_updated_at","metadata_github_created_at","metadata_entry_id" "* $domain sirtunnel $domain $serverPort*",".{0,1000}\s\$domain\ssirtunnel\s\$domain\s\$serverPort.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","0","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","16" "* ,exec(__import__('base64').b64decode(""*",".{0,1000}\s,exec\(__import__\(\'base64\'\)\.b64decode\(\"".{0,1000}","greyware_tool_keyword","python","suspicious way of executing code","T1059","TA0005","pytoileur","N/A","Defense Evasion","https://x.com/Ax_Sharma/status/1795813203500322953/photo/4","1","0","N/A","Cool package campaign","8","10","N/A","N/A","N/A","N/A","22" "* ./level-darwin-bundle-amd64.pkg*",".{0,1000}\s\.\/level\-darwin\-bundle\-amd64\.pkg.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","23" "* ./level-linux-amd64 *",".{0,1000}\s\.\/level\-linux\-amd64\s.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","24" "* ./level-linux-arm64 *",".{0,1000}\s\.\/level\-linux\-arm64\s.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","25" "* /bin/nc * -e /bin/bash* > cron && crontab cron*",".{0,1000}\s\/bin\/nc\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}\s\>\scron\s\&\&\scrontab\scron.{0,1000}","greyware_tool_keyword","nc","Linux Persistence Shell cron","T1053 - T1037","TA0003","N/A","Calypso - GALLIUM","Persistence","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","38" "* /bin/nc * -e /bin/bash*> * crontab cron*",".{0,1000}\s\/bin\/nc\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}\>\s.{0,1000}\scrontab\scron.{0,1000}","greyware_tool_keyword","nc","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","Calypso - GALLIUM","Exploitation tool","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","39" "* /c echo mar3pora *",".{0,1000}\s\/c\secho\smar3pora\s.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the ransomware group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41" "* /c echo Pa$$w0rd | 
C:\ProgramData\anydesk.exe*",".{0,1000}\s\/c\secho\sPa\$\$w0rd\s\|\sC\:\\ProgramData\\anydesk\.exe.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the ransomware group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","42" "* /c sc query WinDefend*",".{0,1000}\s\/c\ssc\squery\sWinDefend.{0,1000}","greyware_tool_keyword","sc","Get information about Windows Defender service","T1518.001 - T1049","TA0007 - TA0009","N/A","Snatch","Discovery","https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","44" "* /c start /min powershell -noprofile -w H -c *irw*",".{0,1000}\s\/c\sstart\s\/min\spowershell\s\-noprofile\s\-w\sH\s\-c\s.{0,1000}irw.{0,1000}","greyware_tool_keyword","powershell","Suspicious PowerShell execution behavior often observed in FakeCaptcha phishing attempts","T1059.001 - T1027 - T1564.003","TA0005 - TA0002 - TA0009","N/A","N/A","Collection","https://x.com/malware_traffic/status/1884476331821326816/photo/2","1","0","N/A","N/A","7","6","N/A","N/A","N/A","N/A","45" "* /config:netscan.xml *",".{0,1000}\s\/config\:netscan\.xml\s.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51" "* /Create /RU SYSTEM 
/TN MicrosoftEdgeUpdateTaskMachine /TR *",".{0,1000}\s\/Create\s\/RU\sSYSTEM\s\/TN\sMicrosoftEdgeUpdateTaskMachine\s\/TR\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52" "* /create /tn ""SysChecks"" /tr c:\temp\sch.bat *",".{0,1000}\s\/create\s\/tn\s\""SysChecks\""\s\/tr\sc\:\\temp\\sch\.bat\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54" "* /Create /TN sch.bat /TR ""c:\temp\script.vbs"" *",".{0,1000}\s\/Create\s\/TN\ssch\.bat\s\/TR\s\""c\:\\temp\\script\.vbs\""\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56" "* /EV""NetSupport School""*",".{0,1000}\s\/EV\""NetSupport\sSchool\"".{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","66" "* /f /im RemotePCS*",".{0,1000}\s\/f\s\/im\sRemotePCS.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","67" "* /F /TN ""Level\Level Watchdog""*",".{0,1000}\s\/F\s\/TN\s\""Level\\Level\sWatchdog\"".{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","68" "* /monitor /from_service /cpu_memory_refresh * /disk_space_refresh * /proc_list_refresh * /semkey *",".{0,1000}\s\/monitor\s\/from_service\s\/cpu_memory_refresh\s.{0,1000}\s\/disk_space_refresh\s.{0,1000}\s\/proc_list_refresh\s.{0,1000}\s\/semkey\s.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","81" "* /r /proxy /proxyport /proxyusername /proxypasswd *",".{0,1000}\s\/r\s\/proxy\s\s\/proxyport\s\s\/proxyusername\s\s\/proxypasswd\s.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","93" "* /register /proxy /proxyport /proxyusername /proxypasswd*",".{0,1000}\s\/register\s\s\/proxy\s\s\/proxyport\s\s\/proxyusername\s\s\/proxypasswd.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","95" "* 
/usr/local/bin/expose*",".{0,1000}\s\/usr\/local\/bin\/expose.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","0","#linux","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","114" "* /v ""DisableAntiSpyware"" /t REG_DWORD /d ""1"" /f*",".{0,1000}\s\/v\s\""DisableAntiSpyware\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","115" "* /v ""DisableAntiVirus"" /t REG_DWORD /d ""1"" /f*",".{0,1000}\s\/v\s\""DisableAntiVirus\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","116" "* /v ""DisableIOAVProtection"" /t REG_DWORD /d ""1"" /f*",".{0,1000}\s\/v\s\""DisableIOAVProtection\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","117" "* /v ""DisableOnAccessProtection"" /t REG_DWORD /d ""1"" 
/f*",".{0,1000}\s\/v\s\""DisableOnAccessProtection\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","118" "* /v ""DisableRealtimeMonitoring"" /t REG_DWORD /d ""1"" /f*",".{0,1000}\s\/v\s\""DisableRealtimeMonitoring\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","119" "* /v ""DisableScanOnRealtimeEnable"" /t REG_DWORD /d ""1"" /f*",".{0,1000}\s\/v\s\""DisableScanOnRealtimeEnable\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","120" "* /v ""MpEnablePus"" /t REG_DWORD /d ""0"" /f*",".{0,1000}\s\/v\s\""MpEnablePus\""\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","121" "* /v DisableRealtimeMonitoring /t 
REG_DWORD /d 1 /f*",".{0,1000}\s\/v\sDisableRealtimeMonitoring\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","reg command used to disable real-time monitoring in Defender - often abused by attackers","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","126" "* /var/log -type f -exec */tr* -s 0 {} \*",".{0,1000}\/\?\?\?\/\?\?\?\/f\?n\?\s\/var\/log\s\-type\sf\s\-exec\s\/\?\?\?\/\?\?\?\/tr\?\?\?\?\?e\s\-s\s0\s\{\}\s\\.{0,1000}","greyware_tool_keyword","find","truncate every file under /var/log to size 0 - no log content = no forensic evidence.","T1486 - T1553 - T1592.002 - T1081","TA0005 - TA0007 - TA0009","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","128" "* \\\\localhost /user:Username /pwd:Password \""C:\\InstallMe.bat*",".{0,1000}\s\\\\\\\\localhost\s\/user\:Username\s\/pwd\:Password\s\s\\\""C\:\\\\InstallMe\.bat.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","131" "* | clbin*",".{0,1000}\s\|\sclbin.{0,1000}","greyware_tool_keyword","clbin.com","clbin.com can be used for C&C purposes. 
The attacker will place commands on a textbin paste and have the malware fetch the commands.","T1567.002","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://clbin.com/","1","0","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","134" "* Received Request Run command **",".{0,1000}\s\Received\sRequest\sRun\scommand\s.{0,1000}\<\/Data\>.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","138" "* > /var/log/syslog*",".{0,1000}\s\>\s\/var\/log\/syslog.{0,1000}","greyware_tool_keyword","bash","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","143" "* >/var/log/syslog*",".{0,1000}\s\>\/var\/log\/syslog.{0,1000}","greyware_tool_keyword","bash","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","150" "* -a tcrmtshellagentmodule_*",".{0,1000}\s\-a\stcrmtshellagentmodule_.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","174" "* a.pinggy.io*",".{0,1000}\sa\.pinggy\.io.{0,1000}","greyware_tool_keyword","pinggy","Create HTTP/TCP or TLS tunnels to your 
Mac/PC. Even if it is sitting behind firewalls and NATs.","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://pinggy.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","175" "* -accepteula -nobanner -d cmd.exe /c *",".{0,1000}\s\-accepteula\s\-nobanner\s\-d\scmd\.exe\s\/c\s.{0,1000}","greyware_tool_keyword","psexec","Adversaries may place the PsExec executable in the temp directory and execute it from there as part of their offensive activities. By doing so. they can leverage PsExec to execute commands or launch processes on remote systems. enabling Lateral Movement. privilege escalation. or the execution of malicious payloads.","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0008 - TA0009 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","178" "* adaudit.ps1*",".{0,1000}\sadaudit\.ps1.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","201" "* admin create frontend sqJRAINSiB public 
*",".{0,1000}\sadmin\screate\sfrontend\ssqJRAINSiB\spublic\s.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","231" "* ADRecon.ps1*",".{0,1000}\sADRecon\.ps1.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","239" "* advfirewall firewall add rule * dir=in protocol=tcp localport=3389 action=allow*",".{0,1000}\sadvfirewall\sfirewall\sadd\srule\s.{0,1000}\sdir\=in\sprotocol\=tcp\slocalport\=3389\saction\=allow.{0,1000}","greyware_tool_keyword","netsh","Opens port 3389 for RDP inbound access through the firewall","T1021.001 - T1562.004 ","TA0008 - TA0005","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","240" "* aeroadmin.exe*",".{0,1000}\saeroadmin\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","241" "* Ahk2Exe.exe*",".{0,1000}\sAhk2Exe\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - 
TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","250" "* -altgw *.zohoassist.com *",".{0,1000}\s\-altgw\s.{0,1000}\.zohoassist\.com\s.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","260" "* --bin sshx-server*",".{0,1000}\s\-\-bin\ssshx\-server.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","0","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","390" "* boringproxy-client.service*",".{0,1000}\sboringproxy\-client\.service.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","425" "* boringproxy-server.service*",".{0,1000}\sboringproxy\-server\.service.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","426" "* -c 'import pty;pty.spawn(""/bin/bash*",".{0,1000}\s\-c\s\'import\spty\;pty\.spawn\(\""\/bin\/bash.{0,1000}","greyware_tool_keyword","python","interactive shell","T1059","TA0002 - TA0011","N/A","N/A","C2","N/A","1","0","#linux","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A","505" "* -c 'import pty;pty.spawn(""/bin/sh*",".{0,1000}\s\-c\s\'import\spty\;pty\.spawn\(\""\/bin\/sh.{0,1000}","greyware_tool_keyword","python","interactive shell","T1059","TA0002 - TA0011","N/A","N/A","C2","N/A","1","0","#linux","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A","507" "* -c 'import pty;pty.spawn(\""/bin/sh*",".{0,1000}\s\-c\s\'import\spty\;pty\.spawn\(\\\""\/bin\/sh.{0,1000}","greyware_tool_keyword","python","interactive shell","T1059","TA0002 - TA0011","N/A","N/A","C2","N/A","1","0","#linux","greyware_tools high risks of false positives","6","4","N/A","N/A","N/A","N/A","508" "* -c rest_client_zrok -t*",".{0,1000}\s\-c\srest_client_zrok\s\-t.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","512" "* -c1 * --data-string * --icmp *",".{0,1000}\s\-c1\s.{0,1000}\s\-\-data\-string\s.{0,1000}\s\-\-icmp\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","524" "* -c1 * --icmp * --data-string *",".{0,1000}\s\-c1\s.{0,1000}\s\-\-icmp\s.{0,1000}\s\-\-data\-string\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","525" "* c3pool_miner*",".{0,1000}\sc3pool_miner.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","531" "* chrome-remote-desktop@*",".{0,1000}\schrome\-remote\-desktop\@.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","578" "* CN=Quasar Server CA*",".{0,1000}\sCN\=Quasar\sServer\sCA.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#content","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","621" "* --coin *--nicehash *",".{0,1000}\s\-\-coin\s.{0,1000}\-\-nicehash\s.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","633" "* --coin=monero*",".{0,1000}\s\-\-coin\=monero.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","634" "* --config=*c3pool*config_background.json*",".{0,1000}\s\-\-config\=.{0,1000}c3pool.{0,1000}config_background\.json.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","675" "* Connection #*. Connection to ""*"" established. 
Mode: .*",".{0,1000}\sConnection\s\#.{0,1000}\.\sConnection\sto\s\"".{0,1000}\""\sestablished\.\sMode\:\s\\..{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","686" "* Connection #*. Connection to ""*"". Security check - OK. Mode: *",".{0,1000}\sConnection\s\#.{0,1000}\.\sConnection\sto\s\"".{0,1000}\""\.\sSecurity\scheck\s\-\sOK\.\sMode\:\s\s\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","687" "* Connection #*. Connection to ""*"". Security check - OK. Mode: ",".{0,1000}\sConnection\s\#.{0,1000}\.\sConnection\sto\s\"".{0,1000}\""\.\sSecurity\scheck\s\-\sOK\.\sMode\:\s\","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","688" "* Connection #*. 
Direct connection to * (*:5650).*",".{0,1000}\sConnection\s\#.{0,1000}\.\sDirect\sconnection\sto\s.{0,1000}\s\(.{0,1000}\:5650\)\..{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","689" "* create RPCService start=*",".{0,1000}\screate\sRPCService\sstart\=.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","725" "* create ViewerService start=auto*",".{0,1000}\screate\sViewerService\sstart\=auto.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","726" "* croc-entrypoint.sh*",".{0,1000}\scroc\-entrypoint\.sh.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","739" "* -csrc C:\\Windows\\notepad.exe -c cmd.exe*",".{0,1000}\s\-csrc\sC\:\\\\Windows\\\\notepad\.exe\s\-c\scmd\.exe.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral 
Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","746" "* Dameware Mini Remote Control x64 -- Installation completed successfully*",".{0,1000}\sDameware\sMini\sRemote\sControl\sx64\s\-\-\sInstallation\scompleted\ssuccessfully.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","776" "* --data-string * -c1 * --icmp *",".{0,1000}\s\-\-data\-string\s.{0,1000}\s\-c1\s.{0,1000}\s\-\-icmp\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","781" "* --data-string * --icmp * -c1 *",".{0,1000}\s\-\-data\-string\s.{0,1000}\s\-\-icmp\s.{0,1000}\s\-c1\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","782" "* dclist *",".{0,1000}\sdclist\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. 
Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","796" "* del C:\Windows\temp\1 /F /Q*",".{0,1000}\sdel\sC\:\\Windows\\temp\\1\s\/F\s\/Q.{0,1000}","greyware_tool_keyword","del","suspicious deletion made by the Russian Foreign Intelligence Service","T1059.003","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/ThreatIntel-Reports","1","0","N/A","N/A","8","2","109","9","2025-04-22T03:37:27Z","2024-10-23T11:27:13Z","814" "* denied AXFR from *",".{0,1000}\sdenied\sAXFR\sfrom\s.{0,1000}","greyware_tool_keyword","dns","Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts","T1071.004 - T1078.004","TA0011 - TA0006","N/A","N/A","Exploitation tool","https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","4692","1051","2025-01-22T01:58:36Z","2013-09-17T17:07:58Z","824" "* dir /s */ Microsoft.ActiveDirectory.Management.dll*",".{0,1000}\sdir\s\/s\s.{0,1000}\/\sMicrosoft\.ActiveDirectory\.Management\.dll.{0,1000}","greyware_tool_keyword","dir","threat actors searched for Active Directory related DLLs in directories","T1059 - T1083 - T1018","TA0002 - TA0009 - TA0040","N/A","N/A","Discovery","https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","844" "* 
--donate-level=*",".{0,1000}\s\-\-donate\-level\=.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","922" "* --doNotTestSMBv1*",".{0,1000}\s\-\-doNotTestSMBv1.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","924" "* downloads.level.io*",".{0,1000}\sdownloads\.level\.io.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","945" "* DownloadServer=https://www.gotomypc.com *",".{0,1000}\sDownloadServer\=https\:\/\/www\.gotomypc\.com\s.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","946" "* dropping source port zero packet from *",".{0,1000}\sdropping\ssource\sport\szero\spacket\sfrom\s.{0,1000}","greyware_tool_keyword","dns","Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts","T1071.004 - T1078.004","TA0011 - TA0006","N/A","N/A","Exploitation 
tool","https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","4692","1051","2025-01-22T01:58:36Z","2013-09-17T17:07:58Z","967" "* DumpS1.ps1*",".{0,1000}\sDumpS1\.ps1.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","1004" "* ecivreS-potS*",".{0,1000}\secivreS\-potS.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1019" "* -ep Bypass -nop function *[System.Security.Cryptography.Aes]::Create()*.CreateDecryptor()*.TransformFinalBlock*[System.Text.Encoding]::Utf8.GetString*",".{0,1000}\s\-ep\sBypass\-nop\sfunction\s.{0,1000}\[System\.Security\.Cryptography\.Aes\]\:\:Create\(\).{0,1000}\.CreateDecryptor\(\).{0,1000}\.TransformFinalBlock.{0,1000}\[System\.Text\.Encoding\]\:\:Utf8\.GetString.{0,1000}","greyware_tool_keyword","powershell","obfuscation techniques with powershell","T1059.001 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1067" "* -ep Unrestricted -nop function *[System.Security.Cryptography.Aes]::Create()*.CreateDecryptor()*.TransformFinalBlock*[System.Text.Encoding]::Utf8.GetString*",".{0,1000}\s\-ep\sUnrestricted\s\-nop\sfunction\s.{0,1000}\[System\.Security\.Cryptography\.Aes\]\:\:Create\(\).{0,1000}\.CreateDecryptor\(\).{0,1000}\.TransformFinalBlock.{0,1000}\[System\.Text\.Encoding\]\:\:Utf8\.GetString.{0,1000}","greyware_tool_keyword","powershell","obfuscation techniques with powershell","T1059.001 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1068" "* erase /quiet 
/method=* data dir=*",".{0,1000}\serase\s\/quiet\s\/method\=.{0,1000}\sdata\sdir\=.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","1071" "* erase /quiet /methodName=* data dir=*",".{0,1000}\serase\s\/quiet\s\/methodName\=.{0,1000}\sdata\sdir\=.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","1072" "* -exec bypass -nop -c whoami*",".{0,1000}\s\-exec\sbypass\s\-nop\s\-c\swhoami.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt. whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. privilege escalation.
or targeted attacks within the compromised network.","T1003.001 - T1087 - T1057 ","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","1101" "* exiting (due to fatal error)*",".{0,1000}\sexiting\s\(due\sto\sfatal\serror\).{0,1000}","greyware_tool_keyword","dns","Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts","T1071.004 - T1078.004","TA0011 - TA0006","N/A","N/A","Exploitation tool","https://github.com/ossec/ossec-hids/blob/master/etc/rules/named_rules.xml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","4692","1051","2025-01-22T01:58:36Z","2013-09-17T17:07:58Z","1131" "* -f ""(objectcategory=computer)"" -s subtree dn operatingSystem*",".{0,1000}\s\-f\s\""\(objectcategory\=computer\)\""\s\-s\ssubtree\sdn\soperatingSystem.{0,1000}","greyware_tool_keyword","adfind","Enumerate All Computers in the Domain","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1143" "* -f ""(objectcategory=person)"" -s subtree samaccountname userPrincipalName*",".{0,1000}\s\-f\s\""\(objectcategory\=person\)\""\s\-s\ssubtree\ssamaccountname\suserPrincipalName.{0,1000}","greyware_tool_keyword","adfind","Enumerate All Users in the Domain","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - 
Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1144" "* -f ""(objectcategory=trustedDomain)"" -s subtree name trustAttributes trustDirection trustType*",".{0,1000}\s\-f\s\""\(objectcategory\=trustedDomain\)\""\s\-s\ssubtree\sname\strustAttributes\strustDirection\strustType.{0,1000}","greyware_tool_keyword","adfind","Dump All Domain Trusts","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1145" "* -f *.dmp windows.cmdline*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.cmdline.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1148" "* -f *.dmp windows.dlllist --pid *",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.dlllist\s\-\-pid\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - 
TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1149" "* -f *.dmp windows.filescan*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.filescan.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1150" "* -f *.dmp windows.handles --pid *",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.handles\s\-\-pid\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1151" "* -f *.dmp windows.info*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.info.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1152" "* -f *.dmp windows.malfind*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.malfind.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - 
TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1153" "* -f *.dmp windows.netscan*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.netscan.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1154" "* -f *.dmp windows.netstat*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.netstat.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1155" "* -f *.dmp windows.pslist*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.pslist.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1156" "* -f *.dmp windows.psscan*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.psscan.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - 
TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1157" "* -f *.dmp windows.pstree*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.pstree.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1158" "* -f *.dmp windows.registry.hivelist*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.registry\.hivelist.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1159" "* -f *.dmp windows.registry.hivescan*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.registry\.hivescan.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1160" "* -f *.dmp windows.registry.printkey*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.registry\.printkey.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 
- T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1161" "* -f *.dmp windows.registry.printkey*Software\Microsoft\Windows\CurrentVersion*",".{0,1000}\s\-f\s.{0,1000}\.dmp\swindows\.registry\.printkey.{0,1000}Software\\Microsoft\\Windows\\CurrentVersion.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","#registry","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1162" "* Get-AVStatus.ps1*",".{0,1000}\sGet\-AVStatus\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","1315" "* gifnoc cs*",".{0,1000}\sgifnoc\scs.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1340" "* gost.tar.gz*",".{0,1000}\sgost\.tar\.gz.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","1363" "* gost/cmd/gost*",".{0,1000}\sgost\/cmd\/gost.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","1364" "* gotoopener://launch.getgo.com/*",".{0,1000}\sgotoopener\:\/\/launch\.getgo\.com\/.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1366" "* gt-win-x86_64.exe*",".{0,1000}\sgt\-win\-x86_64\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","1396" "* host -p * --allow-anonymous --protocol https*",".{0,1000}\shost\s\-p\s.{0,1000}\s\-\-allow\-anonymous\s\-\-protocol\shttps.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","1432" "* host -p 443 -allow-anonymous*",".{0,1000}\shost\s\-p\s443\s\-allow\-anonymous.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","1433" "* hostPath=""c:\"" writable=""true"" autoMount=""true""*",".{0,1000}\shostPath\=\""c\:\\\""\swritable\=\""true\""\sautoMount\=\""true\"".{0,1000}","greyware_tool_keyword","VirtualBox","adding the entire C drive as a shared folder for a VM","T1021.001 - T1137 - T1072","TA0006 - TA0008 - TA0005","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1440" "* http-put-server.py*",".{0,1000}\shttp\-put\-server\.py.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","1525" "* -i remotepc.deb*",".{0,1000}\s\-i\sremotepc\.deb.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC 
RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1599" "* --icmp * -c1 * --data-string *",".{0,1000}\s\-\-icmp\s.{0,1000}\s\-c1\s.{0,1000}\s\-\-data\-string\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","1608" "* --icmp * --data-string * -c1 *",".{0,1000}\s\-\-icmp\s.{0,1000}\s\-\-data\-string\s.{0,1000}\s\-c1\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","1609" "* install bore-cli*",".{0,1000}\sinstall\sbore\-cli.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","N/A","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","1678" "* install -c conda-forge sshtunnel*",".{0,1000}\sinstall\s\-c\sconda\-forge\ssshtunnel.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","1679" "* install c3pool_miner *",".{0,1000}\sinstall\sc3pool_miner\s.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - 
APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","1680" "* install localtunnel*",".{0,1000}\sinstall\slocaltunnel.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","1694" "* install meshcentral*",".{0,1000}\sinstall\smeshcentral.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","1695" "* install pgrok*",".{0,1000}\sinstall\spgrok.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","1698" "* install requests_ntlm*",".{0,1000}\sinstall\srequests_ntlm.{0,1000}","greyware_tool_keyword","requests-ntlm","HTTP NTLM Authentication for Requests Library","T1003 - T1547.005 - T1055 - T1557","TA0008 - TA0006","N/A","N/A","Credential Access","https://pypi.org/project/requests-ntlm/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","1699" "* install shadowsocks-rust*",".{0,1000}\sinstall\sshadowsocks\-rust.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","1701" "* install softether5*",".{0,1000}\sinstall\ssoftether5.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","1702" "* install sshuttle*",".{0,1000}\sinstall\ssshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","1704" "* install tailscale*",".{0,1000}\sinstall\stailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","1705" "* install tmate*",".{0,1000}\sinstall\stmate.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","1706" "* install tunnelto*",".{0,1000}\sinstall\stunnelto.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","1709" "* install wireguard*",".{0,1000}\sinstall\swireguard.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","1712" "* install wireguard-tools*",".{0,1000}\sinstall\swireguard\-tools.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","1713" "* install xvnc4viewer netcat-traditional socat*",".{0,1000}\sinstall\sxvnc4viewer\snetcat\-traditional\ssocat.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","1715" "* install-fleetctl.sh*",".{0,1000}\sinstall\-fleetctl\.sh.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","1716" "* Invoke-WebRequest -Uri 
http://download.anydesk.com/AnyDesk.exe*",".{0,1000}\sInvoke\-WebRequest\s\-Uri\shttp\:\/\/download\.anydesk\.com\/AnyDesk\.exe.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the Dispossessor ransomware group","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Collection","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","1753" "* IObitUnlocker.exe*",".{0,1000}\sIObitUnlocker\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","1756" "* -jar ipscan.exe*",".{0,1000}\s\-jar\sipscan\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","network exploitation tool","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","1798" "* jprq-windows-386.exe*",".{0,1000}\sjprq\-windows\-386\.exe.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","1826" "* jprq-windows-amd64.exe*",".{0,1000}\sjprq\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc.
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","1827" "* list-recycle-bin.ps1*",".{0,1000}\slist\-recycle\-bin\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","1963" "* localgroup Administrators localadm /ADD *",".{0,1000}\slocalgroup\sAdministrators\slocaladm\s\/ADD\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2021" "* localtunnel-server*",".{0,1000}\slocaltunnel\-server.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","0","N/A","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","2033" "* LoggingServer=logging.getgo.com ProxyHost=*",".{0,1000}\sLoggingServer\=logging\.getgo\.com\sProxyHost\=.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows 
users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2036" "* -log-level trace -dre -log-path *",".{0,1000}\s\-log\-level\strace\s\-dre\s\-log\-path\s.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","2038" "* -m boringproxy*",".{0,1000}\s\-m\sboringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","2058" "* -m SimpleHTTPServer *",".{0,1000}\s\-m\sSimpleHTTPServer\s.{0,1000}","greyware_tool_keyword","simplehttpserver","quick web server in python","T1021.002 - T1059.006","TA0002 - TA0005","N/A","N/A","Data Exfiltration","https://docs.python.org/2/library/simplehttpserver.html","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","2093" "* -m sshtunnel *",".{0,1000}\s\-m\ssshtunnel\s.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","2098" "* -ma lssas.exe*",".{0,1000}\s\-ma\slssas\.exe.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - 
Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2109" "* MEGAcmd.sh*",".{0,1000}\sMEGAcmd\.sh.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","2126" "* megasync.exe*",".{0,1000}\smegasync\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2127" "* MEGAsyncSetup32.exe*",".{0,1000}\sMEGAsyncSetup32\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2128" "* MEGAsyncSetup64.exe*",".{0,1000}\sMEGAsyncSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - 
BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2129" "* meshcentral.service*",".{0,1000}\smeshcentral\.service.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","2141" "* -ms assist.zoho.com -p 443*",".{0,1000}\s\-ms\sassist\.zoho\.com\s\-p\s443.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2189" "* -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force*",".{0,1000}\s\-Name\sDisableAntiSpyware\s\-Value\s1\s\-PropertyType\sDWORD\s\-Force.{0,1000}","greyware_tool_keyword","powershell","Defense evasion technique In order to avoid detection at any point of the kill chain. attackers use several ways to disable anti-virus. 
disable Microsoft firewall and clear logs.","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","Dispossessor","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","2245" "* --name localtunnel *",".{0,1000}\s\-\-name\slocaltunnel\s.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","0","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","2247" "* -name:* -password:* -remoteexecute -filename*",".{0,1000}\s\-name\:.{0,1000}\s\-password\:.{0,1000}\s\-remoteexecute\s\-filename.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2250" "* nc termbin.com *",".{0,1000}\snc\stermbin\.com\s.{0,1000}","greyware_tool_keyword","termbin.com","sending data to a pastebin","T1567.002","TA0010","N/A","N/A","Data Exfiltration","termbin.com","1","0","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","2267" "* ncat * -e /bin/bash*|crontab*",".{0,1000}\sncat\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}\|crontab.{0,1000}","greyware_tool_keyword","ncat","reverse shell persistence","T1059.004 - T1053.005 - T1059.005","TA0002 - TA0005","N/A","Calypso - GALLIUM","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","2269" "* neoreg.py *",".{0,1000}\sneoreg\.py\s.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data 
Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","2284" "* netcat termbin.com *",".{0,1000}\snetcat\stermbin\.com\s.{0,1000}","greyware_tool_keyword","termbin.com","sending data to a pastebin","T1567.002","TA0010","N/A","N/A","Data Exfiltration","termbin.com","1","0","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","2292" "* netscan.exe *",".{0,1000}\snetscan\.exe\s.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","2301" "* netscan64.exe *",".{0,1000}\snetscan64\.exe\s.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","2302" "* net-vpn/tailscale*",".{0,1000}\snet\-vpn\/tailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to 
remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","2303" "* --nicehash *--coin *",".{0,1000}\s\-\-nicehash\s.{0,1000}\-\-coin\s.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","2311" "* NimScan.exe*",".{0,1000}\sNimScan\.exe.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","2317" "* NimScan.nim*",".{0,1000}\sNimScan\.nim.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","2318" "* nircmd.exe*",".{0,1000}\snircmd\.exe.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2334" "* nircmdc.exe*",".{0,1000}\snircmdc\.exe.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense 
Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2335" "* -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*",".{0,1000}\s\-NoExit\s\-Command\s\[Console\]\:\:OutputEncoding\=\[Text\.UTF8Encoding\]\:\:UTF8.{0,1000}","greyware_tool_keyword","powershell","powershell command pattern used by sliver - an open source cross-platform adversary emulation/red team framework","T1105 - T1071.004 - T1021 - T1573.001 - T1132 - T1095 - T1041 - T1074.002 - T1568.002 - T1204 - T1055.012","TA0001 - TA0002 - TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0010 - TA0011 - TA0040 - TA0042 - TA0043","N/A","AvosLocker - APT29 - Cinnamon Tempest - GOLD CABIN - COZY BEAR","C2","https://github.com/BishopFox/sliver","1","0","N/A","N/A","10","10","9218","1249","2025-04-21T17:52:43Z","2019-01-17T22:07:38Z","2346" "* noitcetorPAUP*",".{0,1000}\snoitcetorPAUP.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2349" "* -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient*",".{0,1000}\s\-NoP\s\-NonI\s\-W\sHidden\s\-Exec\sBypass\s\-Command\sNew\-Object\sSystem\.Net\.Sockets\.TCPClient.{0,1000}","greyware_tool_keyword","powershell","reverse shell powershell","T1059.001 - T1203 - T1105 - T1562.001","TA0002 - TA0011","N/A","Black Basta","C2","https://github.com/mthbernardes/rsg","1","0","N/A","N/A","10","10","561","126","2024-05-03T16:33:20Z","2017-12-12T02:57:07Z","2352" "* -NOP -WIND HIDDeN -eXeC BYPASS -NONI *",".{0,1000}\s\-NOP\s\-WIND\sHIDDeN\s\-eXeC\sBYPASS\s\-NONI\s.{0,1000}","greyware_tool_keyword","powershell","suspicious powershell arguments order used by many exploitation tools","T1059.001 - T1059.003 - T1027.009","TA0002 - TA0005","N/A","N/A","Exploitation tool","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2356" "* 
OfflineSamTool.h*",".{0,1000}\sOfflineSamTool\.h.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2436" "* -omeshcmd.exe -imodule1.js*",".{0,1000}\s\-omeshcmd\.exe\s\-imodule1\.js.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","2439" "* on http://localhost:7777*",".{0,1000}\son\shttp\:\/\/localhost\:7777.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","2444" "* oshi.at *",".{0,1000}\soshi\.at\s.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","2462" "* pacman -S wireguard-tools*",".{0,1000}\spacman\s\-S\swireguard\-tools.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense 
Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","2502" "* PAExec service*",".{0,1000}\sPAExec\sservice.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","2504" "* pagekite.logging*",".{0,1000}\spagekite\.logging.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","2505" "* pagekite.py*",".{0,1000}\spagekite\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","2506" "* pagekite-gtk.py*",".{0,1000}\spagekite\-gtk\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","2507" "* PCMonitorManager.exe*",".{0,1000}\sPCMonitorManager\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2573" "* PCMonitorSrv.exe*",".{0,1000}\sPCMonitorSrv\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2574" "* pcmontask.exe*",".{0,1000}\spcmontask\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2575" "* -perm -4000 -o -perm -2000*",".{0,1000}\s\-perm\s\-4000\s\-o\s\-perm\s\-2000.{0,1000}","greyware_tool_keyword","find","Look for files with the SUID (Set User ID) or SGID (Set Group ID) bit set","T1083 - T1069 - T1202","TA0004 - TA0007","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","2584" "* pgrok.exe*",".{0,1000}\spgrok\.exe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/jerson/pgrok","1","0","N/A","N/A","10","10","283","55","2022-05-30T14:53:46Z","2019-07-31T13:23:51Z","2599" "* pgrokd.exe*",".{0,1000}\spgrokd\.exe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/jerson/pgrok","1","0","N/A","N/A","10","10","283","55","2022-05-30T14:53:46Z","2019-07-31T13:23:51Z","2600" "* Portr inspector running on *",".{0,1000}\sPortr\sinspector\srunning\son\s.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","2637" "* portr.exe*",".{0,1000}\sportr\.exe.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","2638" "* privoxy.exe*",".{0,1000}\sprivoxy\.exe.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","2675" "* process call create *cmd.exe /c powershell.exe -nop -w hidden -c *IEX ((new-object net.webclient).downloadstring('https://*",".{0,1000}\sprocess\scall\screate\s.{0,1000}cmd\.exe\s\/c\spowershell\.exe\s\-nop\s\-w\shidden\s\-c\s.{0,1000}IEX\s\(\(new\-object\snet\.webclient\)\.downloadstring\(\'https\:\/\/.{0,1000}","greyware_tool_keyword","wmic","Threat Actors ran the following command to download and execute a PowerShell payload","T1059.001 - T1059.003 - T1569.002 - T1021.006","TA0002 - TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR - 
Dispossessor","Collection","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2676" "* ps2exe.ps1*",".{0,1000}\sps2exe\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","2688" "* pulseway_x64.deb*",".{0,1000}\spulseway_x64\.deb.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2702" "* Pulseway_x64.msi*",".{0,1000}\sPulseway_x64\.msi.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2703" "* pulseway_x86.deb*",".{0,1000}\spulseway_x86\.deb.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage 
their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2704" "* pwn_tclsh.me*",".{0,1000}\spwn_tclsh\.me.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","N/A","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","2732" "* py2exe*",".{0,1000}\spy2exe.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","0","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","2734" "* py39-sshuttle*",".{0,1000}\spy39\-sshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","2735" "* -r rclone:* init*",".{0,1000}\s\-r\srclone\:.{0,1000}\sinit.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","2757" "* rathole.exe",".{0,1000}\srathole\.exe","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","2772" "* RDPWInst.exe*",".{0,1000}\sRDPWInst\.exe.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","2794" "* rdpwrap.dll*",".{0,1000}\srdpwrap\.dll.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","2795" "* RemCom.exe*",".{0,1000}\sRemCom\.exe.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral 
Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","2825" "* RemComSvc.exe*",".{0,1000}\sRemComSvc\.exe.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","2826" "* RemComSvc.h*",".{0,1000}\sRemComSvc\.h.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","2827" "* RemoteDesktop.exe*",".{0,1000}\sRemoteDesktop\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2833" "* remoteit.exe*",".{0,1000}\sremoteit\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","2838" "* remoteit.x86-win.exe*",".{0,1000}\sremoteit\.x86\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - 
T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","2839" "* remoteit-desktop.exe*",".{0,1000}\sremoteit\-desktop\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","2840" "* RemotePC.exe*",".{0,1000}\sRemotePC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2844" "* RemotePCAttendedService *",".{0,1000}\sRemotePCAttendedService\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2845" "* remotepclauncher.exe*",".{0,1000}\sremotepclauncher\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2846" "* remotepcuiu.exe*",".{0,1000}\sremotepcuiu\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2847" "* RemotePCViewer.msi*",".{0,1000}\sRemotePCViewer\.msi.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2848" "* restic.exe*",".{0,1000}\srestic\.exe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","2870" "* restic/restic *",".{0,1000}\srestic\/restic\s.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","2871" "* rmm-installer.ps1*",".{0,1000}\srmm\-installer\.ps1.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","2911" "* rpcdownloader.exe*",".{0,1000}\srpcdownloader\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2923" "* rpcperfviewer.exe*",".{0,1000}\srpcperfviewer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2927" "* RPCWinXP.exe*",".{0,1000}\sRPCWinXP\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - 
T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2928" "* -rr_flag * -group * -fileTransferGateways *.zohoassist.com -ADMINAGENT*",".{0,1000}\s\-rr_flag\s.{0,1000}\s\-group\s.{0,1000}\s\-fileTransferGateways\s.{0,1000}\.zohoassist\.com\s\-ADMINAGENT.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2929" "* rsocks.pool*",".{0,1000}\srsocks\.pool.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","2931" "* rsocks.server*",".{0,1000}\srsocks\.server.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","2932" "* rsync.stunnel.org::stunnel *",".{0,1000}\srsync\.stunnel\.org\:\:stunnel\s.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","2933" "* rtun-server-windows-amd64.exe*",".{0,1000}\srtun\-server\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway 
server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","2939" "* rtun-windows-amd64.exe*",".{0,1000}\srtun\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","2940" "* RustDesk.exe*",".{0,1000}\sRustDesk\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","2953" "* -s rest_server_zrok -t*",".{0,1000}\s\-s\srest_server_zrok\s\-t.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","2966" "* s3://sshx/*",".{0,1000}\ss3\:\/\/sshx\/.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","0","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","2968" "* -sc getacls -sddlfilter *",".{0,1000}\s\-sc\sgetacls\s\-sddlfilter\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2984" "* -sc trustdump*",".{0,1000}\s\-sc\strustdump.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. 
and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","2987" "* --scanner aclcheck*",".{0,1000}\s\-\-scanner\saclcheck.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","2993" "* --scanner laps_bitlocker*",".{0,1000}\s\-\-scanner\slaps_bitlocker.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","2994" "* --scanner nullsession-trust*",".{0,1000}\s\-\-scanner\snullsession\-trust.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","2995" "* --scanner smb3querynetwork*",".{0,1000}\s\-\-scanner\ssmb3querynetwork.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","2996" "* --scanner zerologon*",".{0,1000}\s\-\-scanner\szerologon.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","2997" "* --script smb-vuln-ms08-067,smb-vuln-ms17-010*",".{0,1000}\s\-\-script\ssmb\-vuln\-ms08\-067,smb\-vuln\-ms17\-010.{0,1000}","greyware_tool_keyword","nmap","nmap vuln scan of most used vulnerabilities","T1046 - T1203 - T1210","TA0007","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3011" "* SELECT ProcessId FROM Win32_Process * Name='ZAAudioClient.exe'*",".{0,1000}\sSELECT\sProcessId\sFROM\sWin32_Process\s.{0,1000}\sName\=\'ZAAudioClient\.exe\'.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3035" "* -service TightVNC 
Server*",".{0,1000}\s\-service\sTightVNC\sServer.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3049" "* -ServiceName ""AADInternals""*",".{0,1000}\s\-ServiceName\s\""AADInternals\"".{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","#servicename","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","3050" "* set xmrig Type SERVICE_WIN32_OWN_PROCESS*",".{0,1000}\sset\sxmrig\sType\sSERVICE_WIN32_OWN_PROCESS.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","3057" "* set-proxy.ps1*",".{0,1000}\sset\-proxy\.ps1.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","3064" "* shadowsocks-divert*",".{0,1000}\sshadowsocks\-divert.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you 
bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","3073" "* shadowsocks-rust.sslocal-daemon*",".{0,1000}\sshadowsocks\-rust\.sslocal\-daemon.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","3074" "* shadowsocks-tproxy-mark*",".{0,1000}\sshadowsocks\-tproxy\-mark.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","3075" "* sharedfolder add * -hostpath c:\ -automount*",".{0,1000}\ssharedfolder\sadd\s.{0,1000}\s\-hostpath\sc\:\\\s\-automount.{0,1000}","greyware_tool_keyword","VirtualBox","adding the entire C drive as a shared folder for a VM","T1021.001 - T1137 - T1072","TA0006 - TA0008 - TA0005","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3076" "* sirtunnel.py*",".{0,1000}\ssirtunnel\.py.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","0","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","3151" "* sish -c date*",".{0,1000}\ssish\s\-c\sdate.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to 
localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","3152" "* --socks5-hostname 127.0.0.1:9050*",".{0,1000}\s\-\-socks5\-hostname\s127\.0\.0\.1\:9050.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","3292" "* SoftEtherVPN-*.tar.xz*",".{0,1000}\sSoftEtherVPN\-.{0,1000}\.tar\.xz.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","3297" "* ssh -R* remote.moe*",".{0,1000}\sssh\s\-R.{0,1000}\sremote\.moe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","3354" "* sshtunnel.py*",".{0,1000}\ssshtunnel\.py.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","3362" "* 
SSHTunnelForwarder(*",".{0,1000}\sSSHTunnelForwarder\(.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","3363" "* sshuttle:sshuttle *",".{0,1000}\ssshuttle\:sshuttle\s.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","3364" "* start rustdesk://*",".{0,1000}\sstart\srustdesk\:\/\/.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","3390" "* start SupremoService*",".{0,1000}\sstart\sSupremoService.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3391" "* start uvnc_service*",".{0,1000}\sstart\suvnc_service.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3392" "* Starting tunneling 
server*",".{0,1000}\sStarting\stunneling\sserver.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","3399" "* stop ProxifierDrv*",".{0,1000}\sstop\sProxifierDrv.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","3413" "* stop uvnc_service*",".{0,1000}\sstop\suvnc_service.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3414" "* Supremo.exe*",".{0,1000}\sSupremo\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3432" "* tacticalrmm.exe*",".{0,1000}\stacticalrmm\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","3459" "* 
tailscale.exe*",".{0,1000}\stailscale\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","3460" "* tailscale-archive-keyring*",".{0,1000}\stailscale\-archive\-keyring.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","3461" "* termbin.com 9999*",".{0,1000}\stermbin\.com\s9999.{0,1000}","greyware_tool_keyword","termbin.com","sending data to a pastebin","T1567.002","TA0010","N/A","N/A","Data Exfiltration","termbin.com","1","0","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","3501" "* the servers Wireguard interface.*",".{0,1000}\sthe\sservers\sWireguard\sinterface\..{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3512" "* tkc_agent_dre.deb*",".{0,1000}\stkc_agent_dre\.deb.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3523" "* --to bore.pub*",".{0,1000}\s\-\-to\sbore\.pub.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - 
T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","N/A","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","3529" "* tunneld.service*",".{0,1000}\stunneld\.service.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","3570" "* tunnelmole.bundle.js*",".{0,1000}\stunnelmole\.bundle\.js.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","3571" "* tunwg.exe*",".{0,1000}\stunwg\.exe.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","3574" "* ultravnc.ini *",".{0,1000}\sultravnc\.ini\s.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3610" "* upload*.systemmonitor.eu.com*/command/agentprocessor*",".{0,1000}\supload.{0,1000}\.systemmonitor\.eu\.com.{0,1000}\/command\/agentprocessor.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3626" "* 
vnc.ini *",".{0,1000}\svnc\.ini\s.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3673" "* VSAX_x64.msi*",".{0,1000}\sVSAX_x64\.msi.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3679" "* -W Hidden -command *https://*Invoke-WebRequest*; iex $*",".{0,1000}\s\-W\sHidden\s\-command\s.{0,1000}https\:\/\/.{0,1000}Invoke\-WebRequest.{0,1000}\;\siex\s\$.{0,1000}","greyware_tool_keyword","powershell","A PowerShell process downloaded and launched a remote file","T1059.001 - T1105 - T1203","TA0001 - TA0002","Lumma Stealer","N/A","Collection","N/A","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","3685" "* -W Hidden -command *Invoke-WebRequest*https://*; iex $*",".{0,1000}\s\-W\sHidden\s\-command\s.{0,1000}Invoke\-WebRequest.{0,1000}https\:\/\/.{0,1000}\;\siex\s\$.{0,1000}","greyware_tool_keyword","powershell","A PowerShell process downloaded and launched a remote file","T1059.001 - T1105 - T1203","TA0001 - TA0002","Lumma Stealer","N/A","Collection","N/A","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","3686" "* -w hidden -ep bypass -nop -Command ""iex ((New-Object System.Net.WebClient).DownloadString(*",".{0,1000}\s\-w\shidden\s\-ep\sbypass\s\-nop\s\-Command\s\""iex\s\(\(New\-Object\sSystem\.Net\.WebClient\)\.DownloadString\(.{0,1000}","greyware_tool_keyword","powershell","suspicious powershell command often used in recaptcha phishing campaign (run 
dialog)","T1086 - T1105 - T1218.003 - T1569.002","TA0002 - TA0009","Lumma Stealer","N/A","Collection","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3687" "* We have found at least * potential SUID exploitable file(s)*",".{0,1000}\sWe\shave\sfound\sat\sleast\s.{0,1000}\spotential\sSUID\sexploitable\sfile\(s\).{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","N/A","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","3696" "* --webview-exe-name=QuickAssist.exe*",".{0,1000}\s\-\-webview\-exe\-name\=QuickAssist\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","3700" "* where /r C:\Windows\WinSxS\ *Microsoft.ActiveDirectory.Management.dll*",".{0,1000}\swhere\s\/r\sC\:\\Windows\\WinSxS\\\s.{0,1000}Microsoft\.ActiveDirectory\.Management\.dll.{0,1000}","greyware_tool_keyword","where","threat actors searched for Active Directory related DLLs in directories","T1059 - T1083 - T1018","TA0002 - TA0009 - TA0040","N/A","N/A","Discovery","https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","3704" "* wireguard-installer.exe*",".{0,1000}\swireguard\-installer\.exe.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense 
Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","3736" "* wireproxy.service*",".{0,1000}\swireproxy\.service.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","3737" "* wiretap.exe*",".{0,1000}\swiretap\.exe.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","3738" "* xmrig.exe*",".{0,1000}\s\sxmrig\.exe.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","3781" "* ZA_Connect.exe*",".{0,1000}\sZA_Connect\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3788" "* ZAAudioClient.exe*",".{0,1000}\sZAAudioClient\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3789" "* 
ZAFileTransfer.exe*",".{0,1000}\sZAFileTransfer\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3790" "* ZAService.exe*",".{0,1000}\sZAService\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3791" "* zrok.listener*",".{0,1000}\szrok\.listener.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","3792" "*""%~dp0RDPWInst"" -i -o*",".{0,1000}\""\%\~dp0RDPWInst\""\s\-i\s\-o.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","3813" "*""[IO.File]::WriteAllBytes($*,[Convert]::FromBase64String(""*",".{0,1000}\""\[IO\.File\]\:\:WriteAllBytes\(\$.{0,1000},\[Convert\]\:\:FromBase64String\(\"".{0,1000}","greyware_tool_keyword","powershell","suspicious behavior powershell script","T1059.001 - T1105 - T1204.002","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","3814" "*""appName"":""eHorus 
Agent""*",".{0,1000}\""appName\""\:\""eHorus\sAgent\"".{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","3820" "*""-----BEGIN OpenVPN Static key*",".{0,1000}\""\-\-\-\-\-BEGIN\sOpenVPN\sStatic\skey.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#content #VPN","N/A","6","8","N/A","N/A","N/A","N/A","3822" "*""C:\Windows\system32\ARP.EXE"" /a*",".{0,1000}\""C\:\\Windows\\system32\\ARP\.EXE\""\s\/a.{0,1000}","greyware_tool_keyword","arp","Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache","T1018","TA0007","N/A","Turla - APT32 - Orangeworm","Discovery","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","3825" "*""gost installation completed!""*",".{0,1000}\""gost\sinstallation\scompleted!\"".{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","3840" "*""http://mitm""*",".{0,1000}\""http\:\/\/mitm\"".{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & 
Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","3845" "*""message"":""ably connection state: CONNECTED""}*",".{0,1000}\""message\""\:\""ably\sconnection\sstate\:\sCONNECTED\""\}.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3853" "*""PageKite system service""*",".{0,1000}\""PageKite\ssystem\sservice\"".{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","3858" "*""publisher"":""uvnc bvba*",".{0,1000}\""publisher\""\:\""uvnc\sbvba.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry value","10","10","N/A","N/A","N/A","N/A","3860" "*""RemotePCAttendedService""*",".{0,1000}\""RemotePCAttendedService\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3863" "*""SimpleHelp Remote Printer""*",".{0,1000}\""SimpleHelp\sRemote\sPrinter\"".{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3870" "*""User-Agent"", ""tunnelto-client""*",".{0,1000}\""User\-Agent\"",\s\""tunnelto\-client\"".{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","3880" "*# adiskreader *",".{0,1000}\#\sadiskreader\s.{0,1000}","greyware_tool_keyword","adiskreader","Async Python library to parse local and remote disk images","T1020 - T1048 - T1074 - T1560.001","TA0005 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://github.com/skelsec/adiskreader","1","0","N/A","N/A","4","1","76","7","2025-03-15T19:48:39Z","2023-12-18T11:54:31Z","3885" "*$(mega-whoami)*",".{0,1000}\$\(mega\-whoami\).{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","3935" "*$base64adrecon*",".{0,1000}\$base64adrecon.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","#content","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","3945" 
"*$EHORUS_HOME/.vnc/passwd*",".{0,1000}\$EHORUS_HOME\/\.vnc\/passwd.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","3959" "*$env:LEVEL_API_KEY = ""*"";*",".{0,1000}\$env\:LEVEL_API_KEY\s\=\s\"".{0,1000}\""\;.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","3963" "*$HOME/.zrok*",".{0,1000}\$HOME\/\.zrok.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","3985" "*$MEGACMDSHELL*",".{0,1000}\$MEGACMDSHELL.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","3998" "*$outputPath = ""C:\AnyDesk.exe""*",".{0,1000}\$outputPath\s\=\s\""C\:\\AnyDesk\.exe\"".{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","0","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","4004" "*$tempFile = Join-Path ([System.IO.Path]::GetTempPath()) ""install_windows.exe"";*",".{0,1000}\$tempFile\s\=\sJoin\-Path\s\(\[System\.IO\.Path\]\:\:GetTempPath\(\)\)\s\""install_windows\.exe\""\;.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4021" 
"*%~dp0RDPWInst.exe*",".{0,1000}\%\~dp0RDPWInst\.exe.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","4028" "*%COMSPEC%*echo*\pipe\*",".{0,1000}\%COMSPEC\%.{0,1000}echo.{0,1000}\\pipe\\.{0,1000}","greyware_tool_keyword","echo","Detects the use of getsystem Meterpreter/Cobalt Strike command. Getsystem is used to elevate privilege to SYSTEM account.","T1068.003 - T1078.002","TA0004 - TA0008","N/A","N/A","Exploitation tool","https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","4036" "*%LOCALAPPDATA%\MEGAcmd*",".{0,1000}\%LOCALAPPDATA\%\\MEGAcmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","4038" "*%SystemRoot%\\MEMORY.DMP*",".{0,1000}\%SystemRoot\%\\\\MEMORY\.DMP.{0,1000}","greyware_tool_keyword","CIMplant","C# port of WMImplant which uses either CIM or WMI to query remote systems","T1047 - T1059.001 - T1021.006","TA0002 - TA0007 - TA0008","N/A","Scattered Spider*","Lateral Movement","https://github.com/RedSiege/CIMplant","1","0","N/A","N/A","10","2","199","29","2021-07-14T18:18:42Z","2021-01-29T21:41:58Z","4041" 
"*%SYSTEMROOT%\PAExec-*",".{0,1000}\%SYSTEMROOT\%\\PAExec\-.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","4042" "*%tooRmetsyS%*",".{0,1000}\%tooRmetsyS\%.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4044" "*%USERPROFILE%\\nssm.zip*",".{0,1000}\%USERPROFILE\%\\\\nssm\.zip.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","4046" "*&& telnet * 2>&1 \&1\s\<\/dev\/console.{0,1000}","greyware_tool_keyword","telnet","suspicious shell commands used in various Equation Group scripts and tools","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_apt_equationgroup_lnx.yml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","4048" "*&browser=tor&api=false*",".{0,1000}\&browser\=tor\&api\=false.{0,1000}","greyware_tool_keyword","browser.lol","Virtual Browser - Safely visit blocked or risky websites - can be used to bypass network restrictions within a corporate environment","T1071 - T1090 - T1562","TA0005","N/A","N/A","Defense Evasion","https://browser.lol","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","4049" 
"*(&(&(objectCategory=person)(objectClass=user))(|(description=*pass*)(comment=*pass*)))*",".{0,1000}\(\&\(\&\(objectCategory\=person\)\(objectClass\=user\)\)\(\|\(description\=.{0,1000}pass.{0,1000}\)\(comment\=.{0,1000}pass.{0,1000}\)\)\).{0,1000}","greyware_tool_keyword","ldap queries","metasploit enum_ad_user_comments","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726","1","0","N/A","N/A","8","4","N/A","N/A","N/A","N/A","4053" "*(&(objectCategory=computer)(msDS-isRODC=TRUE))*",".{0,1000}\(\&\(objectCategory\=computer\)\(msDS\-isRODC\=TRUE\)\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate Read-Only Domain Controllers (RODC)","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/mthcht/ThreatHunting-Keywords","1","0","N/A","N/A","8","6","563","61","2025-03-03T15:48:41Z","2023-05-16T15:38:26Z","4057" "*(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName="" + target + ""))*",".{0,1000}\(\&\(objectCategory\=computer\)\(ms\-MCS\-AdmPwd\=.{0,1000}\)\(sAMAccountName\=\""\s\+\starget\s\+\s\""\)\).{0,1000}","greyware_tool_keyword","ldap queries","LAPS passwords (from SharpLAPS)","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4058" "*(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)(memberOf=CN=Administrators*",".{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=65536\)\(memberOf\=CN\=Administrators.{0,1000}","greyware_tool_keyword","ldap queries","Enumerate 
Accounts with Non-Expiring Passwords and Administrative Privileges","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/mthcht/ThreatHunting-Keywords","1","0","N/A","N/A","8","6","563","61","2025-03-03T15:48:41Z","2023-05-16T15:38:26Z","4059" "*(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)*",".{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=65536\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate all users with the account configuration 'Password never expires'","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4060" "*(&(objectClass=group)(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))*",".{0,1000}\(\&\(objectClass\=group\)\(managedBy\=.{0,1000}\)\(groupType\:1\.2\.840\.113556\.1\.4\.803\:\=2147483648\)\).{0,1000}","greyware_tool_keyword","ldap queries","metasploit enum_ad_managedby_groups.rb","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/rapid7/metasploit-framework/blob/d37a82500d1d08f9d8ab3da9b194653835748fae/modules/post/windows/gather/enum_ad_managedby_groups.rb#L59","1","0","N/A","N/A","8","10","35400","14272","2025-04-22T20:14:59Z","2011-08-30T06:13:20Z","4061" "*(&(objectclass=group)(samaccountname=*domain admins*))*",".{0,1000}\(\&\(objectclass\=group\)\(samaccountname\=.{0,1000}domain\sadmins.{0,1000}\)\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate Domain Administrators Group","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - 
TA0009","N/A","N/A","Discovery","https://jsecurity101.medium.com/uncovering-adversarial-ldap-tradecraft-658b2deca384","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4062" "*(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))*",".{0,1000}\(\&\(samAccountType\=805306368\)\(servicePrincipalName\=.{0,1000}\)\(!samAccountName\=krbtgt\)\(!\(UserAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\(!msds\-supportedencryptiontypes\:1\.2\.840\.113556\.1\.4\.804\:\=24\)\).{0,1000}","greyware_tool_keyword","ldap queries","Kerberoasting","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4063" "*(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))*",".{0,1000}\(\&\(samAccountType\=805306368\)\(servicePrincipalName\=.{0,1000}\)\(!samAccountName\=krbtgt\)\(!\(UserAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\(msds\-supportedencryptiontypes\:1\.2\.840\.113556\.1\.4\.804\:\=24\)\).{0,1000}","greyware_tool_keyword","ldap queries","Kerberoasting","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4064" 
"*(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))*",".{0,1000}\(\&\(samAccountType\=805306368\)\(servicePrincipalName\=.{0,1000}\)\(!samAccountName\=krbtgt\)\(!\(UserAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\).{0,1000}","greyware_tool_keyword","ldap queries","Kerberoasting","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4065" "*([adsisearcher]'(&(objectCategory=computer)(!(primaryGroupID=516)(userAccountControl:1.2.840.113556.1.4.803:=524288)))').FindAll()*",".{0,1000}\(\[adsisearcher\]\'\(\&\(objectCategory\=computer\)\(!\(primaryGroupID\=516\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=524288\)\)\)\'\)\.FindAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate all servers configured for Unconstrained Delegation","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","4067" "*([adsisearcher]'(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))').FindAll()*",".{0,1000}\(\[adsisearcher\]\'\(\&\(objectCategory\=computer\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=8192\)\)\'\)\.FindAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate all Domain Controllers","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://web.archive.org/web/20240109000256/https://cyberdom.blog/2024/01/07/defender-for-identity-hunting-for-ldap/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","4068" 
"*([adsisearcher]'(&(objectCategory=user)(!(samAccountName=krbtgt)(servicePrincipalName=*)))').FindAll()*",".{0,1000}\(\[adsisearcher\]\'\(\&\(objectCategory\=user\)\(!\(samAccountName\=krbtgt\)\(servicePrincipalName\=.{0,1000}\)\)\)\'\)\.FindAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Search for user accounts with SPN but not TGT accounts","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://jsecurity101.medium.com/uncovering-adversarial-ldap-tradecraft-658b2deca384","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4069" "*([adsisearcher]'(adminCount=1)').FindAll()*",".{0,1000}\(\[adsisearcher\]\'\(adminCount\=1\)\'\)\.FindAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Search for all objects with AdminSHHolder","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://jsecurity101.medium.com/uncovering-adversarial-ldap-tradecraft-658b2deca384","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4070" "*([DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains*",".{0,1000}\(\[DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\)\.Domains.{0,1000}","greyware_tool_keyword","ldap queries","Queries for domain level and mode information","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","4071" "*([DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Sites | *",".{0,1000}\(\[DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\)\.Sites\s\|\s.{0,1000}","greyware_tool_keyword","ldap queries","enumeration of AD Forest Sites","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - 
TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","4072" "*([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).FindAllDomainControllers() | Select-Object -Property *",".{0,1000}\(\[System\.DirectoryServices\.ActiveDirectory\.Domain\]\:\:GetCurrentDomain\(\)\)\.FindAllDomainControllers\(\)\s\|\sSelect\-Object\s\-Property\s.{0,1000}","greyware_tool_keyword","ldap queries","querying all domain controllers with detailed properties","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","4073" "*([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()*",".{0,1000}\(\[System\.DirectoryServices\.ActiveDirectory\.Domain\]\:\:GetCurrentDomain\(\)\)\.GetAllTrustRelationships\(\).{0,1000}","greyware_tool_keyword","ldap queries","get all trust relationships in the current domain","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","4074" "*([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()*",".{0,1000}\(\[System\.DirectoryServices\.ActiveDirectory\.Domain\]\:\:GetCurrentDomain\(\)\)\.GetAllTrustRelationships\(\).{0,1000}","greyware_tool_keyword","powershell","Powershell enumerate domains and forests","T1482 - T1069.002","TA0007 - TA0008","N/A","Black Basta","Discovery","https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4075" "*(Get-ADForest).Domains | %{ Get-ADDomainController -Filter * 
-Server $_ }*",".{0,1000}\(Get\-ADForest\)\.Domains\s\|\s\%\{\sGet\-ADDomainController\s\-Filter\s.{0,1000}\s\-Server\s\$_\s\}.{0,1000}","greyware_tool_keyword","ldap queries","Enumerate all of the domain controllers for all domains in a forest","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","6","6","N/A","N/A","N/A","N/A","4077" "*(msds-supportedencryptiontypes=0)(msds-supportedencryptiontypes:1.2.840.113556.1.4.803:=4)))*",".{0,1000}\(msds\-supportedencryptiontypes\=0\)\(msds\-supportedencryptiontypes\:1\.2\.840\.113556\.1\.4\.803\:\=4\)\)\).{0,1000}","greyware_tool_keyword","ldap queries","used by Rubeus and S4UTomato tools","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4081" "*(objectCategory=person)(objectClass=user)(serviceAccount=TRUE)*",".{0,1000}\(objectCategory\=person\)\(objectClass\=user\)\(serviceAccount\=TRUE\).{0,1000}","greyware_tool_keyword","ldap queries","Query to find service accounts which are typically high-privileged and targeted for privilege escalation","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/mthcht/ThreatHunting-Keywords","1","0","N/A","N/A","8","6","563","61","2025-03-03T15:48:41Z","2023-05-16T15:38:26Z","4085" "*(objectclass=group)(samaccountname=domain admins)*",".{0,1000}\(objectclass\=group\)\(samaccountname\=domain\sadmins\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate Domain Admins","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4086" 
"*(userAccountControl:1.2.840.113556.1.4.803:=524288)*",".{0,1000}\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=524288\).{0,1000}","greyware_tool_keyword","ldap queries","Accounts Trusted for Delegation","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://gist.github.com/jsecurity101/9c7e94f95b8d90f9252d64949562ba5d","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4091" "*...::$index_allocation*",".{0,1000}\.\.\.\:\:\$index_allocation.{0,1000}","greyware_tool_keyword","$index_allocation","creation of hidden folders (and file) via ...$.......::$index_allocation","T1027.001 - T1564.001","TA0005 ","N/A","N/A","Defense Evasion","https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4096" "*../tunnelto_lib*",".{0,1000}\.\.\/tunnelto_lib.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#linux","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","4099" "*..\..\..\..\..\..\Windows\System32\cmd.exe*",".{0,1000}\.\.\\\.\.\\\.\.\\\.\.\\\.\.\\\.\.\\Windows\\System32\\cmd\.exe.{0,1000}","greyware_tool_keyword","_","attempt to bypass security controls or execute commands from an unexpected location","T1036 - T1059","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://twitter.com/malwrhunterteam/status/1737220172220620854/photo/1","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","4101" "*./boringproxy server*",".{0,1000}\.\/boringproxy\sserver.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#linux","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","4109" "*./capsh --gid=0 --uid=0 --*",".{0,1000}\.\/capsh\s\-\-gid\=0\s\-\-uid\=0\s\-\-.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4112" "*./chisel client *",".{0,1000}\.\/chisel\sclient\s.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","chisel","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","4114" "*./chroot / /bin/sh -p*",".{0,1000}\.\/chroot\s\/\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4115" "*./dropbear *",".{0,1000}\.\/dropbear\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","4128" "*./env /bin/sh -p*",".{0,1000}\.\/env\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further 
escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4131" "*./expect -c 'spawn /bin/sh -p;interact'*",".{0,1000}\.\/expect\s\-c\s\'spawn\s\/bin\/sh\s\-p\;interact\'.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4134" "*./flock -u / /bin/sh -p*",".{0,1000}\.\/flock\s\-u\s\/\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4139" "*./nice /bin/sh -p*",".{0,1000}\.\/nice\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4171" "*./nmap*",".{0,1000}\.\/nmap.{0,1000}","greyware_tool_keyword","nmap","A very common tool. 
Network host vuln and port detector.","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap","1","1","#linux","greyware tool - risks of False positive !","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","4173" "*./rview -c ':py3 import os*os.execl(\""/bin/sh\*",".{0,1000}\.\/rview\s\-c\s\'\:py3\simport\sos.{0,1000}os\.execl\(\\\""\/bin\/sh\\.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","4195" "*./staqlab-tunnel *",".{0,1000}\.\/staqlab\-tunnel\s.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","0","#linux","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","4211" "*./test/nmap*/*.nse*",".{0,1000}\.\/test\/nmap.{0,1000}\/.{0,1000}\.nse.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","#linux","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","4216" "*./tunwg --*",".{0,1000}\.\/tunwg\s\-\-.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#linux","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","4217" "*./wiretap remove*",".{0,1000}\.\/wiretap\sremove.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","4221" "*.\RemComSvc\*",".{0,1000}\.\\RemComSvc\\.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","4229" "*.\TightVNC1*",".{0,1000}\.\\TightVNC1.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","4231" "*.\TightVNC2*",".{0,1000}\.\\TightVNC2.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","4232" "*.\TightVNC3*",".{0,1000}\.\\TightVNC3.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets 
you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","4233" "*._tcp.argotunnel.com*",".{0,1000}\._tcp\.argotunnel\.com.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","4234" "*.a.pinggy.online*",".{0,1000}\.a\.pinggy\.online.{0,1000}","greyware_tool_keyword","pinggy","Create HTTP/TCP or TLS tunnels to your Mac/PC. Even if it is sitting behind firewalls and NATs.","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://pinggy.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4237" "*.api.mega.co.nz*",".{0,1000}\.api\.mega\.co\.nz.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","4242" "*.api.splashtop.com*",".{0,1000}\.api\.splashtop\.com.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - 
Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4243" "*.apitest.barracudamsp.com*",".{0,1000}\.apitest\.barracudamsp\.com.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4244" "*.asse.devtunnels.ms*",".{0,1000}\.asse\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4249" "*.aweray.net*",".{0,1000}\.aweray\.net.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4252" "*.bash_history >/dev/null 2>&1*",".{0,1000}\.bash_history\s\>\/dev\/null\s2\>\&1.{0,1000}","greyware_tool_keyword","bash","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4255" "*.beyondtrustcloud.com/session_complete*",".{0,1000}\.beyondtrustcloud\.com\/session_complete.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4258" "*.bin/tmole*",".{0,1000}\.bin\/tmole.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","4265" "*.bin/tunnelmole*",".{0,1000}\.bin\/tunnelmole.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","4266" "*.chrome-remote-desktop-session*",".{0,1000}\.chrome\-remote\-desktop\-session.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4269" "*.comodo.com/static/frontend/static-pages/enroll-wizard/token*",".{0,1000}\.comodo\.com\/static\/frontend\/static\-pages\/enroll\-wizard\/token.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4275" "*.config/systemd/user/remotemoe.service*",".{0,1000}\.config\/systemd\/user\/remotemoe\.service.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff 
such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","4276" "*.config/telebit/telebitd.yml*",".{0,1000}\.config\/telebit\/telebitd\.yml.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4277" "*.configrclonerclone.conf*",".{0,1000}\.configrclonerclone\.conf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","4278" "*.console.gotoassist.com*",".{0,1000}\.console\.gotoassist\.com.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4279" "*.d.requestbin.net*",".{0,1000}\.d\.requestbin\.net.{0,1000}","greyware_tool_keyword","requestbin.net","allows users 
to create a unique URL to collect and inspect HTTP requests. It is commonly used for debugging webhooks - it can also be abused by attackers for verifying the reachability and effectiveness of their payloads","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","http://requestbin.net","1","1","N/A","Out of band interaction domains","10","10","N/A","N/A","N/A","N/A","4282" "*.dev1.fleetdeck.io*",".{0,1000}\.dev1\.fleetdeck\.io.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","4285" "*.dnslog.cn:*",".{0,1000}\.dnslog\.cn\:.{0,1000}","greyware_tool_keyword","dnslog.cn","allows users to create a unique URL to collect and inspect HTTP requests. It is commonly used for debugging webhooks - it can also be abused by attackers for verifying the reachability and effectiveness of their payloads","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","http://dnslog.cn","1","1","N/A","Out of band interaction domains","10","10","N/A","N/A","N/A","N/A","4289" "*.exe * /hide * /range:* /auto:*.*",".{0,1000}\.exe\s.{0,1000}\s\/hide\s.{0,1000}\s\/range\:.{0,1000}\s\/auto\:.{0,1000}\..{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4325" "*.exe /hide 
/range:all*",".{0,1000}\.exe\s\/hide\s\/range\:all.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4334" "*.exe /i /s cmd *",".{0,1000}\.exe\s\/i\s\/s\scmd\s.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4336" "*.exe /i /s cmd.exe*",".{0,1000}\.exe\s\/i\s\/s\scmd\.exe.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - 
TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4337" "*.exe /i /s powershell*",".{0,1000}\.exe\s\/i\s\/s\spowershell.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4338" "*.exe /i /s 
pwsh*",".{0,1000}\.exe\s\/i\s\/s\spwsh.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4339" "*.exe /s /i cmd.exe*",".{0,1000}\.exe\s\/s\s\/i\scmd\.exe.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege 
Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4344" "*.exe /s /i powershell*",".{0,1000}\.exe\s\/s\s\/i\spowershell.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4345" "*.exe /s /i pwsh*",".{0,1000}\.exe\s\/s\s\/i\spwsh.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD 
SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4346" "*.exe /s:ip_ranges.txt /f:scan_results.txt*",".{0,1000}\.exe\s\/s\:ip_ranges\.txt\s\/f\:scan_results\.txt.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","4347" "*.exe /wakeall*",".{0,1000}\.exe\s\/wakeall.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4348" "*.exe delete 
shadows*",".{0,1000}\.exe\sdelete\sshadows.{0,1000}","greyware_tool_keyword","vssadmin","inhibiting recovery by deleting backup and recovery data to prevent system recovery after an attack","T1490","TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4424" "*.exe -gcb -sc trustdmp > *",".{0,1000}\.exe\s\-gcb\s\-sc\strustdmp\s\>\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://github.com/aancw/community-threats/blob/82ece2dec931d175ed47276d426f526610aa8262/Ryuk/VFS/adf.bat#L4","1","0","N/A","N/A","10","1","0","0","2022-02-15T23:58:54Z","2022-02-24T18:51:11Z","4443" "*.exe host -p * - allow-anonymous*",".{0,1000}\.exe\shost\s\-p\s.{0,1000}\s\-\sallow\-anonymous.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4468" "*.exe -i -s cmd *",".{0,1000}\.exe\s\-i\s\-s\scmd\s.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4471" "*.exe -i -s cmd *",".{0,1000}\.exe\s\-i\s\-s\scmd\s.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - 
menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4472" "*.exe -i -s cmd.exe*",".{0,1000}\.exe\s\-i\s\-s\scmd\.exe.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4473" "*.exe -i -s powershell*",".{0,1000}\.exe\s\-i\s\-s\spowershell.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - 
Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4474" "*.exe -i -s pwsh*",".{0,1000}\.exe\s\-i\s\-s\spwsh.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4475" "*.exe --IPCport 5939 --Module 1*",".{0,1000}\.exe\s\-\-IPCport\s5939\s\-\-Module\s1.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and 
other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","https://github.com/SigmaHQ/sigma/pull/4759","10","10","N/A","N/A","N/A","N/A","4487" "*.exe --pn dre_video_uploader --logpath logs*",".{0,1000}\.exe\s\-\-pn\sdre_video_uploader\s\-\-logpath\slogs.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4570" "*.exe port create -p *",".{0,1000}\.exe\sport\screate\s\-p\s.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","4571" "*.exe -s -i cmd.exe*",".{0,1000}\.exe\s\-s\s\-i\scmd\.exe.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4591" "*.exe -s -i powershell*",".{0,1000}\.exe\s\-s\s\-i\spowershell.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - 
Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4592" "*.exe -s -i pwsh*",".{0,1000}\.exe\s\-s\s\-i\spwsh.{0,1000}","greyware_tool_keyword","psexec","privilege escalation to local system with psexec","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Privilege Escalation","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4593" "*.exe -sc adinfo > *",".{0,1000}\.exe\s\-sc\sadinfo\s\>\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. 
This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://github.com/aancw/community-threats/blob/82ece2dec931d175ed47276d426f526610aa8262/Ryuk/VFS/adf.bat#L4","1","0","N/A","N/A","10","1","0","0","2022-02-15T23:58:54Z","2022-02-24T18:51:11Z","4598" "*.exe -sc dclist > *",".{0,1000}\.exe\s\-sc\sdclist\s\>\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. 
Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://github.com/aancw/community-threats/blob/82ece2dec931d175ed47276d426f526610aa8262/Ryuk/VFS/adf.bat#L4","1","0","N/A","N/A","10","1","0","0","2022-02-15T23:58:54Z","2022-02-24T18:51:11Z","4599" "*.exe -sc getacls -sddlfilter *",".{0,1000}\.exe\s\-sc\sgetacls\s\-sddlfilter\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4600" "*.exe -sc trustdmp > *",".{0,1000}\.exe\s\-sc\strustdmp\s\>\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. 
including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://github.com/aancw/community-threats/blob/82ece2dec931d175ed47276d426f526610aa8262/Ryuk/VFS/adf.bat#L4","1","0","N/A","N/A","10","1","0","0","2022-02-15T23:58:54Z","2022-02-24T18:51:11Z","4601" "*.exe shadowcopy delete*",".{0,1000}\.exe\sshadowcopy\sdelete.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR - Dispossessor","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","4608" "*.exe -subnets -f (objectCategory=subnet) > *",".{0,1000}\.exe\s\-subnets\s\-f\s\(objectCategory\=subnet\)\s\>\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. 
Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://github.com/aancw/community-threats/blob/82ece2dec931d175ed47276d426f526610aa8262/Ryuk/VFS/adf.bat#L4","1","0","N/A","N/A","10","1","0","0","2022-02-15T23:58:54Z","2022-02-24T18:51:11Z","4623" "*.exec*.interact.sh*",".{0,1000}\.exec.{0,1000}\.interact\.sh.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","4660" "*.free.pinggy.online*",".{0,1000}\.free\.pinggy\.online.{0,1000}","greyware_tool_keyword","pinggy","Create HTTP/TCP or TLS tunnels to your Mac/PC. 
Even if it is sitting behind firewalls and NATs.","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://pinggy.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4665" "*.gofile.io/uploadFile*",".{0,1000}\.gofile\.io\/uploadFile.{0,1000}","greyware_tool_keyword","gofile.io","legitimate service abused by lots of stealer to exfiltrate data","T1567.002","TA0010","N/A","Hive - Royal - LockBit - Vice Society - BlackSuit - Conti","Data Exfiltration","https://gofile.io","1","1","#filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","4670" "*.in.zrok.io*",".{0,1000}\.in\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","4677" "*.interactsh.com",".{0,1000}\.interactsh\.com","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. 
It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","0","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","4678" "*.l.tunwg.com*",".{0,1000}\.l\.tunwg\.com.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","4686" "*.localltunnel.me*",".{0,1000}\.localltunnel\.me.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","1","N/A","keyword and regex spell the domain localltunnel.me while the tool name and link say localtunnel - verify the spelling","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","4696" "*.loclx.io:*",".{0,1000}\.loclx\.io\:.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","4697" "*.meshagent.pid*",".{0,1000}\.meshagent\.pid.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","4701" "*.mspa.n-able.com*",".{0,1000}\.mspa\.n\-able\.com.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4703" "*.myftp.biz*",".{0,1000}\.myftp\.biz.{0,1000}","greyware_tool_keyword","myftp.biz","dyndns - lots of subdomains associated with malwares - could be used in various ways for both legitimate and malicious activities (malicious mostly)","T1071 - T1021 - T1095 - T1059","TA0010 - TA0008 - TA0009 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/hagezi/dns-blocklists/blob/9d6562bddc175b59241d5935531f648cd6b6d9c8/rpz/dyndns.txt#L103","1","1","#filehostingservice #P2P","N/A","10","10","10725","340","2025-04-22T19:18:32Z","2022-04-25T07:13:09Z","4704" "*.myftp.org*",".{0,1000}\.myftp\.org.{0,1000}","greyware_tool_keyword","myftp.org","dyndns - lots of subdomains associated with malwares - myftp.org could be used in various ways for both legitimate and malicious activities (malicious mostly)","T1071 - T1021 - T1095 - T1059","TA0010 - TA0008 - TA0009 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/pan-unit42/iocs/blob/master/rat_nest/iocs.csv","1","1","#filehostingservice #P2P","N/A","10","8","711","152","2025-04-05T02:03:37Z","2015-06-04T13:37:09Z","4705" "*.ngrok.me*",".{0,1000}\.ngrok\.me.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","4709" "*.ps1 -sysinfo Enum*",".{0,1000}\.ps1\s\-sysinfo\sEnum.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - 
T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","4766" "*.py *--proxy socks5://*",".{0,1000}\.py\s.{0,1000}\-\-proxy\ssocks5\:\/\/.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","4811" "*.rclone.exe config*",".{0,1000}\.rclone\.exe\sconfig.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","4860" "*.realtime.services.box.net*",".{0,1000}\.realtime\.services\.box\.net.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - 
TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","1","#dnsquery","N/A","6","7","N/A","N/A","N/A","N/A","4861" "*.rel.tunnels.api.visualstudio.com*",".{0,1000}\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","0","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4862" "*.relay.splashtop.com*",".{0,1000}\.relay\.splashtop\.com.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4863" "*.remotepc.com*",".{0,1000}\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4864" "*.remotepc.com*",".{0,1000}\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","network","10","10","N/A","N/A","N/A","N/A","4865" "*.remoteutilities.com*",".{0,1000}\.remoteutilities\.com.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4866" "*.remoteview.logmein.com*",".{0,1000}\.remoteview\.logmein\.com.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4867" "*.router.teamviewer.com*",".{0,1000}\.router\.teamviewer\.com.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","4871" "*.rsocks.plist*",".{0,1000}\.rsocks\.plist.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","4872" "*.server_DoElevationRequest((Get-NtProcess -ProcessId $pid)*""cmd.exe""*C:\""*",".{0,1000}\.server_DoElevationRequest\(\(Get\-NtProcess\s\-ProcessId\s\$pid\).{0,1000}\""cmd\.exe\"".{0,1000}C\:\\\"".{0,1000}","greyware_tool_keyword","sudo","sudo on windows allowing privilege escalation","T1068 - T1548","TA0004 - TA0005","N/A","N/A","Privilege 
Escalation","https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html","1","0","#linux","N/A","7","8","N/A","N/A","N/A","N/A","4884" "*.servicedesk.atera.com/GetAgent*",".{0,1000}\.servicedesk\.atera\.com\/GetAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4885" "*.share.zrok.io*",".{0,1000}\.share\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","4904" "*.srv.browser.lol*",".{0,1000}\.srv\.browser\.lol.{0,1000}","greyware_tool_keyword","browser.lol","Virtual Browser - Safely visit blocked or risky websites - can be used to bypass network restrictions within a corporate environment","T1071 - T1090 - T1562","TA0005","N/A","N/A","Defense Evasion","https://browser.lol","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","4910" "*.static.mega.co.nz*",".{0,1000}\.static\.mega\.co\.nz.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","4915" 
"*.tailscale-keyring.list*",".{0,1000}\.tailscale\-keyring\.list.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","4920" "*.trycloudfare.com*DavWWWRoot*",".{0,1000}\.trycloudfare\.com.{0,1000}DavWWWRoot.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","keyword and regex spell the domain trycloudfare.com while the tool name and description say trycloudflare.com - verify the spelling","10","10","N/A","N/A","N/A","N/A","4923" "*.tunnel.pyjam.as*",".{0,1000}\.tunnel\.pyjam\.as.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4924" "*.tunnelto.dev*",".{0,1000}\.tunnelto\.dev.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","4929" "*.userstorage.mega.co.nz/ul/*",".{0,1000}\.userstorage\.mega\.co\.nz\/ul\/.{0,1000}","greyware_tool_keyword","mega.co.nz","uploading data to mega cloud","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered 
Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR - Dispossessor","Data Exfiltration","https://mega.io/","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","4944" "*.v2.argotunnel.com*",".{0,1000}\.v2\.argotunnel\.com.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","4945" "*.vm.sshx.internal:8051*",".{0,1000}\.vm\.sshx\.internal\:8051.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","0","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","4948" "*.vsax.net*",".{0,1000}\.vsax\.net.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4950" "*.xeox.com*",".{0,1000}\.xeox\.com.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4956" 
"*.zohoassist.com.cn*",".{0,1000}\.zohoassist\.com\.cn.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4979" "*.zohoassist.jp*",".{0,1000}\.zohoassist\.jp.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","4980" "*.zrok.quigley.com*",".{0,1000}\.zrok\.quigley\.com.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","4981" "*/*.loclx.io*",".{0,1000}\/.{0,1000}\.loclx\.io.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","4983" "*/.anydesk/.anydesk.trace*",".{0,1000}\/\.anydesk\/\.anydesk\.trace.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - 
Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","5004" "*/.anydesk/service.conf*",".{0,1000}\/\.anydesk\/service\.conf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","5005" "*/.anydesk/system.conf*",".{0,1000}\/\.anydesk\/system\.conf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","5006" "*/.anydesk/user.conf*",".{0,1000}\/\.anydesk\/user\.conf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","5007" "*/.btunnel.*",".{0,1000}\/\.btunnel\..{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a 
publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","#linux","N/A","9","8","N/A","N/A","N/A","N/A","5008" "*/.fleetctl/fleetctl*",".{0,1000}\/\.fleetctl\/fleetctl.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#linux","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","5015" "*/.ltproxy.yml*",".{0,1000}\/\.ltproxy\.yml.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","5022" "*/.ssh/dropbear*",".{0,1000}\/\.ssh\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","5038" "*/.tmate.conf*",".{0,1000}\/\.tmate\.conf.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","5040" "*/.tunneld/*.key*",".{0,1000}\/\.tunneld\/.{0,1000}\.key.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#linux","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","5041" 
"*/.zrok/*.json*",".{0,1000}\/\.zrok\/.{0,1000}\.json.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","5043" "*/.zrok:/.zrok*",".{0,1000}\/\.zrok\:\/\.zrok.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","5044" "*// NewHTTPClient creates a new zrok HTTP client.*",".{0,1000}\/\/\sNewHTTPClient\screates\sa\snew\szrok\sHTTP\sclient\..{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#content #linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","5049" "*// Package tunnel is a server/client package that enables to proxy public*",".{0,1000}\/\/\sPackage\stunnel\sis\sa\sserver\/client\spackage\sthat\senables\sto\sproxy\spublic.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. 
What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","#linux #content","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","5050" "*/_sish/console*",".{0,1000}\/_sish\/console.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","#linux","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","5065" "*/3proxy-*.deb*",".{0,1000}\/3proxy\-.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","1","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","5088" "*/3proxy-*.rpm*",".{0,1000}\/3proxy\-.{0,1000}\.rpm.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","1","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","5089" "*/3proxy-*.zip*",".{0,1000}\/3proxy\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","1","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","5090" "*/3proxy.exe*",".{0,1000}\/3proxy\.exe.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense 
Evasion","https://github.com/3proxy/3proxy","1","1","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","5091" "*/3proxy.git*",".{0,1000}\/3proxy\.git.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","1","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","5092" "*/3proxy.log*",".{0,1000}\/3proxy\.log.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","1","#logfile #linux","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","5093" "*/a.pinggy.io*",".{0,1000}\/a\.pinggy\.io.{0,1000}","greyware_tool_keyword","pinggy","Create HTTP/TCP or TLS tunnels to your Mac/PC. Even if it is sitting behind firewalls and NATs.","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://pinggy.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5100" "*/AADInternals.git*",".{0,1000}\/AADInternals\.git.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","5102" "*/action1_agent(My_Organization).msi*",".{0,1000}\/action1_agent\(My_Organization\)\.msi.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - 
MONTI","RMM","https://app.action1.com/","1","1","N/A","product name","10","10","N/A","N/A","N/A","N/A","5123" "*/AD_Miner.git*",".{0,1000}\/AD_Miner\.git.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","1","N/A","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","5127" "*/AD_Miner/releases/*",".{0,1000}\/AD_Miner\/releases\/.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","1","N/A","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","5128" "*/adaudit.git*",".{0,1000}\/adaudit\.git.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","1","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","5138" "*/adaudit.ps1*",".{0,1000}\/adaudit\.ps1.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","1","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","5140" "*/AD-common-queries.git*",".{0,1000}\/AD\-common\-queries\.git.{0,1000}","greyware_tool_keyword","AD-common-queries","Collection of common ADSI queries for Domain Account enumeration","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - 
TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","1","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","5147" "*/AdFind.zip*",".{0,1000}\/AdFind\.zip.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However, attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5186" "*/ADGet.exe*",".{0,1000}\\ADGet\.exe.{0,1000}","greyware_tool_keyword","adget","gather valuable information about the AD environment","T1018 - T1027 - T1046 - T1057 - T1069 - T1087 - T1098 - T1482","TA0001 - TA0002 - TA0003 - TA0007 - TA0011","N/A","N/A","Discovery","https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5198" "*/ADRecon*",".{0,1000}\/ADRecon.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/sense-of-security/ADRecon","1","1","N/A","N/A","10","10","1786","292","2020-06-15T05:23:14Z","2017-11-29T23:01:53Z","5212" "*/ADRecon.git*",".{0,1000}\/ADRecon\.git.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers 
information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","5213" "*/ADRecon.ps1*",".{0,1000}\/ADRecon\.ps1.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","1","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","5214" "*/Advanced_Port_Scanner_*.exe*",".{0,1000}\/Advanced_Port_Scanner_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","5218" "*/aeroadmin.exe*",".{0,1000}\/aeroadmin\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5219" "*/Agent/AcknowledgeCommands/*",".{0,1000}\/Agent\/AcknowledgeCommands\/.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - 
TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5229" "*/Agent/GetCommandsFallback/*",".{0,1000}\/Agent\/GetCommandsFallback\/.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5231" "*/Agent/GetEnvironmentStatus/*",".{0,1000}\/Agent\/GetEnvironmentStatus\/.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5232" "*/Agent/GetRecurringPackages/*",".{0,1000}\/Agent\/GetRecurringPackages\/.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5233" "*/Ahk2Exe.exe*",".{0,1000}\/Ahk2Exe\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5255" 
"*/Ahk2Exe.git*",".{0,1000}\/Ahk2Exe\.git.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5256" "*/Ahk2Exe.zip*",".{0,1000}\/Ahk2Exe\.zip.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5257" "*/Ahk2Exe1.*.zip*",".{0,1000}\/Ahk2Exe1\..{0,1000}\.zip.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5258" "*/ahk-install.exe*",".{0,1000}\/ahk\-install\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5259" "*/ahk-v2.exe*",".{0,1000}\/ahk\-v2\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5260" 
"*/Alpemix.zip*",".{0,1000}\/Alpemix\.zip.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5281" "*/amalshaji/portr-admin/*",".{0,1000}\/amalshaji\/portr\-admin\/.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","5282" "*/amidaware/rmmagent/releases/download/*",".{0,1000}\/amidaware\/rmmagent\/releases\/download\/.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","5288" "*/Amperage.exe*",".{0,1000}\/Amperage\.exe.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","1","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","5291" "*/AmperageKit.git*",".{0,1000}\/AmperageKit\.git.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","1","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","5292" 
"*/AmperageKit/releases/*",".{0,1000}\/AmperageKit\/releases\/.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","1","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","5293" "*/Anydesk.exe",".{0,1000}\/Anydesk\.exe","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","1","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","5333" "*/anyplace-control/data2/*.exe*",".{0,1000}\/anyplace\-control\/data2\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5334" "*/anyproxy.log*",".{0,1000}\/anyproxy\.log.{0,1000}","greyware_tool_keyword","CursedChrome","Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies allowing you to browse sites as your victims","T1176 - T1219 - T1090","TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/mandatoryprogrammer/CursedChrome","1","0","#linux","anyproxy","10","10","1533","226","2024-10-26T19:06:54Z","2020-04-26T20:55:05Z","5335" "*/AnyViewerSetup.exe*",".{0,1000}\/AnyViewerSetup\.exe.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","www.anyviewer.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5336" "*/apache-megacmd.conf*",".{0,1000}\/apache\-megacmd\.conf.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","5338" "*/Apemix.exe*",".{0,1000}\/Apemix\.exe.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5342" "*/api/latest/fleet/mdm/bootstrap?token=*",".{0,1000}\/api\/latest\/fleet\/mdm\/bootstrap\?token\=.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","5350" "*/api/v1/fleet/mdm/sso/callback*",".{0,1000}\/api\/v1\/fleet\/mdm\/sso\/callback.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","5365" "*/app/pgrokd/*",".{0,1000}\/app\/pgrokd\/.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#linux","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","5381" "*/AppFiles/ipscan.exe*",".{0,1000}\/AppFiles\/ipscan\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","5382" "*/Applications/Anydesk.app/*",".{0,1000}\/Applications\/Anydesk\.app\/.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#macos","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","5383" "*/Applications/Managed Workplace/Onsite Manager/logs/*",".{0,1000}\/Applications\/Managed\sWorkplace\/Onsite\sManager\/logs\/.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","5384" "*/Applications/MEGAcmd.app*",".{0,1000}\/Applications\/MEGAcmd\.app.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#macos","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","5385" "*/Applications/remoteit.app/*",".{0,1000}\/Applications\/remoteit\.app\/.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#macos","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","5386" "*/Assistance rapide Installer.exe*",".{0,1000}\/Assistance\srapide\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","1","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","5428" "*/Assistenza rapida Installer.exe*",".{0,1000}\/Assistenza\srapida\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","1","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","5429" "*/atnow.exe*",".{0,1000}\/atnow\.exe.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","1","N/A","N/A","7","7","N/A","N/A","N/A","N/A","5454" "*/atnow.zip*",".{0,1000}\/atnow\.zip.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - 
RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","1","N/A","N/A","7","7","N/A","N/A","N/A","N/A","5455" "*/AttendedUDP.zip*",".{0,1000}\/AttendedUDP\.zip.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5466" "*/AutoHotkey.exe*",".{0,1000}\/AutoHotkey\.exe.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","5478" "*/AutoHotkey.git*",".{0,1000}\/AutoHotkey\.git.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","5479" "*/AutoHotkey/releases/download/*",".{0,1000}\/AutoHotkey\/releases\/download\/.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives 
expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","5480" "*/AutoHotkey_*.zip*",".{0,1000}\/AutoHotkey_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","5481" "*/AutoHotkey_1*_setup.exe*",".{0,1000}\/AutoHotkey_1.{0,1000}_setup\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5482" "*/AutoHotkey_2*_setup.exe*",".{0,1000}\/AutoHotkey_2.{0,1000}_setup\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5483" "*/AutoHotkey64.exe*",".{0,1000}\/AutoHotkey64\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","5484" "*/AutoHotkey64.exe*",".{0,1000}\/AutoHotkey64\.exe.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and 
automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","5485" "*/Aweray_Remote_*.exe*",".{0,1000}\/Aweray_Remote_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5505" "*/Aweray_Remote_*.zip*",".{0,1000}\/Aweray_Remote_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5506" "*/bin/bash -c 'wg addconf *",".{0,1000}\/bin\/bash\s\-c\s\'wg\saddconf\s.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","5623" "*/bin/boringproxy*",".{0,1000}\/bin\/boringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#linux","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","5624" "*/bin/dataplicity*",".{0,1000}\/bin\/dataplicity.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#linux","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","5625" "*/bin/dropbear*",".{0,1000}\/bin\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","5626" "*/bin/meshagent*",".{0,1000}\/bin\/meshagent.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","5635" "*/bin/MeshCommander*",".{0,1000}\/bin\/MeshCommander.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","5636" "*/bin/portr*",".{0,1000}\/bin\/portr.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#linux","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","5638" "*/bin/rsocks*",".{0,1000}\/bin\/rsocks.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#linux","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","5651" "*/bin/sh | nc*",".{0,1000}\/bin\/sh\s\|\snc.{0,1000}","greyware_tool_keyword","shell","Reverse Shell Command Line","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml","1","0","#linux","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","5652" "*/bin/sh -i <&3 >&3 2>&3*",".{0,1000}\/bin\/sh\s\-i\s\<\&3\s\>\&3\s2\>\&3.{0,1000}","greyware_tool_keyword","shell","Reverse Shell Command Line","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml","1","0","#linux","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","5654" "*/bin/staqlab-tunnel*",".{0,1000}\/bin\/staqlab\-tunnel.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","0","#linux","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","5656" "*/bin/syncthing*",".{0,1000}\/bin\/syncthing.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data 
Exfiltration","https://github.com/syncthing/syncthing","1","0","#linux","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","5657" "*/bin/tunnelmole.js*",".{0,1000}\/bin\/tunnelmole\.js.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","#linux","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","5661" "*/bin/tunwg*",".{0,1000}\/bin\/tunwg.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#linux","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","5662" "*/bin/wireproxy*",".{0,1000}\/bin\/wireproxy.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","5665" "*/bin/x64/connectd.exe*",".{0,1000}\/bin\/x64\/connectd\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","#linux","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","5666" "*/BitLockerToGo.exe*",".{0,1000}\/BitLockerToGo\.exe.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like LummaSteale to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Defense 
Evasion","https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/","0","1","N/A","high FP - hunting only","3","8","N/A","N/A","N/A","N/A","5676" "*/bomgar-rep.exe*",".{0,1000}\/bomgar\-rep\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5761" "*/bomgar-rep-installer.exe*",".{0,1000}\/bomgar\-rep\-installer\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5762" "*/bomgar-scc-*.exe*",".{0,1000}\/bomgar\-scc\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5763" "*/bomgar-scc.exe*",".{0,1000}\/bomgar\-scc\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","5764" "*/boringproxy.git*",".{0,1000}\/boringproxy\.git.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","5767" "*/boringproxy-client.service*",".{0,1000}\/boringproxy\-client\.service.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","5768" "*/boringproxy-server.service*",".{0,1000}\/boringproxy\-server\.service.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","5769" "*/BoxDrive.msi*",".{0,1000}\/BoxDrive\.msi.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","5770" "*/btunnel.exe*",".{0,1000}\/btunnel\.exe.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","5847" "*/btunnel.log*",".{0,1000}\/btunnel\.log.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://www.btunnel.in","1","0","#linux","N/A","9","8","N/A","N/A","N/A","N/A","5848" "*/cloud.telebit.remote.plist*",".{0,1000}\/cloud\.telebit\.remote\.plist.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","6086" "*/cloudflared.git*",".{0,1000}\/cloudflared\.git.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","6091" "*/cloudflared/tunnel/*",".{0,1000}\/cloudflared\/tunnel\/.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","6092" "*/cloudflared-linux-*.deb*",".{0,1000}\/cloudflared\-linux\-.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - 
FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","6093" "*/cloudflared-linux-*.rpm*",".{0,1000}\/cloudflared\-linux\-.{0,1000}\.rpm.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","6094" "*/cmd/tailscaled*",".{0,1000}\/cmd\/tailscaled.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","6105" "*/com.tonyseek.rsocks.plist*",".{0,1000}\/com\.tonyseek\.rsocks\.plist.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#linux","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","6153" "*/config/apps/http/servers/sirtunnel/routes*",".{0,1000}\/config\/apps\/http\/servers\/sirtunnel\/routes.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","6181" 
"*/connectd.aarch64-win.exe*",".{0,1000}\/connectd\.aarch64\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","6189" "*/connectd.x86_64-win.exe*",".{0,1000}\/connectd\.x86_64\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","6190" "*/Create /TN TVInstallRestore /TR *",".{0,1000}\/Create\s\/TN\sTVInstallRestore\s\/TR\s.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","6229" "*/croc.exe*",".{0,1000}\/croc\.exe.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","1","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","6271" "*/croc.service*",".{0,1000}\/croc\.service.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - 
TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","6272" "*/croc/releases/download/v10*",".{0,1000}\/croc\/releases\/download\/v10.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","1","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","6273" "*/croc/releases/latest*",".{0,1000}\/croc\/releases\/latest.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","1","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","6274" "*/croc-entrypoint.sh*",".{0,1000}\/croc\-entrypoint\.sh.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","6275" "*/crowbar.git*",".{0,1000}\/crowbar\.git.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6285" "*/crowbar_1.0.0_darwin_386.zip*",".{0,1000}\/crowbar_1\.0\.0_darwin_386\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP 
session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6286" "*/crowbar_1.0.0_darwin_amd64.zip*",".{0,1000}\/crowbar_1\.0\.0_darwin_amd64\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6287" "*/crowbar_1.0.0_freebsd_386.zip*",".{0,1000}\/crowbar_1\.0\.0_freebsd_386\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6288" "*/crowbar_1.0.0_freebsd_amd64.zip*",".{0,1000}\/crowbar_1\.0\.0_freebsd_amd64\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6289" "*/crowbar_1.0.0_freebsd_arm.zip*",".{0,1000}\/crowbar_1\.0\.0_freebsd_arm\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6290" "*/crowbar_1.0.0_linux_386.tar.gz*",".{0,1000}\/crowbar_1\.0\.0_linux_386\.tar\.gz.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6291" "*/crowbar_1.0.0_linux_amd64.tar.gz*",".{0,1000}\/crowbar_1\.0\.0_linux_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6292" "*/crowbar_1.0.0_linux_arm.tar.gz*",".{0,1000}\/crowbar_1\.0\.0_linux_arm\.tar\.gz.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6293" "*/crowbar_1.0.0_openbsd_386.zip*",".{0,1000}\/crowbar_1\.0\.0_openbsd_386\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6294" "*/crowbar_1.0.0_openbsd_amd64.zip*",".{0,1000}\/crowbar_1\.0\.0_openbsd_amd64\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6295" "*/crowbar_1.0.0_windows_386.zip*",".{0,1000}\/crowbar_1\.0\.0_windows_386\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6296" 
"*/crowbar_1.0.0_windows_amd64.zip*",".{0,1000}\/crowbar_1\.0\.0_windows_amd64\.zip.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6297" "*/damewareagent.exe*",".{0,1000}\/damewareagent\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","6397" "*/dataplicity.app*",".{0,1000}\/dataplicity\.app.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#linux","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","6436" "*/dataplicity.conf*",".{0,1000}\/dataplicity\.conf.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#linux","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","6437" "*/dataplicity.log*",".{0,1000}\/dataplicity\.log.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#linux","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","6438" "*/dataplicity-agent.git*",".{0,1000}\/dataplicity\-agent\.git.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","6439" "*/dataplicity-agent/releases/download*",".{0,1000}\/dataplicity\-agent\/releases\/download.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","6440" "*/docker/compose/zrok-instance/*",".{0,1000}\/docker\/compose\/zrok\-instance\/.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","6707" "*/download*mediafire.com/",".{0,1000}\/download.{0,1000}mediafire\.com\/","greyware_tool_keyword","mediafire","downloading from mediafire","T1105 - T1083 - T1560","TA0009 ","N/A","Black Basta","Collection","N/A","1","1","#filehostingservice","N/A","7","8","N/A","N/A","N/A","N/A","6750" "*/download/fiddler/fiddler-everywhere-windows*",".{0,1000}\/download\/fiddler\/fiddler\-everywhere\-windows.{0,1000}","greyware_tool_keyword","fiddler","fiddler - capture https requests","T1056 - T1040 - T1557","TA0009 - TA00010","N/A","N/A","Collection","https://www.telerik.com/","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","6751" "*/download/pcunlocker*",".{0,1000}\/download\/pcunlocker.{0,1000}","greyware_tool_keyword","pcunlocker","Reset and unlock forgotten Windows login password","T1078","TA0005 - TA0006 - TA0009","N/A","N/A","Credential Access","https://www.pcunlocker.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","6754" "*/downloads/ultravnc.html*",".{0,1000}\/downloads\/ultravnc\.html.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","6771" "*/dropbear.git*",".{0,1000}\/dropbear\.git.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","1","N/A","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6792" 
"*/dropbear.init*",".{0,1000}\/dropbear\.init.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6793" "*/dropbear.log*",".{0,1000}\/dropbear\.log.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6794" "*/dropbear/releases/*",".{0,1000}\/dropbear\/releases\/.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","1","N/A","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6795" "*/dropbear_dss_host_key*",".{0,1000}\/dropbear_dss_host_key.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6796" "*/dropbear_rsa_host_key*",".{0,1000}\/dropbear_rsa_host_key.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6797" "*/dropbear-sshj.git*",".{0,1000}\/dropbear\-sshj\.git.{0,1000}","greyware_tool_keyword","SSH-J.com","This is Dropbear SSH server modified to be used as a public SSH jump & port forwarding service","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - 
TA0011","N/A","N/A","C2","https://bitbucket.org/ValdikSS/dropbear-sshj/src/master/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","6798" "*/DuckDNS.7z*",".{0,1000}\/DuckDNS\.7z.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","6809" "*/DuckDNS.git*",".{0,1000}\/DuckDNS\.git.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","6810" "*/DuckDNS.zip""*",".{0,1000}\/DuckDNS\.zip\"".{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","6811" "*/duckdns/duck.log*",".{0,1000}\/duckdns\/duck\.log.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","#logfile #linux","N/A","5","10","N/A","N/A","N/A","N/A","6812" "*/duckdns/duck.sh*",".{0,1000}\/duckdns\/duck\.sh.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense 
Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","6813" "*/duckdns-powershell.git*",".{0,1000}\/duckdns\-powershell\.git.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","6814" "*/DumpS1.ps1*",".{0,1000}\/DumpS1\.ps1.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","6841" "*/dwagent.desktop*",".{0,1000}\/dwagent\.desktop.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#linux","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","6857" "*/dwagent.service*",".{0,1000}\/dwagent\.service.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#linux","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","6858" "*/dwagsystray*",".{0,1000}\/dwagsystray.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#linux","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","6859" 
"*/DWMRC_St_64.msi*",".{0,1000}\/DWMRC_St_64\.msi.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","6860" "*/DWRCC.exe*",".{0,1000}\/DWRCC\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","6861" "*/DWRCCMD.exe*",".{0,1000}\/DWRCCMD\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","6862" "*/DWRCS.exe*",".{0,1000}\/DWRCS\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","6863" "*/ehorus_agent_installer-*",".{0,1000}\/ehorus_agent_installer\-.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","6906" "*/Eraser 5.8.8.exe*",".{0,1000}\/Eraser\s5\.8\.8\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","6979" "*/Eraser 6.0.10.2620.exe*",".{0,1000}\/Eraser\s6\.0\.10\.2620\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","6980" "*/Eraser 6.0.8.2273.exe*",".{0,1000}\/Eraser\s6\.0\.8\.2273\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","6981" "*/Eraser 6.0.9.2343.exe*",".{0,1000}\/Eraser\s6\.0\.9\.2343\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense 
Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","6982" "*/Eraser 6.2.0.2994.exe*",".{0,1000}\/Eraser\s6\.2\.0\.2994\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abusedby attackers for anti forensic","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","6983" "*/EraserSetup.exe*",".{0,1000}\/EraserSetup\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abusedby attackers for anti forensic","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","6984" "*/etc/3proxy/conf*",".{0,1000}\/etc\/3proxy\/conf.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","#linux","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","6989" "*/etc/capabilities/shadowsocks.json*",".{0,1000}\/etc\/capabilities\/shadowsocks\.json.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","6990" "*/etc/crowbar/*",".{0,1000}\/etc\/crowbar\/.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6993" "*/etc/crowbard.conf*",".{0,1000}\/etc\/crowbard\.conf.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","6994" "*/etc/dataplicity*",".{0,1000}\/etc\/dataplicity.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#linux","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","6995" "*/etc/default/dropbear*",".{0,1000}\/etc\/default\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6996" "*/etc/dropbear/*",".{0,1000}\/etc\/dropbear\/.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","6998" "*/etc/ehorus/ehorus_agent*",".{0,1000}\/etc\/ehorus\/ehorus_agent.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","6999" "*/etc/fleet/fleet.env*",".{0,1000}\/etc\/fleet\/fleet\.env.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#linux","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","7000" "*/etc/init.d/ehorus_agent_daemon*",".{0,1000}\/etc\/init\.d\/ehorus_agent_daemon.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","7002" "*/etc/letsencrypt/live/jprq.site/*",".{0,1000}\/etc\/letsencrypt\/live\/jprq\.site\/.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","7010" "*/etc/level/config.yaml*",".{0,1000}\/etc\/level\/config\.yaml.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","7011" "*/etc/ltproxy.yml*",".{0,1000}\/etc\/ltproxy\.yml.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","7012" "*/etc/pagekite.d*",".{0,1000}\/etc\/pagekite\.d.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#linux","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","7014" "*/etc/pulseway/config.xml*",".{0,1000}\/etc\/pulseway\/config\.xml.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","7017" "*/etc/remoteit/*",".{0,1000}\/etc\/remoteit\/.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#linux","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","7018" "*/etc/shadowsocks-rust*",".{0,1000}\/etc\/shadowsocks\-rust.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","7021" "*/etc/sshuttle*",".{0,1000}\/etc\/sshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","7022" "*/etc/systemd/system/anydesk.service*",".{0,1000}\/etc\/systemd\/system\/anydesk\.service.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","7026" "*/etc/systemd/system/localtunnel.service*",".{0,1000}\/etc\/systemd\/system\/localtunnel\.service.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/kaichaosun/rlt","1","0","#linux","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","7028" "*/etc/wireguard/*.conf*",".{0,1000}\/etc\/wireguard\/.{0,1000}\.conf.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","#linux","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","7031" "*/etc/wireguard/*.conf*",".{0,1000}\/etc\/wireguard\/.{0,1000}\.conf.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","7032" "*/etc/wireguard/*.conf*",".{0,1000}\/etc\/wireguard\/.{0,1000}\.conf.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","7033" "*/etc/zrok.env*",".{0,1000}\/etc\/zrok\.env.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","7035" "*/etc/zrok/*",".{0,1000}\/etc\/zrok\/.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","7036" "*/expose/database/expose.db*",".{0,1000}\/expose\/database\/expose\.db.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","1","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","7151" "*/expose/raw/master/builds/expose*",".{0,1000}\/expose\/raw\/master\/builds\/expose.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","1","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","7152" "*/Fiddler Everywhere *.*.*.exe*",".{0,1000}\/Fiddler\sEverywhere\s.{0,1000}\..{0,1000}\..{0,1000}\.exe.{0,1000}","greyware_tool_keyword","fiddler","fiddler - capture https requests","T1056 - T1040 - T1557","TA0009 - TA00010","N/A","N/A","Collection","https://www.telerik.com/","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","7190" "*/FileZilla_*_sponsored-setup.exe*",".{0,1000}\/FileZilla_.{0,1000}_sponsored\-setup\.exe.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence 
and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","1","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","7199" "*/FileZilla_Server_*.deb*",".{0,1000}\/FileZilla_Server_.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","1","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","7200" "*/fleet_v*_linux.tar.gz*",".{0,1000}\/fleet_v.{0,1000}_linux\.tar\.gz.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","#linux","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","7216" "*/fleetd.crx*",".{0,1000}\/fleetd\.crx.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","7217" "*/fleetdm/fleet/releases/download/*",".{0,1000}\/fleetdm\/fleet\/releases\/download\/.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","7218" 
"*/fleetdm/fleet/releases/latest*",".{0,1000}\/fleetdm\/fleet\/releases\/latest.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","7219" "*/FreeFileSync.exe*",".{0,1000}\/FreeFileSync\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7247" "*/FreeFileSync.tar.gz*",".{0,1000}\/FreeFileSync\.tar\.gz.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7248" "*/FreeFileSync_*.tar.gz*",".{0,1000}\/FreeFileSync_.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7249" "*/FreeFileSync_*_Windows_Setup.exe*",".{0,1000}\/FreeFileSync_.{0,1000}_Windows_Setup\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7250" 
"*/FreeFileSync_x64.exe*",".{0,1000}\/FreeFileSync_x64\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7251" "*/FreeFileSyncPortable_*.exe*",".{0,1000}\/FreeFileSyncPortable_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7252" "*/frp.git*",".{0,1000}\/frp\.git.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7258" "*/frp_0.*.*_darwin_amd64.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_darwin_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7259" "*/frp_0.*.*_darwin_arm64.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_darwin_arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7260" "*/frp_0.*.*_freebsd_amd64.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_freebsd_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7261" "*/frp_0.*.*_linux_amd64.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7262" "*/frp_0.*.*_linux_arm.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_arm\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7263" "*/frp_0.*.*_linux_arm64.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7264" 
"*/frp_0.*.*_linux_mips.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_mips\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7265" "*/frp_0.*.*_linux_mips64.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_mips64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7266" "*/frp_0.*.*_linux_mips64le.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_mips64le\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7267" "*/frp_0.*.*_linux_mipsle.tar.gz*",".{0,1000}\/frp_0\..{0,1000}\..{0,1000}_linux_mipsle\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7268" "*/frpc.exe*",".{0,1000}\/frpc\.exe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - 
TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","7270" "*/frpc-mem.log*",".{0,1000}\/frpc\-mem\.log.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#linux","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","7271" "*/frps-mem.log*",".{0,1000}\/frps\-mem\.log.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#linux","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","7272" "*/genacl_proxy_gfw_bypass_china_ip.py",".{0,1000}\/genacl_proxy_gfw_bypass_china_ip\.py","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","7347" "*/github.com*.exe?raw=true*",".{0,1000}\/github\.com.{0,1000}\.exe\?raw\=true.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7414" "*/github.com/*/archive/refs/tags/*.zip*",".{0,1000}\/github\.com\/.{0,1000}\/archive\/refs\/tags\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve 
payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7415" "*/github.com/*/raw/main/*.7z*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.7z.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7416" "*/github.com/*/raw/main/*.apk*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.apk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7417" "*/github.com/*/raw/main/*.app*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.app.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7418" "*/github.com/*/raw/main/*.as*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.as.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7419" "*/github.com/*/raw/main/*.asc*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.asc.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","7420" "*/github.com/*/raw/main/*.asp*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.asp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7421" "*/github.com/*/raw/main/*.bash*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.bash.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","#linux","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7422" "*/github.com/*/raw/main/*.bat*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7423" "*/github.com/*/raw/main/*.beacon*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.beacon.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7424" "*/github.com/*/raw/main/*.bin*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.bin.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7425" 
"*/github.com/*/raw/main/*.bpl*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.bpl.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7426" "*/github.com/*/raw/main/*.c*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.c.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7427" "*/github.com/*/raw/main/*.cer*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.cer.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7428" "*/github.com/*/raw/main/*.cmd*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7429" "*/github.com/*/raw/main/*.com*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.com.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7430" "*/github.com/*/raw/main/*.cpp*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.cpp.{0,1000}","greyware_tool_keyword","github","Github raw 
access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7431" "*/github.com/*/raw/main/*.crt*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.crt.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7432" "*/github.com/*/raw/main/*.cs*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.cs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7433" "*/github.com/*/raw/main/*.csh*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.csh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7434" "*/github.com/*/raw/main/*.dat*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.dat.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7435" "*/github.com/*/raw/main/*.dll*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool 
- risks of False positive !","9","10","N/A","N/A","N/A","N/A","7436" "*/github.com/*/raw/main/*.docm*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.docm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7437" "*/github.com/*/raw/main/*.dos*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.dos.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7438" "*/github.com/*/raw/main/*.exe*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7439" "*/github.com/*/raw/main/*.go*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.go.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7440" "*/github.com/*/raw/main/*.gz*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.gz.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7441" 
"*/github.com/*/raw/main/*.hta*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7442" "*/github.com/*/raw/main/*.iso*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.iso.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7443" "*/github.com/*/raw/main/*.jar*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.jar.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7444" "*/github.com/*/raw/main/*.js*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.js.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7445" "*/github.com/*/raw/main/*.lnk*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.lnk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7446" "*/github.com/*/raw/main/*.log*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.log.{0,1000}","greyware_tool_keyword","github","Github raw 
access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7447" "*/github.com/*/raw/main/*.mac*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.mac.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7448" "*/github.com/*/raw/main/*.mam*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.mam.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7449" "*/github.com/*/raw/main/*.msi*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7450" "*/github.com/*/raw/main/*.msp*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.msp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7451" "*/github.com/*/raw/main/*.nexe*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.nexe.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware 
tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7452" "*/github.com/*/raw/main/*.nim*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.nim.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7453" "*/github.com/*/raw/main/*.otm*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.otm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7454" "*/github.com/*/raw/main/*.out*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.out.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7455" "*/github.com/*/raw/main/*.ova*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.ova.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7456" "*/github.com/*/raw/main/*.pem*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pem.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7457" 
"*/github.com/*/raw/main/*.pfx*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pfx.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7458" "*/github.com/*/raw/main/*.pl*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pl.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7459" "*/github.com/*/raw/main/*.plx*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.plx.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7460" "*/github.com/*/raw/main/*.pm*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7461" "*/github.com/*/raw/main/*.ppk*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.ppk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7462" "*/github.com/*/raw/main/*.ps1*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","github","Github raw 
access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7463" "*/github.com/*/raw/main/*.psm1*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.psm1.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7464" "*/github.com/*/raw/main/*.pub*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pub.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7465" "*/github.com/*/raw/main/*.py*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.py.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7466" "*/github.com/*/raw/main/*.pyc*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pyc.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7467" "*/github.com/*/raw/main/*.pyo*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.pyo.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware 
tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7468" "*/github.com/*/raw/main/*.rar*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.rar.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7469" "*/github.com/*/raw/main/*.raw*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.raw.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7470" "*/github.com/*/raw/main/*.reg*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.reg.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7471" "*/github.com/*/raw/main/*.rgs*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.rgs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7472" "*/github.com/*/raw/main/*.RGS*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.RGS.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7473" 
"*/github.com/*/raw/main/*.run*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.run.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7474" "*/github.com/*/raw/main/*.scpt*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.scpt.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7475" "*/github.com/*/raw/main/*.script*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.script.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7476" "*/github.com/*/raw/main/*.sct*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.sct.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7477" "*/github.com/*/raw/main/*.sh*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.sh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7478" 
"*/github.com/*/raw/main/*.ssh*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.ssh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7479" "*/github.com/*/raw/main/*.sys*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.sys.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7480" "*/github.com/*/raw/main/*.teamserver*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.teamserver.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7481" "*/github.com/*/raw/main/*.temp*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.temp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7482" "*/github.com/*/raw/main/*.tgz*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.tgz.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7483" 
"*/github.com/*/raw/main/*.tmp*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.tmp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7484" "*/github.com/*/raw/main/*.vb*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.vb.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7485" "*/github.com/*/raw/main/*.vbs*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7486" "*/github.com/*/raw/main/*.vbscript*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.vbscript.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7487" "*/github.com/*/raw/main/*.ws*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.ws.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7488" 
"*/github.com/*/raw/main/*.wsf*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.wsf.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7489" "*/github.com/*/raw/main/*.wsh*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.wsh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7490" "*/github.com/*/raw/main/*.X86*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.X86.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7491" "*/github.com/*/raw/main/*.X86_64*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.X86_64.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7492" "*/github.com/*/raw/main/*.xlam*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.xlam.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7493" 
"*/github.com/*/raw/main/*.xlm*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.xlm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7494" "*/github.com/*/raw/main/*.xlsm*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.xlsm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7495" "*/github.com/*/raw/main/*.zip*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/main\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7496" "*/github.com/*/raw/refs/heads/*.7z*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.7z.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7497" "*/github.com/*/raw/refs/heads/*.apk*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.apk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7498" 
"*/github.com/*/raw/refs/heads/*.bat*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7499" "*/github.com/*/raw/refs/heads/*.cmd*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7500" "*/github.com/*/raw/refs/heads/*.com*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.com.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7501" "*/github.com/*/raw/refs/heads/*.cpl*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.cpl.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7502" "*/github.com/*/raw/refs/heads/*.dll*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7503" 
"*/github.com/*/raw/refs/heads/*.exe*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7504" "*/github.com/*/raw/refs/heads/*.hta*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7505" "*/github.com/*/raw/refs/heads/*.iso*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.iso.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7506" "*/github.com/*/raw/refs/heads/*.jar*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.jar.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7507" "*/github.com/*/raw/refs/heads/*.lnk*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.lnk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7508" 
"*/github.com/*/raw/refs/heads/*.msi*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7509" "*/github.com/*/raw/refs/heads/*.pif*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.pif.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7510" "*/github.com/*/raw/refs/heads/*.ps1*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7511" "*/github.com/*/raw/refs/heads/*.py*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.py.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7512" "*/github.com/*/raw/refs/heads/*.reg*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.reg.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7513" 
"*/github.com/*/raw/refs/heads/*.scr*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.scr.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7514" "*/github.com/*/raw/refs/heads/*.sh*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.sh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7515" "*/github.com/*/raw/refs/heads/*.vbs*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7516" "*/github.com/*/raw/refs/heads/*.vbs*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7517" "*/github.com/*/raw/refs/heads/*.zip*",".{0,1000}\/github\.com\/.{0,1000}\/raw\/refs\/heads\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","7518" 
"*/go-gost/core/*",".{0,1000}\/go\-gost\/core\/.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","7563" "*/go-http-tunnel.git.git*",".{0,1000}\/go\-http\-tunnel\.git\.git.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","1","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","7564" "*/go-http-tunnel/cmd/*",".{0,1000}\/go\-http\-tunnel\/cmd\/.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","1","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","7565" "*/go-localtunnel.git*",".{0,1000}\/go\-localtunnel\.git.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","7570" "*/GoodSync-vsub-Setup.exe*",".{0,1000}\/GoodSync\-vsub\-Setup\.exe.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","7579" "*/gost.tar.gz*",".{0,1000}\/gost\.tar\.gz.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","7597" "*/gost/raw/master/install.sh*",".{0,1000}\/gost\/raw\/master\/install\.sh.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","7598" "*/gost/releases/download/*.tar.gz*",".{0,1000}\/gost\/releases\/download\/.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","7599" "*/gotunnelme.git*",".{0,1000}\/gotunnelme\.git.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","7603" "*/gt server -c ./config.yml*",".{0,1000}\/gt\sserver\s\-c\s\.\/config\.yml.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#linux","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","7671" "*/gt-win-x86_64.exe*",".{0,1000}\/gt\-win\-x86_64\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","7682" "*/home/*/.anydesk/*",".{0,1000}\/home\/.{0,1000}\/\.anydesk\/.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","7790" "*/home/boringproxy*",".{0,1000}\/home\/boringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#linux","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","7792" "*/home/sshuttle*",".{0,1000}\/home\/sshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","7798" "*/home/user/rustdesk*",".{0,1000}\/home\/user\/rustdesk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","#linux","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","7801" "*/host-7.2.2.0.msi*",".{0,1000}\/host\-7\.2\.2\.0\.msi.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","7810" "*/http-put-server.py*",".{0,1000}\/http\-put\-server\.py.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","#linux","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","7914" "*/hypertunnel.git*",".{0,1000}\/hypertunnel\.git.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","7992"
"*/hypertunnel-tcp-relay*.tar.gz*",".{0,1000}\/hypertunnel\-tcp\-relay.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","7993" "*/hypertunnel-tcp-relay*.zip*",".{0,1000}\/hypertunnel\-tcp\-relay.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","7994" "*/install-fleetctl.sh*",".{0,1000}\/install\-fleetctl\.sh.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","8101" "*/interactsh/*",".{0,1000}\/interactsh\/.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","8106" "*/interactsh-client*",".{0,1000}\/interactsh\-client.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions.
It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","8107" "*/interactsh-collaborator*",".{0,1000}\/interactsh\-collaborator.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","8108" "*/interactsh-server*",".{0,1000}\/interactsh\-server.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions.
It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","8109" "*/Invoke-Maldaptive.git*",".{0,1000}\/Invoke\-Maldaptive\.git.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","1","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","8153" "*/IObitUnlocker.exe*",".{0,1000}\/IObitUnlocker\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","1","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","8172" "*/ipscan.exe*",".{0,1000}\/ipscan\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","1","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","8199" "*/ipscan.git*",".{0,1000}\/ipscan\.git.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","1","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","8200"
"*/ipscan_*_amd64.deb*",".{0,1000}\/ipscan_.{0,1000}_amd64\.deb.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#linux","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","8201" "*/ipscan2-binary/*.exe*",".{0,1000}\/ipscan2\-binary\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","8202" "*/ipscan-any-*.jar*",".{0,1000}\/ipscan\-any\-.{0,1000}\.jar.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#linux","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","8203" "*/jprq.git*",".{0,1000}\/jprq\.git.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8251" "*/jprq.log*",".{0,1000}\/jprq\.log.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8252" "*/jprq.service*",".{0,1000}\/jprq\.service.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8253" "*/jprq/server/*.go*",".{0,1000}\/jprq\/server\/.{0,1000}\.go.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8254" "*/jprq-darwin-arm64*",".{0,1000}\/jprq\-darwin\-arm64.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8255" "*/jprq-linux-386*",".{0,1000}\/jprq\-linux\-386.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8256" "*/jprq-linux-arm64*",".{0,1000}\/jprq\-linux\-arm64.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8257" "*/jprq-windows-386.exe*",".{0,1000}\/jprq\-windows\-386\.exe.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8258" "*/jprq-windows-amd64.exe*",".{0,1000}\/jprq\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","8259" "*/keygen.exe*",".{0,1000}\/keygen\.exe.{0,1000}","greyware_tool_keyword","_","generic suspicious keyword keygen.exe observed in multiple cracked software often packed with malwares","T1204 - T1027 - T1059 - T1055 - T1060 - T1195","TA0005 - TA0002 - TA0011","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8341" "*/killProcessPOC.git*",".{0,1000}\/killProcessPOC\.git.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","8368" "*/lansearch.exe*",".{0,1000}\/lansearch\.exe.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","8435" "*/LansweeperSetup_*.exe*",".{0,1000}\/LansweeperSetup_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - 
gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","8436" "*/latest/download/tunwg*",".{0,1000}\/latest\/download\/tunwg.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","8453" "*/ld.so /bin/sh -p*",".{0,1000}\/ld\.so\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","8463" "*/level-windows-amd64.exe*",".{0,1000}\/level\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8492" "*/level-windows-arm64.exe*",".{0,1000}\/level\-windows\-arm64\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8493" "*/libexec/softether/vpnserver/vpnserver*",".{0,1000}\/libexec\/softether\/vpnserver\/vpnserver.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN #linux","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","8502" "*/Library/Logs/SPLog.txt*",".{0,1000}\/Library\/Logs\/SPLog\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","8507" "*/linux_x64_admin*",".{0,1000}\/linux_x64_admin.{0,1000}","greyware_tool_keyword","stowaway","Stowaway -- Multi-hop Proxy Tool for pentesters","T1021 - T1090 - T1071 - T1573","TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/ph4ntonn/Stowaway","1","0","#linux","N/A","10","10","2989","422","2025-04-05T14:48:38Z","2019-11-15T03:25:50Z","8542" "*/linux_x64_agent*",".{0,1000}\/linux_x64_agent.{0,1000}","greyware_tool_keyword","stowaway","Stowaway -- Multi-hop Proxy Tool for pentesters","T1021 - T1090 - T1071 - T1573","TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/ph4ntonn/Stowaway","1","0","#linux","N/A","10","10","2989","422","2025-04-05T14:48:38Z","2019-11-15T03:25:50Z","8543" "*/linux_x86_admin*",".{0,1000}\/linux_x86_admin.{0,1000}","greyware_tool_keyword","stowaway","Stowaway -- Multi-hop Proxy Tool for pentesters","T1021 - T1090 - T1071 - T1573","TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/ph4ntonn/Stowaway","1","0","#linux","N/A","10","10","2989","422","2025-04-05T14:48:38Z","2019-11-15T03:25:50Z","8544" "*/linux_x86_agent*",".{0,1000}\/linux_x86_agent.{0,1000}","greyware_tool_keyword","stowaway","Stowaway -- Multi-hop Proxy Tool for pentesters","T1021 - T1090 - T1071 - T1573","TA0005 - TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/ph4ntonn/Stowaway","1","0","#linux","N/A","10","10","2989","422","2025-04-05T14:48:38Z","2019-11-15T03:25:50Z","8545" "*/LMI_Rescue.exe*",".{0,1000}\/LMI_Rescue\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8558" "*/LMIRTechConsole.exe*",".{0,1000}\/LMIRTechConsole\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8559" "*/localtunnel.git*",".{0,1000}\/localtunnel\.git.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","1","N/A","N/A","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","8596" "*/localtunnel.git*",".{0,1000}\/localtunnel\.git.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","1","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","8597" 
"*/localtunnel.js*",".{0,1000}\/localtunnel\.js.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","1","N/A","N/A","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","8598" "*/localtunnel-linux-*.tar*",".{0,1000}\/localtunnel\-linux\-.{0,1000}\.tar.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#linux","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","8599" "*/localtunnel-server.git*",".{0,1000}\/localtunnel\-server\.git.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","1","N/A","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","8600" "*/loclx.exe*",".{0,1000}\/loclx\.exe.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","8606" "*/loclx-windows-amd64.zip*",".{0,1000}\/loclx\-windows\-amd64\.zip.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","8607" "*/log/anydesk.trace*",".{0,1000}\/log\/anydesk\.trace.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","8608" "*/lsa-whisperer-*.zip*",".{0,1000}\/lsa\-whisperer\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","lsa-whisperer","Tools for interacting with authentication packages using their individual message protocols","T1556.002 - T1003.001","TA0006 - TA0005","N/A","N/A","Credential Access","https://github.com/EvanMcBroom/lsa-whisperer","1","1","N/A","N/A","6","4","316","29","2025-04-01T13:54:17Z","2022-08-04T14:35:45Z","8658" "*/lsa-whisperer.git*",".{0,1000}\/lsa\-whisperer\.git.{0,1000}","greyware_tool_keyword","lsa-whisperer","Tools for interacting with authentication packages using their individual message protocols","T1556.002 - T1003.001","TA0006 - TA0005","N/A","N/A","Credential Access","https://github.com/EvanMcBroom/lsa-whisperer","1","1","N/A","N/A","6","4","316","29","2025-04-01T13:54:17Z","2022-08-04T14:35:45Z","8659" "*/LTProxy.git*",".{0,1000}\/LTProxy\.git.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","1","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","8660" "*/MEGAclient.exe*",".{0,1000}\/MEGAclient\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable
Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8734" "*/MEGAcmd.exe*",".{0,1000}\/MEGAcmd\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8735" "*/MEGAcmd.sh*",".{0,1000}\/MEGAcmd\.sh.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8736" "*/MEGAcmdServer.exe*",".{0,1000}\/MEGAcmdServer\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8737" "*/MEGAcmdSetup.exe*",".{0,1000}\/MEGAcmdSetup\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8738" "*/MEGAcmdSetup32.exe*",".{0,1000}\/MEGAcmdSetup32\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8739" "*/MEGAcmdSetup64.exe*",".{0,1000}\/MEGAcmdSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8740" "*/MEGAcmdSetup64.exe*",".{0,1000}\/MEGAcmdSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA 
(hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8741" "*/MEGAcmdShell.exe*",".{0,1000}\/MEGAcmdShell\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8742" "*/MEGAcmdUpdater.app*",".{0,1000}\/MEGAcmdUpdater\.app.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#macos","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","8743" "*/megasync.exe*",".{0,1000}\/megasync\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8744" 
"*/MEGAsyncSetup32.exe*",".{0,1000}\/MEGAsyncSetup32\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8745" "*/MEGAsyncSetup64.exe*",".{0,1000}\/MEGAsyncSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","8746" "*/megatools.exe*",".{0,1000}\/megatools\.exe.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. 
Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","8747" "*/MeshAgent --*",".{0,1000}\/MeshAgent\s\-\-.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","8774" "*/MeshAgent.git*",".{0,1000}\/MeshAgent\.git.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","1","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","8775" "*/MeshCentral.git*",".{0,1000}\/MeshCentral\.git.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","8776" "*/meshcentral.service*",".{0,1000}\/meshcentral\.service.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","8777" "*/meshinstall.sh*",".{0,1000}\/meshinstall\.sh.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full 
computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","8778" "*/meshinstall-bsd-rcd.sh*",".{0,1000}\/meshinstall\-bsd\-rcd\.sh.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","8779" "*/Microsoft Azure Storage Explorer.app*",".{0,1000}\/Microsoft\sAzure\sStorage\sExplorer\.app.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","8812" "*/Microsoft Azure Storage Explorer.zip*",".{0,1000}\/Microsoft\sAzure\sStorage\sExplorer\.zip.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","8813" "*/MITMPluginLogViewer*",".{0,1000}\/MITMPluginLogViewer.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & 
Spoofing","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","8865" "*/MITMServerHijacking*",".{0,1000}\/MITMServerHijacking.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","8867" "*/mzcv.exe*",".{0,1000}\/mzcv\.exe.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","8993" "*/mzcv-x64.zip*",".{0,1000}\/mzcv\-x64\.zip.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","8994" "*/NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True*",".{0,1000}\/NAMESPACE\:\\\\root\\Microsoft\\Windows\\Defender\sPATH\sMSFT_MpPreference\scall\sAdd\sExclusionExtension\=exe\sForce\=True.{0,1000}","greyware_tool_keyword","wmic","Windows Defender Tampering Via Wmic","T1489","TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense 
Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9007" "*/nats-rmm.conf*",".{0,1000}\/nats\-rmm\.conf.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","9019" "*/nc64 -i *",".{0,1000}\/nc64\s\-i\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","9027" "*/nc64 -lvp *",".{0,1000}\/nc64\s\-lvp\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","9028" "*/nc64 -zv *",".{0,1000}\/nc64\s\-zv\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","9029" "*/neoreg.py*",".{0,1000}\/neoreg\.py.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data 
Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","9047" "*/Neo-reGeorg.git*",".{0,1000}\/Neo\-reGeorg\.git.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","9048" "*/NeoreGeorg.java*",".{0,1000}\/NeoreGeorg\.java.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","9049" "*/Neo-reGeorg/tarball*",".{0,1000}\/Neo\-reGeorg\/tarball.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","9050" "*/Neo-reGeorg/zipball*",".{0,1000}\/Neo\-reGeorg\/zipball.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","9051" "*/netcat-win32-*.zip*",".{0,1000}\/netcat\-win32\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","netcat","ncat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - 
Black Basta","C2","https://nmap.org/ncat/","1","0","#linux","greyware tool - risk of false positives","10","10","N/A","N/A","N/A","N/A","9086" "*/netscan.exe*",".{0,1000}\/netscan\.exe.{0,1000}","greyware_tool_keyword","netscan","SoftPerfect Network Scanner abused by threat actors","T1040 - T1046 - T1018","TA0007 - TA0010 - TA0001","N/A","BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - AvosLocker - FiveHands - Yanluowang - MONTI - DarkSide - Everest - Cicada3301 - MedusaLocker - DragonForce - Phobos - Lynx","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","network exploitation tool","6","10","N/A","N/A","N/A","N/A","9108" "*/netscan.exe*",".{0,1000}\/netscan\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","9109" "*/netscan_linux.tar.gz*",".{0,1000}\/netscan_linux\.tar\.gz.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - 
Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","#linux","N/A","8","10","N/A","N/A","N/A","N/A","9110" "*/netscan_macos.dmg*",".{0,1000}\/netscan_macos\.dmg.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","#macos","N/A","8","10","N/A","N/A","N/A","N/A","9111" "*/netscan_setup.exe*",".{0,1000}\/netscan_setup\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","9112" "*/netscan64.exe*",".{0,1000}\/netscan64\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - 
BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","9113" "*/netshrun.c*",".{0,1000}\/netshrun\.c.{0,1000}","greyware_tool_keyword","NetshRun","Netsh.exe relies on extensions taken from the Registry which means it may be used as a persistence mechanism - going one step further you can extend netsh with a DLL allowing you to do whatever you want","T1546.008 - T1112 - T1037 - T1055 - T1218.001","TA0003 - TA0002 - TA0008","N/A","N/A","Exploitation tool","https://github.com/gtworek/PSBits/blob/master/NetShRun","1","1","N/A","N/A","N/A","10","3337","542","2025-03-12T19:59:23Z","2019-06-29T13:22:36Z","9117" "*/ngrok.exe*",".{0,1000}\/ngrok\.exe.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","9136" "*/ngrok.git*",".{0,1000}\/ngrok\.git.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","9137" "*/ngrok.go*",".{0,1000}\/ngrok\.go.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 
usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","9138" "*/ngrok.log*",".{0,1000}\/ngrok\.log.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","#linux","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","9139" "*/ngrokd.go*",".{0,1000}\/ngrokd\.go.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","9140" "*/ngrokroot.crt*",".{0,1000}\/ngrokroot\.crt.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","#linux","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","9143" 
"*/NimScan.exe*",".{0,1000}\/NimScan\.exe.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","1","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","9175" "*/NimScan.git*",".{0,1000}\/NimScan\.git.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","1","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","9176" "*/NimScan.nim*",".{0,1000}\/NimScan\.nim.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","1","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","9177" "*/nircmd.exe*",".{0,1000}\/nircmd\.exe.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9184" "*/nircmd.zip*",".{0,1000}\/nircmd\.zip.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9185" "*/nircmdc.exe*",".{0,1000}\/nircmdc\.exe.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - 
T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9186" "*/nircmd-x64.zip*",".{0,1000}\/nircmd\-x64\.zip.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9187" "*/Nmap/folder/check15*",".{0,1000}\/Nmap\/folder\/check15.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9198" "*/Nmap/folder/check16*",".{0,1000}\/Nmap\/folder\/check16.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9199" 
"*/Nmap/folder/check17*",".{0,1000}\/Nmap\/folder\/check17.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9200" "*/nmaplowercheck15*",".{0,1000}\/nmaplowercheck15.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://nmap.org/book/nse-usage.html","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","N/A","N/A","N/A","N/A","9204" "*/nmaplowercheck16*",".{0,1000}\/nmaplowercheck16.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9205" 
"*/nmaplowercheck17*",".{0,1000}\/nmaplowercheck17.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9206" "*/nmap-nse-scripts*",".{0,1000}\/nmap\-nse\-scripts.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","#linux","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","9207" "*/nmap-scada*",".{0,1000}\/nmap\-scada.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","9208" "*/NmapUpperCheck15*",".{0,1000}\/NmapUpperCheck15.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - 
TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9209" "*/NmapUpperCheck16*",".{0,1000}\/NmapUpperCheck16.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9210" "*/NmapUpperCheck17*",".{0,1000}\/NmapUpperCheck17.{0,1000}","greyware_tool_keyword","nmap","Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap/blob/635675b1430a89e950f71112d3bfc74feee4b19a/nselib/http.lua#L2600","1","1","N/A","will appear on your server access logs if you are scanned by nmap","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","9211" "*/nmap-vulners*",".{0,1000}\/nmap\-vulners.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin 
- Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","9212" "*/nse_install/*",".{0,1000}\/nse_install\/.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","#linux","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","9259" "*/nse-install.git*",".{0,1000}\/nse\-install\.git.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","9260" "*/nspowershell.exe*",".{0,1000}\/nspowershell\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9264" "*/nssadmui.exe*",".{0,1000}\/nssadmui\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and 
surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9265" "*/OfflineSamTool.exe*",".{0,1000}\/OfflineSamTool\.exe.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9370" "*/openvpn.exe*",".{0,1000}\/openvpn\.exe.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","1","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","9396" "*/opt/config/aonetwork-client.yml*",".{0,1000}\/opt\/config\/aonetwork\-client\.yml.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#linux","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","9404" "*/opt/dataplicity/*",".{0,1000}\/opt\/dataplicity\/.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#linux","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","9406" "*/opt/duckdns/*",".{0,1000}\/opt\/duckdns\/.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for 
contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","#linux","N/A","5","10","N/A","N/A","N/A","N/A","9408" "*/opt/entrypoint.sh*",".{0,1000}\/opt\/entrypoint\.sh.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#linux","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","9409" "*/opt/remoteit/remoteit*",".{0,1000}\/opt\/remoteit\/remoteit.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#linux","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","9428" "*/opt/rsocks/*",".{0,1000}\/opt\/rsocks\/.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#linux","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","9429" "*/opt/telebit*",".{0,1000}\/opt\/telebit.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","9433" "*/oset.exe*",".{0,1000}\/oset\.exe.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9447" 
"*/oset.zip*",".{0,1000}\/oset\.zip.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9448" "*/oshi_run.pl*",".{0,1000}\/oshi_run\.pl.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#linux #filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","9449" "*/OshiUpload.git*",".{0,1000}\/OshiUpload\.git.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","9450" "*/PAExec.cpp*",".{0,1000}\/PAExec\.cpp.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","1","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","9480" "*/paexec.exe",".{0,1000}\/paexec\.exe","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","1","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","9481" 
"*/PAExec.git*",".{0,1000}\/PAExec\.git.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","1","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","9482" "*/paexec_eula.txt*",".{0,1000}\/paexec_eula\.txt.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","9483" "*/pagekite-*.log*",".{0,1000}\/pagekite\-.{0,1000}\.log.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#linux","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9484" "*/pagekite.log*",".{0,1000}\/pagekite\.log.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#linux","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9485" "*/pagekite.py*",".{0,1000}\/pagekite\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9486" 
"*/pagekite-0.3.21.py*",".{0,1000}\/pagekite\-0\.3\.21\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9487" "*/pagekite-0.4.6a.py*",".{0,1000}\/pagekite\-0\.4\.6a\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9488" "*/pagekite-0.5.6d.py*",".{0,1000}\/pagekite\-0\.5\.6d\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9489" "*/pagekite-0.5.8a.py*",".{0,1000}\/pagekite\-0\.5\.8a\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9490" "*/pagekite-gtk.py*",".{0,1000}\/pagekite\-gtk\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9491" 
"*/pagekite-tmp.py*",".{0,1000}\/pagekite\-tmp\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#linux","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","9492" "*/PAYMENTS.exe*",".{0,1000}\/PAYMENTS\.exe.{0,1000}","greyware_tool_keyword","_","suspicious file name - has been used by threat actors","T1566","TA0001","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9567" "*/PCHunter.exe*",".{0,1000}\/PCHunter\.exe.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","9569" "*/PCHunter_free.zip*",".{0,1000}\/PCHunter_free\.zip.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","9570" "*/pcictlui.exe*",".{0,1000}\/pcictlui\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9571" "*/PCIDEPLY.exe*",".{0,1000}\/PCIDEPLY\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9572" "*/PCMonitorManager.exe*",".{0,1000}\/PCMonitorManager\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9573" "*/PCMonitorSrv.exe*",".{0,1000}\/PCMonitorSrv\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and 
infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9574" "*/pcmontask.exe*",".{0,1000}\/pcmontask\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9575" "*/pcmrdp-client.dll*",".{0,1000}\/pcmrdp\-client\.dll.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9576" "*/pcunlocker.iso*",".{0,1000}\/pcunlocker\.iso.{0,1000}","greyware_tool_keyword","pcunlocker","Reset and unlock forgotten Windows login password","T1078","TA0005 - TA0006 - TA0009","N/A","N/A","Credential Access","https://www.pcunlocker.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9577" "*/pcunlocker_trial.zip*",".{0,1000}\/pcunlocker_trial\.zip.{0,1000}","greyware_tool_keyword","pcunlocker","Reset and unlock forgotten Windows login password","T1078","TA0005 - TA0006 - TA0009","N/A","N/A","Credential Access","https://www.pcunlocker.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9578" "*/perf stat /bin/sh -p*",".{0,1000}\/perf\sstat\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - 
T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","9602" "*/perl -e 'exec \""/bin/sh\""*",".{0,1000}\/perl\s\-e\s\'exec\s\\\""\/bin\/sh\\\"".{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","9607" "*/pgrok.exe*",".{0,1000}\/pgrok\.exe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/jerson/pgrok","1","1","N/A","N/A","10","10","283","55","2022-05-30T14:53:46Z","2019-07-31T13:23:51Z","9651" "*/pgrok.git*",".{0,1000}\/pgrok\.git.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","1","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","9652" "*/pgrok.yml*",".{0,1000}\/pgrok\.yml.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#linux","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","9653" "*/pgrokd.exe*",".{0,1000}\/pgrokd\.exe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/jerson/pgrok","1","1","N/A","N/A","10","10","283","55","2022-05-30T14:53:46Z","2019-07-31T13:23:51Z","9654" "*/pgrokd.yml",".{0,1000}\/pgrokd\.yml","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#linux","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","9655" "*/pgrokd_*.zip*",".{0,1000}\/pgrokd_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","1","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","9656" "*/pingcastle.git*",".{0,1000}\/pingcastle\.git.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","9695" "*/PingCastle.zip*",".{0,1000}\/PingCastle\.zip.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","9696" "*/pingcastle/releases/download/*",".{0,1000}\/pingcastle\/releases\/download\/.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - 
Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","9697" "*/PortQry.exe*",".{0,1000}\/PortQry\.exe.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","9748" "*/PortQryV2.exe*",".{0,1000}\/PortQryV2\.exe.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","9749" "*/portr.exe*",".{0,1000}\/portr\.exe.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9750" "*/portr.git*",".{0,1000}\/portr\.git.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9751" "*/portr/releases*",".{0,1000}\/portr\/releases.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9752" "*/portr_*_Darwin_arm64.zip*",".{0,1000}\/portr_.{0,1000}_Darwin_arm64\.zip.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","#linux","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9753" "*/portr_*_Darwin_x86_64.zip*",".{0,1000}\/portr_.{0,1000}_Darwin_x86_64\.zip.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","#linux","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9754" "*/portr_*_Linux_arm64.zip*",".{0,1000}\/portr_.{0,1000}_Linux_arm64\.zip.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","#linux","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9755" "*/portr_*_Linux_x86_64.zip*",".{0,1000}\/portr_.{0,1000}_Linux_x86_64\.zip.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","#linux","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9756" "*/portr_*_Windows_arm64.zip*",".{0,1000}\/portr_.{0,1000}_Windows_arm64\.zip.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution 
that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9757" "*/portr_*_Windows_x86_64.zip*",".{0,1000}\/portr_.{0,1000}_Windows_x86_64\.zip.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9758" "*/portr_admin/*.py*",".{0,1000}\/portr_admin\/.{0,1000}\.py.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","9759" "*/privoxy.exe*",".{0,1000}\/privoxy\.exe.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","9904" "*/Procdump.zip*",".{0,1000}\/Procdump\.zip.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","9907" 
"*/processhacker-*-bin.zip*",".{0,1000}\/processhacker\-.{0,1000}\-bin\.zip.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","9910" "*/processhacker/files/latest/download*",".{0,1000}\/processhacker\/files\/latest\/download.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","9911" "*/ProduKey.exe*",".{0,1000}\/ProduKey\.exe.{0,1000}","greyware_tool_keyword","produkey","ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office (Microsoft Office 2003. Microsoft Office 2007). Windows (Including Windows 8/7/Vista). Exchange Server. and SQL Server installed on your computer. You can view this information for your current running operating system. or for another operating system/computer - by using command-line options. This utility can be useful if you lost the product key of your Windows/Office. 
and you want to reinstall it on your computer.","T1003.001 - T1003.002 - T1012 - T1057 - T1518","TA0006 - TA0007 - TA0009","N/A","Evilnum","Credential Access","https://www.nirsoft.net/utils/product_cd_key_viewer.html","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","9915" "*/Proxifier.app/Contents/MacOS/Proxifier*",".{0,1000}\/Proxifier\.app\/Contents\/MacOS\/Proxifier.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","#macos","N/A","8","9","N/A","N/A","N/A","N/A","9928" "*/Proxifier.exe*",".{0,1000}\/Proxifier\.exe.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","9929" "*/Proxifier/Proxifier.app/*",".{0,1000}\/Proxifier\/Proxifier\.app\/.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","#macos","N/A","8","9","N/A","N/A","N/A","N/A","9930" "*/ProxifierPE.zip*",".{0,1000}\/ProxifierPE\.zip.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","9931" "*/ProxifierSetup.exe*",".{0,1000}\/ProxifierSetup\.exe.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","9932" 
"*/ps2exe.ps1*",".{0,1000}\/ps2exe\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","1","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","9952" "*/pslist.exe*",".{0,1000}\/pslist\.exe.{0,1000}","greyware_tool_keyword","pslist","Microsoft sysinternal comandline tool to list running process abused by threat actors","T1057 - T1012 - T1106","TA0007","N/A","APT10 - APT15 - APT33 - APT34 - Sandworm - APT35 - CHRYSENE - menuPass - GhostEmperor - Magnallium - Elfin","Discovery","https://learn.microsoft.com/pt-br/sysinternals/downloads/pslist","1","1","N/A","N/A","3","9","N/A","N/A","N/A","N/A","9972" "*/pslist64.exe*",".{0,1000}\/pslist64\.exe.{0,1000}","greyware_tool_keyword","pslist","Microsoft sysinternal comandline tool to list running process abused by threat actors","T1057 - T1012 - T1106","TA0007","N/A","APT10 - APT15 - APT33 - APT34 - Sandworm - APT35 - CHRYSENE - menuPass - GhostEmperor - Magnallium - Elfin","Discovery","https://learn.microsoft.com/pt-br/sysinternals/downloads/pslist","1","1","N/A","N/A","3","9","N/A","N/A","N/A","N/A","9973" "*/pulseway_x64.deb*",".{0,1000}\/pulseway_x64\.deb.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back 
Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10002" "*/Pulseway_x64.msi*",".{0,1000}\/Pulseway_x64\.msi.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10003" "*/pulseway_x86.deb*",".{0,1000}\/pulseway_x86\.deb.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10004" "*/pwn_tclsh.me*",".{0,1000}\/pwn_tclsh\.me.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","10046" "*/py2exe/*",".{0,1000}\/py2exe\/.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows othen used by attacker","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","10061" 
"*/pyinstaller/*",".{0,1000}\/pyinstaller\/.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","10069" "*/pyjam.as/tunnel*",".{0,1000}\/pyjam\.as\/tunnel.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10070" "*/PyPagekite.git*",".{0,1000}\/PyPagekite\.git.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","10083" "*/PyPagekite/tarball/*",".{0,1000}\/PyPagekite\/tarball\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","10084" "*/PyPagekite/zipball/*",".{0,1000}\/PyPagekite\/zipball\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","10085" 
"*/pyshark.git*",".{0,1000}\/pyshark\.git.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","1","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","10096" "*/QNAP_NAS/megacmdpkg*",".{0,1000}\/QNAP_NAS\/megacmdpkg.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","10116" "*/Quasar.git*",".{0,1000}\/Quasar\.git.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","10125" "*/Quasar.v*.zip*",".{0,1000}\/Quasar\.v.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","10126" "*/Quasar/releases*",".{0,1000}\/Quasar\/releases.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","10127" "*/Quick Assist Installer.exe*",".{0,1000}\/Quick\sAssist\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","1","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","10129" 
"*/Quick%20Assist%20Installer.exe*",".{0,1000}\/Quick\%20Assist\%20Installer\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","1","N/A","Quick Assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","10130" "*/Radmin.exe*",".{0,1000}\/Radmin\.exe.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10142" "*/Radmin_Server_*.msi*",".{0,1000}\/Radmin_Server_.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10143" "*/Radmin_Viewer_*.msi*",".{0,1000}\/Radmin_Viewer_.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10144" "*/Radmin_VPN_1.*.exe*",".{0,1000}\/Radmin_VPN_1\..{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10145" "*/rathole.exe",".{0,1000}\/rathole\.exe","greyware_tool_keyword","rathole"," expose the service on the device
behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10168" "*/rathole.git*",".{0,1000}\/rathole\.git.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10169" "*/rathole/src/*",".{0,1000}\/rathole\/src\/.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10170" "*/rathole-aarch64-*",".{0,1000}\/rathole\-aarch64\-.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10171" "*/rathole-arm*",".{0,1000}\/rathole\-arm.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10172" "*/rathole-main/*",".{0,1000}\/rathole\-main\/.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10173" "*/rathole-mipsel-*",".{0,1000}\/rathole\-mipsel\-.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10174" "*/rathole-x86_64*",".{0,1000}\/rathole\-x86_64.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","10175" "*/raw/main/speedtest.exe*",".{0,1000}\/raw\/main\/speedtest\.exe.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","10185" "*/raw/master/speedtest.exe*",".{0,1000}\/raw\/master\/speedtest\.exe.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","10188" 
"*/rclone.conf*",".{0,1000}\/rclone\.conf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","10198" "*/rclone.exe*",".{0,1000}\/rclone\.exe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","interactive mode","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","10199" "*/rclone.git*",".{0,1000}\/rclone\.git.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","10200" "*/rclone.rar*",".{0,1000}\/rclone\.rar.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","10201" "*/rclone.zip*",".{0,1000}\/rclone\.zip.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","10202" "*/rclone/releases/download/*",".{0,1000}\/rclone\/releases\/download\/.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","10203" "*/rdpscan --*",".{0,1000}\/rdpscan\s\-\-.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#linux","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","10222" "*/rdpscan.git*",".{0,1000}\/rdpscan\.git.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","1","N/A","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","10223" "*/rdpscan-macos.zip*",".{0,1000}\/rdpscan\-macos\.zip.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","1","N/A","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","10224" "*/rdpscan-windows.zip*",".{0,1000}\/rdpscan\-windows\.zip.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","1","N/A","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","10225" 
"*/RDPWInst.exe*",".{0,1000}\/RDPWInst\.exe.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","1","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","10235" "*/RDPWInst-v*.msi*",".{0,1000}\/RDPWInst\-v.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","1","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","10236" "*/rdpwrap.dll*",".{0,1000}\/rdpwrap\.dll.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","1","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","10237" "*/rdpwrap.git*",".{0,1000}\/rdpwrap\.git.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","1","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","10238" "*/RDPWrap-v*.zip*",".{0,1000}\/RDPWrap\-v.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","1","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","10239" "*/RealTimeSync.exe*",".{0,1000}\/RealTimeSync\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","10246"
"*/RedTeaming-Tactics-and-Techniques.git*",".{0,1000}\/RedTeaming\-Tactics\-and\-Techniques\.git.{0,1000}","greyware_tool_keyword","ired.team","Red Teaming Tactics and Techniques","T1593.003","TA0043","N/A","N/A","Reconnaissance","https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques","1","1","N/A","N/A","7","10","4234","1071","2024-08-22T07:17:31Z","2019-03-02T13:33:33Z","10302" "*/release/gt-win-x86_64.exe*",".{0,1000}\/release\/gt\-win\-x86_64\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","10336" "*/release/sshx-server*",".{0,1000}\/release\/sshx\-server.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","10337" "*/releases/download/Ahk2Exe*",".{0,1000}\/releases\/download\/Ahk2Exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","10339" "*/RemCom.exe*",".{0,1000}\/RemCom\.exe.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral 
Movement","https://github.com/kavika13/RemCom","1","1","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","10352" "*/RemCom.git*",".{0,1000}\/RemCom\.git.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","1","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","10353" "*/RemComSvc.exe*",".{0,1000}\/RemComSvc\.exe.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","1","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","10354" "*/Remote.It-Installer-*",".{0,1000}\/Remote\.It\-Installer\-.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","10356" "*/RemoteControlSetup.exe*",".{0,1000}\/RemoteControlSetup\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10369" "*/RemoteDesktop.exe*",".{0,1000}\/RemoteDesktop\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT 
management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10370" "*/remoteit.exe*",".{0,1000}\/remoteit\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","10373" "*/remoteit.x86-win.exe*",".{0,1000}\/remoteit\.x86\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","10374" "*/remoteit/connectd/releases*",".{0,1000}\/remoteit\/connectd\/releases.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","10375" "*/remoteit/desktop*",".{0,1000}\/remoteit\/desktop.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","10376" "*/remoteit-desktop.exe*",".{0,1000}\/remoteit\-desktop\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","10377"
"*/remotemoe.git*",".{0,1000}\/remotemoe\.git.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","10382" "*/remotepc.deb*",".{0,1000}\/remotepc\.deb.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10384" "*/remotepc.deb*",".{0,1000}\/remotepc\.deb.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10385" "*/RemotePC.exe*",".{0,1000}\/RemotePC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10386" "*/RemotePC.exe*",".{0,1000}\/RemotePC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10387" "*/RemotePC.lnk*",".{0,1000}\/RemotePC\.lnk.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10388" "*/RemotePC.tmp*",".{0,1000}\/RemotePC\.tmp.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10389" "*/remotepc-attended.deb*",".{0,1000}\/remotepc\-attended\.deb.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10390" "*/RemotePCAttended.dmg*",".{0,1000}\/RemotePCAttended\.dmg.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","10391" "*/remotepclauncher.exe*",".{0,1000}\/remotepclauncher\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10392" "*/RemotePCSuite.dmg*",".{0,1000}\/RemotePCSuite\.dmg.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","10393" "*/remotepcuiu.exe*",".{0,1000}\/remotepcuiu\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10394" 
"*/RemotePCViewer.msi*",".{0,1000}\/RemotePCViewer\.msi.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10395" "*/res/rdpwrap.ini*",".{0,1000}\/res\/rdpwrap\.ini.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","10405" "*/rest_client_zrok/*",".{0,1000}\/rest_client_zrok\/.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","10423" "*/restic-*.tar.gz*",".{0,1000}\/restic\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","10424" "*/restic.exe*",".{0,1000}\/restic\.exe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","10425" "*/restic/releases/download/*",".{0,1000}\/restic\/releases\/download\/.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","10426" "*/restic_*_windows_amd64.zip*",".{0,1000}\/restic_.{0,1000}_windows_amd64\.zip.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","10427" "*/restic-master/*",".{0,1000}\/restic\-master\/.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","10428" "*/reverse-tunnel.git*",".{0,1000}\/reverse\-tunnel\.git.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10451" "*/reverse-tunnel/agent/cmd*",".{0,1000}\/reverse\-tunnel\/agent\/cmd.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10452" "*/reverse-tunnel/server/service*",".{0,1000}\/reverse\-tunnel\/server\/service.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10453" "*/RevoUninProSetup.exe*",".{0,1000}\/RevoUninProSetup\.exe.{0,1000}","greyware_tool_keyword","RevoUninstaller","legitimate tool abused by the Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10457" "*/rfusclient.exe*",".{0,1000}\/rfusclient\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10472" "*/rmm/api/tacticalrmm/*",".{0,1000}\/rmm\/api\/tacticalrmm\/.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","10487"
"*/rmm-installer.ps1*",".{0,1000}\/rmm\-installer\.ps1.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","10488" "*/root/jprq-server*",".{0,1000}\/root\/jprq\-server.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","10504" "*/root/tunnel*",".{0,1000}\/root\/tunnel.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","10510" "*/RpcDND_Console.exe*",".{0,1000}\/RpcDND_Console\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10540" "*/rpcdownloader.exe*",".{0,1000}\/rpcdownloader\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10541" "*/RPCFireWallRule.exe*",".{0,1000}\/RPCFireWallRule\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10545" "*/rpcperfviewer.exe*",".{0,1000}\/rpcperfviewer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10549" "*/RPCProxyLatency.exe*",".{0,1000}\/RPCProxyLatency\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10550" "*/rserver3.exe*",".{0,1000}\/rserver3\.exe.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10554" "*/rsocks.git*",".{0,1000}\/rsocks\.git.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","1","N/A","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","10556" "*/rsocks.git*",".{0,1000}\/rsocks\.git.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#linux","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","10557" "*/rsocks.toml*",".{0,1000}\/rsocks\.toml.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - 
TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#linux","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","10558" "*/rsocks/releases/download/*",".{0,1000}\/rsocks\/releases\/download\/.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","1","N/A","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","10559" "*/rsocks_linux_amd64*",".{0,1000}\/rsocks_linux_amd64.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","1","#linux","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","10560" "*/rsocks_windows_386.exe*",".{0,1000}\/rsocks_windows_386\.exe.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","1","N/A","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","10561" "*/rtun-freebsd-amd64*",".{0,1000}\/rtun\-freebsd\-amd64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10580" "*/rtun-linux-amd64*",".{0,1000}\/rtun\-linux\-amd64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","#linux","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10581" "*/rtun-linux-arm64*",".{0,1000}\/rtun\-linux\-arm64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","#linux","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10582" "*/rtun-mac-amd64*",".{0,1000}\/rtun\-mac\-amd64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10583" "*/rtun-server-freebsd-amd64*",".{0,1000}\/rtun\-server\-freebsd\-amd64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10584" "*/rtun-server-linux-amd64*",".{0,1000}\/rtun\-server\-linux\-amd64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","#linux","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10585" "*/rtun-server-linux-arm64*",".{0,1000}\/rtun\-server\-linux\-arm64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","#linux","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10586" "*/rtun-server-mac-amd64*",".{0,1000}\/rtun\-server\-mac\-amd64.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10587" "*/rtun-server-windows-amd64.exe*",".{0,1000}\/rtun\-server\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10588" "*/rtun-windows-amd64.exe*",".{0,1000}\/rtun\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","10589" "*/RustDesk.exe*",".{0,1000}\/RustDesk\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","10639" "*/rustdesk.git*",".{0,1000}\/rustdesk\.git.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","10640" "*/rustdesk/rustdesk/releases/*",".{0,1000}\/rustdesk\/rustdesk\/releases\/.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","10641" "*/rutserv.exe*",".{0,1000}\/rutserv\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10649"
"*/rutview.exe*",".{0,1000}\/rutview\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","10650" "*/rvim -c ':py3 import os*os.execl(\""/bin/sh\*",".{0,1000}\/rvim\s\-c\s\'\:py3\simport\sos.{0,1000}os\.execl\(\\\""\/bin\/sh\\.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","10651" "*/s4n7h0/NSE*",".{0,1000}\/s4n7h0\/NSE.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","#linux","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","10658" "*/sbin/dropbear*",".{0,1000}\/sbin\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","10696" "*/sdelete.exe*",".{0,1000}\/sdelete\.exe.{0,1000}","greyware_tool_keyword","sdelete","SDelete is an application that securely deletes data in a way that makes it unrecoverable.- abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS 
SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","10747" "*/SDelete.zip*",".{0,1000}\/SDelete\.zip.{0,1000}","greyware_tool_keyword","sdelete","SDelete is an application that securely deletes data in a way that makes it unrecoverable.- abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","10748" "*/sdelete64.exe*",".{0,1000}\/sdelete64\.exe.{0,1000}","greyware_tool_keyword","sdelete","SDelete is an application that securely deletes data in a way that makes it unrecoverable.- abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","10749" "*/sdelete64a.exe*",".{0,1000}\/sdelete64a\.exe.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","10750" "*/send.exploit.in/*",".{0,1000}\/send\.exploit\.in\/.{0,1000}","greyware_tool_keyword","send.exploit.in","file-sharing platform used by ransomware groups","T1567","TA0010","N/A","Black Basta","Data Exfiltration","https://www.cisa.gov/sites/default/files/publications/aa22-321a_joint_csa_stopransomware_hive.pdf","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","10784" 
"*/SetACL.exe*",".{0,1000}\/SetACL\.exe.{0,1000}","greyware_tool_keyword","SetACL","Manage Windows permissions from the command line","T1069 - T1222","TA0002 - TA0004 - TA0005","N/A","N/A","Defense Evasion","https://helgeklein.com/download/","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","10810" "*/SetACL64..exe*",".{0,1000}\/SetACL64\.\.exe.{0,1000}","greyware_tool_keyword","SetACL","Manage Windows permissions from the command line","T1069 - T1222","TA0002 - TA0004 - TA0005","N/A","N/A","Defense Evasion","https://helgeklein.com/download/","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","10811" "*/set-proxy.ps1*",".{0,1000}\/set\-proxy\.ps1.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","10814" "*/sftp *@*:* ",".{0,1000}/sftp\s.{0,1000}\@.{0,1000}\:.{0,1000}","greyware_tool_keyword","sftp","Detects the use of tools that copy files from or to remote systems","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","Black Basta","Data Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","10819" "*/sftp *get*.wallet*",".{0,1000}sftp.*get.*(\.pem|\.key|\.wallet)\b.{0,1000}","greyware_tool_keyword","sftp","sftp transfers of sensitive files","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","N/A","Data Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","10820" "*/sftp *put*.tar.gz*",".{0,1000}sftp\s.*put.*(\.tar\.gz|\.zip|\.rar|\.7z)\b.{0,1000}","greyware_tool_keyword","sftp","sftp archive transfers","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","N/A","Data 
Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","10821" "*/Shadowsocks-*.zip*",".{0,1000}\/Shadowsocks\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","10839" "*/Shadowsocks.zip*",".{0,1000}\/Shadowsocks\.zip.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","10840" "*/shadowsocks_service.*",".{0,1000}\/shadowsocks_service\..{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10841" "*/shadowsocks-manager.sock*",".{0,1000}\/shadowsocks\-manager\.sock.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10842" "*/shadowsocks-rust.default*",".{0,1000}\/shadowsocks\-rust\.default.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10843" "*/shadowsocks-rust.git*",".{0,1000}\/shadowsocks\-rust\.git.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10844" "*/shadowsocks-rust.init*",".{0,1000}\/shadowsocks\-rust\.init.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10845" "*/shadowsocks-rust.service*",".{0,1000}\/shadowsocks\-rust\.service.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10846" "*/shadowsocks-service*",".{0,1000}\/shadowsocks\-service.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","10847" "*/shadowsocks-windows.git*",".{0,1000}\/shadowsocks\-windows\.git.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","10848" "*/simplehelper64.exe*",".{0,1000}\/simplehelper64\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","11275" "*/SirTunnel.git*",".{0,1000}\/SirTunnel\.git.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","11296" "*/sirtunnel.py*",".{0,1000}\/sirtunnel\.py.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","11297" "*/sish.git*",".{0,1000}\/sish\.git.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","1","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","11299" "*/sish.log*",".{0,1000}\/sish\.log.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","#linux","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","11300" 
"*/sish/cmd/*",".{0,1000}\/sish\/cmd\/.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","#linux","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","11301" "*/SoftEtherVPN-*.tar.xz*",".{0,1000}\/SoftEtherVPN\-.{0,1000}\.tar\.xz.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11494" "*/SoftEtherVPN.git*",".{0,1000}\/SoftEtherVPN\.git.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","abused https://asec.ahnlab.com/en/66843/","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11495" "*/SoftEtherVPN/releases/tag/*",".{0,1000}\/SoftEtherVPN\/releases\/tag\/.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11496" "*/softether-vpnclient-*.exe*",".{0,1000}\/softether\-vpnclient\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11497" "*/softether-vpnserver-*.deb*",".{0,1000}\/softether\-vpnserver\-.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11498" "*/softether-vpnserver.service*",".{0,1000}\/softether\-vpnserver\.service.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN #linux","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11499" "*/softether-vpnserver_*.exe*",".{0,1000}\/softether\-vpnserver_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","11500" "*/SolarWinds-Dameware-DRS-St.exe*",".{0,1000}\/SolarWinds\-Dameware\-DRS\-St\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","11502" 
"*/sources.list.d/tailscale.list*",".{0,1000}\/sources\.list\.d\/tailscale\.list.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11506" "*/spacerunner.exe*",".{0,1000}\/spacerunner\.exe.{0,1000}","greyware_tool_keyword","SpaceRunner","enables the compilation of a C# program that will execute arbitrary PowerShell code without launching PowerShell processes through the use of runspace.","T1059.001 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/Mr-B0b/SpaceRunner","1","0","N/A","N/A","7","2","195","38","2020-07-26T10:39:53Z","2020-07-26T09:31:09Z","11507" "*/SplashtopStreamer/SPLog.txt*",".{0,1000}\/SplashtopStreamer\/SPLog\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11528" "*/src/expose serve *",".{0,1000}\/src\/expose\sserve\s.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","0","#linux","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","11586" "*/sshpass /bin/sh -p*",".{0,1000}\/sshpass\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the 
privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","11611" "*/sshtunnel -*",".{0,1000}\/sshtunnel\s\-.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","#linux","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","11616" "*/sshtunnel.git*",".{0,1000}\/sshtunnel\.git.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","11617" "*/sshtunnel.py*",".{0,1000}\/sshtunnel\.py.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","11618" "*/sshtunnel/tarball/*",".{0,1000}\/sshtunnel\/tarball\/.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","11619" "*/sshtunnel/zipball/*",".{0,1000}\/sshtunnel\/zipball\/.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","11620" 
"*/sshuttle.git*",".{0,1000}\/sshuttle\.git.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","1","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","11621" "*/sshuttle.py*",".{0,1000}\/sshuttle\.py.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","1","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","11622" "*/sshuttle/tarball*",".{0,1000}\/sshuttle\/tarball.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","1","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","11623" "*/sshuttle/zipball*",".{0,1000}\/sshuttle\/zipball.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","1","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","11624" "*/sshx-server/*",".{0,1000}\/sshx\-server\/.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","11626" "*/stdbuf -i0 /bin/sh -p*",".{0,1000}\/stdbuf\s\-i0\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","11666" "*/stunnel-*.tar.gz*",".{0,1000}\/stunnel\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#linux","N/A","7","8","N/A","N/A","N/A","N/A","11691" "*/stunnel-latest.tar.gz*",".{0,1000}\/stunnel\-latest\.tar\.gz.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","11692" 
"*/stunnel-latest-android.zip*",".{0,1000}\/stunnel\-latest\-android\.zip.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","11693" "*/stunnel-latest-win64-installer.exe*",".{0,1000}\/stunnel\-latest\-win64\-installer\.exe.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","11694" "*/suo5.git*",".{0,1000}\/suo5\.git.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11718" "*/suo5/releases/*",".{0,1000}\/suo5\/releases\/.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11719" "*/suo5-darwin-amd64*",".{0,1000}\/suo5\-darwin\-amd64.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11720" "*/suo5-darwin-arm64*",".{0,1000}\/suo5\-darwin\-arm64.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 
- T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11721" "*/suo5-gui-darwin.app.zip*",".{0,1000}\/suo5\-gui\-darwin\.app\.zip.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11722" "*/suo5-gui-linux*",".{0,1000}\/suo5\-gui\-linux.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11723" "*/suo5-gui-windows.exe*",".{0,1000}\/suo5\-gui\-windows\.exe.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11724" "*/suo5-linux-amd64*",".{0,1000}\/suo5\-linux\-amd64.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11725" "*/suo5-linux-arm64*",".{0,1000}\/suo5\-linux\-arm64.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11726" "*/suo5-windows-amd64.exe*",".{0,1000}\/suo5\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - 
T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","11727" "*/Supremo.exe*",".{0,1000}\/Supremo\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","11736" "*/syncthing.exe*",".{0,1000}\/syncthing\.exe.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","11754" "*/syncthing/releases/latest*",".{0,1000}\/syncthing\/releases\/latest.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","11755" "*/syncthing-linux-*",".{0,1000}\/syncthing\-linux\-.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","#linux","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","11756" 
"*/system/chrome-remote-desktop@*",".{0,1000}\/system\/chrome\-remote\-desktop\@.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11765" "*/system/meshagent*",".{0,1000}\/system\/meshagent.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","11766" "*/system/MeshCommander*",".{0,1000}\/system\/MeshCommander.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","11767" "*/systemd/system/connectd.service*",".{0,1000}\/systemd\/system\/connectd\.service.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#linux","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","11769" "*/systemd/system/pulseway.service*",".{0,1000}\/systemd\/system\/pulseway\.service.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","11770" "*/tacticalagent.log*",".{0,1000}\/tacticalagent\.log.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","#linux","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11778" "*/tacticalagent-v*-*.exe*",".{0,1000}\/tacticalagent\-v.{0,1000}\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11779" "*/tacticalagent-v*-linux-arm.exe*",".{0,1000}\/tacticalagent\-v.{0,1000}\-linux\-arm\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","#linux","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11780" "*/tacticalagent-v*-windows-amd64.exe*",".{0,1000}\/tacticalagent\-v.{0,1000}\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11781" "*/tacticalrmm.exe*",".{0,1000}\/tacticalrmm\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote 
monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11782" "*/tacticalrmm.git*",".{0,1000}\/tacticalrmm\.git.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11783" "*/tacticalrmm/master/install.sh*",".{0,1000}\/tacticalrmm\/master\/install\.sh.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11784" "*/tacticalrmm/releases/latest*",".{0,1000}\/tacticalrmm\/releases\/latest.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11785" "*/tacticalrmm-web.git*",".{0,1000}\/tacticalrmm\-web\.git.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black 
Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","11786" "*/tailscale update*",".{0,1000}\/tailscale\supdate.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","#linux","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11788" "*/tailscale.exe*",".{0,1000}\/tailscale\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11789" "*/tailscale/cli/*",".{0,1000}\/tailscale\/cli\/.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","#linux","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11790" "*/tailscale/client/*",".{0,1000}\/tailscale\/client\/.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11791" 
"*/tailscale/clientupdate/*.go*",".{0,1000}\/tailscale\/clientupdate\/.{0,1000}\.go.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","#linux","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11792" "*/tailscale:unstable*",".{0,1000}\/tailscale\:unstable.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11793" "*/tailscale_*_*.deb*",".{0,1000}\/tailscale_.{0,1000}_.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11794" "*/tailscale_*_*.tgz*",".{0,1000}\/tailscale_.{0,1000}_.{0,1000}\.tgz.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11795" "*/tailscaled.defaults*",".{0,1000}\/tailscaled\.defaults.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to 
remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11796" "*/tailscaled.go*",".{0,1000}\/tailscaled\.go.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11797" "*/tailscaled.sock*",".{0,1000}\/tailscaled\.sock.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11798" "*/tailscale-setup-*-*.msi*",".{0,1000}\/tailscale\-setup\-.{0,1000}\-.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11799" "*/tailscale-setup-*.exe*",".{0,1000}\/tailscale\-setup\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11800" "*/TDSSKiller.exe*",".{0,1000}\/TDSSKiller\.exe.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","11828" "*/tdsskiller.zip*",".{0,1000}\/tdsskiller\.zip.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","11829" "*/telebit http *",".{0,1000}\/telebit\shttp\s.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11852" "*/telebit.js.git*",".{0,1000}\/telebit\.js\.git.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11853" "*/telebit.service*",".{0,1000}\/telebit\.service.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - 
TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11854" "*/telebit/var/log/*",".{0,1000}\/telebit\/var\/log\/.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11855" "*/telebit-remote.js*",".{0,1000}\/telebit\-remote\.js.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11856" "*/test_tailscale.sh*",".{0,1000}\/test_tailscale\.sh.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","11865" "*/tightvnc-*.msi*",".{0,1000}\/tightvnc\-.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","11919" "*/tkc_agent_dre.deb*",".{0,1000}\/tkc_agent_dre\.deb.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","11931" "*/tmate -k *",".{0,1000}\/tmate\s\-k\s.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","11935" "*/tmate-ssh-server.*",".{0,1000}\/tmate\-ssh\-server\..{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","1","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","11936" "*/tmate-ssh-server.git*",".{0,1000}\/tmate\-ssh\-server\.git.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","1","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","11937" "*/tmate-ssh-server/releases/*",".{0,1000}\/tmate\-ssh\-server\/releases\/.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","1","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","11938" "*/tmp/*/enroll.sh*",".{0,1000}\/tmp\/.{0,1000}\/enroll\.sh.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://one.comodo.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11941" "*/tmp/*/itsm.service*",".{0,1000}\/tmp\/.{0,1000}\/itsm\.service.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11942" "*/tmp/*/itsm-linux*",".{0,1000}\/tmp\/.{0,1000}\/itsm\-linux.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","11943" "*/tmp/.ltproxy_proxychains_*",".{0,1000}\/tmp\/\.ltproxy_proxychains_.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","11947" "*/tmp/boringproxy-client*",".{0,1000}\/tmp\/boringproxy\-client.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#linux","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","11959" "*/tmp/dropbear*",".{0,1000}\/tmp\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#linux","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","11965" "*/tmp/fleet_remove_log.txt*",".{0,1000}\/tmp\/fleet_remove_log\.txt.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#linux","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","11970" "*/tmp/FreeFileSync*",".{0,1000}\/tmp\/FreeFileSync.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","11971" "*/tmp/sshuttle*",".{0,1000}\/tmp\/sshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","11997" "*/tmp/stunnel*",".{0,1000}\/tmp\/stunnel.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#linux","N/A","7","8","N/A","N/A","N/A","N/A","11998" "*/tmp/tmate*",".{0,1000}\/tmp\/tmate.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","11999" "*/tunnel.nosocket.php*",".{0,1000}\/tunnel\.nosocket\.php.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","12129" "*/tunnel/server.go*",".{0,1000}\/tunnel\/server\.go.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. 
What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","#linux","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","12132" "*/tunnel/tunnel.py*",".{0,1000}\/tunnel\/tunnel\.py.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12133" "*/tunnel/tunnel.service*",".{0,1000}\/tunnel\/tunnel\.service.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12134" "*/tunneld.service*",".{0,1000}\/tunneld\.service.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","1","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","12135" "*/tunneller.git*",".{0,1000}\/tunneller\.git.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12136" "*/tunneller/releases/*",".{0,1000}\/tunneller\/releases\/.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12137" "*/tunneller-darwin-amd64*",".{0,1000}\/tunneller\-darwin\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12138" "*/tunneller-darwin-amd64*",".{0,1000}\/tunneller\-darwin\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12139" "*/tunneller-darwin-amd64*",".{0,1000}\/tunneller\-darwin\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12140" "*/tunneller-darwin-amd64*",".{0,1000}\/tunneller\-darwin\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12141" "*/tunneller-darwin-i386*",".{0,1000}\/tunneller\-darwin\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose 
services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12142" "*/tunneller-darwin-i386*",".{0,1000}\/tunneller\-darwin\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12143" "*/tunneller-darwin-i386*",".{0,1000}\/tunneller\-darwin\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12144" "*/tunneller-darwin-i386*",".{0,1000}\/tunneller\-darwin\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12145" "*/tunneller-freebsd-amd64*",".{0,1000}\/tunneller\-freebsd\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12146" 
"*/tunneller-freebsd-amd64*",".{0,1000}\/tunneller\-freebsd\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12147" "*/tunneller-freebsd-amd64*",".{0,1000}\/tunneller\-freebsd\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12148" "*/tunneller-freebsd-amd64*",".{0,1000}\/tunneller\-freebsd\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12149" "*/tunneller-freebsd-i386*",".{0,1000}\/tunneller\-freebsd\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12150" "*/tunneller-freebsd-i386*",".{0,1000}\/tunneller\-freebsd\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12151" "*/tunneller-freebsd-i386*",".{0,1000}\/tunneller\-freebsd\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12152" "*/tunneller-freebsd-i386*",".{0,1000}\/tunneller\-freebsd\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12153" "*/tunneller-linux-amd64*",".{0,1000}\/tunneller\-linux\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12154" "*/tunneller-linux-amd64*",".{0,1000}\/tunneller\-linux\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12155" "*/tunneller-linux-amd64*",".{0,1000}\/tunneller\-linux\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services 
which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12156" "*/tunneller-linux-amd64*",".{0,1000}\/tunneller\-linux\-amd64.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12157" "*/tunneller-linux-i386*",".{0,1000}\/tunneller\-linux\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12158" "*/tunneller-linux-i386*",".{0,1000}\/tunneller\-linux\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12159" "*/tunneller-linux-i386*",".{0,1000}\/tunneller\-linux\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12160" 
"*/tunneller-linux-i386*",".{0,1000}\/tunneller\-linux\-i386.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","#linux","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","12161" "*/tunnel-main.tar.gz*",".{0,1000}\/tunnel\-main\.tar\.gz.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12162" "*/tunnelmole.js*",".{0,1000}\/tunnelmole\.js.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","12163" "*/tunnelmole-client.git*",".{0,1000}\/tunnelmole\-client\.git.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","12164" "*/tunnelmole-service*",".{0,1000}\/tunnelmole\-service.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","12165" "*/tunnelmole-service.git*",".{0,1000}\/tunnelmole\-service\.git.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","12166" "*/tunnelto.git*",".{0,1000}\/tunnelto\.git.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","12168" "*/tunnelto/releases/latest*",".{0,1000}\/tunnelto\/releases\/latest.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","12169" "*/tunnelto_server*",".{0,1000}\/tunnelto_server.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","12170" "*/tunnelto_server/*",".{0,1000}\/tunnelto_server\/.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","12171" "*/tunnelto_server:*",".{0,1000}\/tunnelto_server\:.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#linux","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","12172" "*/tunwg.exe*",".{0,1000}\/tunwg\.exe.{0,1000}","greyware_tool_keyword","tunwg","End to 
end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","12175" "*/tunwg.git*",".{0,1000}\/tunwg\.git.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","12176" "*/tunwg@latest*",".{0,1000}\/tunwg\@latest.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","12177" "*/tunwg-arm64.exe*",".{0,1000}\/tunwg\-arm64\.exe.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","12178" "*/unlocker-setup.exe*",".{0,1000}\/unlocker\-setup\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","1","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","12231" "*/unshare -r /bin/sh*",".{0,1000}\/unshare\s\-r\s\/bin\/sh.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - 
TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","12236" "*/upd/mcmd/MEGAcmd.app*",".{0,1000}\/upd\/mcmd\/MEGAcmd\.app.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#macos","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12242" "*/updog-*.tar.gz*",".{0,1000}\/updog\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","1","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","12243" "*/updog.git*",".{0,1000}\/updog\.git.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","1","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","12244" "*/updog/archive/updog-*",".{0,1000}\/updog\/archive\/updog\-.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. 
It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","1","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","12245" "*/usr/bin/anydesk*",".{0,1000}\/usr\/bin\/anydesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","12262" "*/usr/bin/connectd*",".{0,1000}\/usr\/bin\/connectd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#linux","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","12266" "*/usr/bin/ehorus_agent*",".{0,1000}\/usr\/bin\/ehorus_agent.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12267" "*/usr/bin/gt client-c *",".{0,1000}\/usr\/bin\/gt\sclient\-c\s.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#linux","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","12272" "*/usr/bin/logger logger ""connectd installer postinst*",".{0,1000}\/usr\/bin\/logger\slogger\s\""connectd\sinstaller\spostinst.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#linux","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","12274" "*/usr/bin/mega-attr*",".{0,1000}\/usr\/bin\/mega\-attr.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12275" "*/usr/bin/mega-backup*",".{0,1000}\/usr\/bin\/mega\-backup.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12276" "*/usr/bin/mega-cancel*",".{0,1000}\/usr\/bin\/mega\-cancel.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12277" "*/usr/bin/mega-cat*",".{0,1000}\/usr\/bin\/mega\-cat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12278" "*/usr/bin/mega-cd*",".{0,1000}\/usr\/bin\/mega\-cd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12279" "*/usr/bin/mega-cmd*",".{0,1000}\/usr\/bin\/mega\-cmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to 
access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12280" "*/usr/bin/mega-cmd*",".{0,1000}\/usr\/bin\/mega\-cmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12281" "*/usr/bin/mega-cmd-server*",".{0,1000}\/usr\/bin\/mega\-cmd\-server.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12282" "*/usr/bin/mega-confirm*",".{0,1000}\/usr\/bin\/mega\-confirm.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12283" "*/usr/bin/mega-confirmcancel*",".{0,1000}\/usr\/bin\/mega\-confirmcancel.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12284" "*/usr/bin/mega-cp*",".{0,1000}\/usr\/bin\/mega\-cp.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12285" "*/usr/bin/mega-debug*",".{0,1000}\/usr\/bin\/mega\-debug.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12286" "*/usr/bin/mega-deleteversions*",".{0,1000}\/usr\/bin\/mega\-deleteversions.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line 
Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12287" "*/usr/bin/mega-df*",".{0,1000}\/usr\/bin\/mega\-df.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12288" "*/usr/bin/mega-du*",".{0,1000}\/usr\/bin\/mega\-du.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12289" "*/usr/bin/mega-errorcode*",".{0,1000}\/usr\/bin\/mega\-errorcode.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER 
BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12290" "*/usr/bin/mega-exclude*",".{0,1000}\/usr\/bin\/mega\-exclude.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12291" "*/usr/bin/mega-exec*",".{0,1000}\/usr\/bin\/mega\-exec.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12292" "*/usr/bin/mega-export*",".{0,1000}\/usr\/bin\/mega\-export.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12293" "*/usr/bin/mega-find*",".{0,1000}\/usr\/bin\/mega\-find.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and 
Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12294" "*/usr/bin/mega-ftp*",".{0,1000}\/usr\/bin\/mega\-ftp.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12295" "*/usr/bin/mega-get*",".{0,1000}\/usr\/bin\/mega\-get.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12296" "*/usr/bin/mega-graphics*",".{0,1000}\/usr\/bin\/mega\-graphics.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12297" "*/usr/bin/mega-help*",".{0,1000}\/usr\/bin\/mega\-help.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12298" "*/usr/bin/mega-https*",".{0,1000}\/usr\/bin\/mega\-https.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12299" "*/usr/bin/mega-import*",".{0,1000}\/usr\/bin\/mega\-import.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12300" "*/usr/bin/mega-invite*",".{0,1000}\/usr\/bin\/mega\-invite.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable 
Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12301" "*/usr/bin/mega-ipc*",".{0,1000}\/usr\/bin\/mega\-ipc.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12302" "*/usr/bin/mega-killsession*",".{0,1000}\/usr\/bin\/mega\-killsession.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12303" "*/usr/bin/mega-lcd*",".{0,1000}\/usr\/bin\/mega\-lcd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12304" "*/usr/bin/mega-log*",".{0,1000}\/usr\/bin\/mega\-log.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12305" "*/usr/bin/mega-login*",".{0,1000}\/usr\/bin\/mega\-login.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12306" "*/usr/bin/mega-logout*",".{0,1000}\/usr\/bin\/mega\-logout.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12307" "*/usr/bin/mega-lpwd*",".{0,1000}\/usr\/bin\/mega\-lpwd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable 
Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12308" "*/usr/bin/mega-ls*",".{0,1000}\/usr\/bin\/mega\-ls.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12309" "*/usr/bin/mega-mediainfo*",".{0,1000}\/usr\/bin\/mega\-mediainfo.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12310" "*/usr/bin/mega-mkdir*",".{0,1000}\/usr\/bin\/mega\-mkdir.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12311" "*/usr/bin/mega-mount*",".{0,1000}\/usr\/bin\/mega\-mount.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12312" "*/usr/bin/mega-mv*",".{0,1000}\/usr\/bin\/mega\-mv.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12313" "*/usr/bin/mega-passwd*",".{0,1000}\/usr\/bin\/mega\-passwd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12314" "*/usr/bin/mega-permissions*",".{0,1000}\/usr\/bin\/mega\-permissions.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and 
Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12315" "*/usr/bin/mega-preview*",".{0,1000}\/usr\/bin\/mega\-preview.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12316" "*/usr/bin/mega-proxy*",".{0,1000}\/usr\/bin\/mega\-proxy.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12317" "*/usr/bin/mega-put*",".{0,1000}\/usr\/bin\/mega\-put.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12318" "*/usr/bin/mega-pwd*",".{0,1000}\/usr\/bin\/mega\-pwd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12319" "*/usr/bin/mega-quit*",".{0,1000}\/usr\/bin\/mega\-quit.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12320" "*/usr/bin/mega-reload*",".{0,1000}\/usr\/bin\/mega\-reload.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12321" "*/usr/bin/mega-rm*",".{0,1000}\/usr\/bin\/mega\-rm.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application 
to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12322" "*/usr/bin/mega-session*",".{0,1000}\/usr\/bin\/mega\-session.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12323" "*/usr/bin/mega-share*",".{0,1000}\/usr\/bin\/mega\-share.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12324" "*/usr/bin/mega-showpcr*",".{0,1000}\/usr\/bin\/mega\-showpcr.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12325" "*/usr/bin/mega-signup*",".{0,1000}\/usr\/bin\/mega\-signup.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12326" "*/usr/bin/mega-speedlimit*",".{0,1000}\/usr\/bin\/mega\-speedlimit.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12327" "*/usr/bin/mega-sync*",".{0,1000}\/usr\/bin\/mega\-sync.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12328" "*/usr/bin/mega-thumbnail*",".{0,1000}\/usr\/bin\/mega\-thumbnail.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive 
and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12329" "*/usr/bin/mega-transfers*",".{0,1000}\/usr\/bin\/mega\-transfers.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12330" "*/usr/bin/mega-tree*",".{0,1000}\/usr\/bin\/mega\-tree.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12331" "*/usr/bin/mega-userattr*",".{0,1000}\/usr\/bin\/mega\-userattr.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER 
BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12332" "*/usr/bin/mega-users*",".{0,1000}\/usr\/bin\/mega\-users.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12333" "*/usr/bin/mega-version*",".{0,1000}\/usr\/bin\/mega\-version.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12334" "*/usr/bin/mega-webdav*",".{0,1000}\/usr\/bin\/mega\-webdav.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12335" "*/usr/bin/mega-whoami*",".{0,1000}\/usr\/bin\/mega\-whoami.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line 
Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12336" "*/usr/bin/r-agent*",".{0,1000}\/usr\/bin\/r\-agent.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#linux","linux","10","10","N/A","N/A","N/A","N/A","12340" "*/usr/bin/rclone*",".{0,1000}\/usr\/bin\/rclone.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#linux","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","12341" "*/usr/bin/r-viewer*",".{0,1000}\/usr\/bin\/r\-viewer.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#linux","linux","10","10","N/A","N/A","N/A","N/A","12342"
"*/usr/lib64/anydesk*",".{0,1000}\/usr\/lib64\/anydesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","12345" "*/usr/libexec/anydesk*",".{0,1000}\/usr\/libexec\/anydesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#linux","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","12346" "*/usr/local/bin/cloudflared tunnel*",".{0,1000}\/usr\/local\/bin\/cloudflared\stunnel.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","12347" "*/usr/local/bin/jprq*",".{0,1000}\/usr\/local\/bin\/jprq.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc.
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","12350" "*/usr/local/bin/level*",".{0,1000}\/usr\/local\/bin\/level.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12351" "*/usr/local/etc/shadowsocks6.json*",".{0,1000}\/usr\/local\/etc\/shadowsocks6\.json.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","12358" "*/usr/ports/security/softether5*",".{0,1000}\/usr\/ports\/security\/softether5.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN #linux","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","12360" "*/usr/sbin/pulseway*",".{0,1000}\/usr\/sbin\/pulseway.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12361" "*/usr/sbin/pulsewayd*",".{0,1000}\/usr\/sbin\/pulsewayd.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote
monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12362" "*/usr/sbin/userdel -r ehorus*",".{0,1000}\/usr\/sbin\/userdel\s\-r\sehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12364" "*/usr/share/applications/r-agent.desktop*",".{0,1000}\/usr\/share\/applications\/r\-agent\.desktop.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#linux","linux","10","10","N/A","N/A","N/A","N/A","12365" "*/usr/share/applications/r-viewer.desktop*",".{0,1000}\/usr\/share\/applications\/r\-viewer\.desktop.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#linux","linux","10","10","N/A","N/A","N/A","N/A","12366" "*/usr/share/connectd/scripts/*",".{0,1000}\/usr\/share\/connectd\/scripts\/.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 -
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#linux","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","12369" "*/usr/share/doc/megacmd/*",".{0,1000}\/usr\/share\/doc\/megacmd\/.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","12371" "*/usr/share/doc/rclone/*",".{0,1000}\/usr\/share\/doc\/rclone\/.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#linux","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","12372" "*/usr/share/ehorus*",".{0,1000}\/usr\/share\/ehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside.
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12373" "*/uvs_v415eng.zip*",".{0,1000}\/uvs_v415eng\.zip.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","12390" "*/var/lib/level/level.db*",".{0,1000}\/var\/lib\/level\/level\.db.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12397" "*/var/lib/level/level.log*",".{0,1000}\/var\/lib\/level\/level\.log.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","12398" "*/var/lib/zrok-*",".{0,1000}\/var\/lib\/zrok\-.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12401" "*/var/log/ehorus_agent.log*",".{0,1000}\/var\/log\/ehorus_agent\.log.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#logfile #linux","N/A","10","10","N/A","N/A","N/A","N/A","12403" "*/var/log/jprq/*",".{0,1000}\/var\/log\/jprq\/.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","12406" "*/var/log/pagekite/*",".{0,1000}\/var\/log\/pagekite\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#linux","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","12407" "*/var/log/remoteit*",".{0,1000}\/var\/log\/remoteit.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#linux","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","12408" "*/var/log/shadowsocks*",".{0,1000}\/var\/log\/shadowsocks.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#linux","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","12409" "*/var/opt/pgrokd*",".{0,1000}\/var\/opt\/pgrokd.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#linux","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","12411" "*/var/run/pagekite.pid*",".{0,1000}\/var\/run\/pagekite\.pid.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#linux","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","12412" "*/vbs2exe.exe*",".{0,1000}\/vbs2exe\.exe.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","1","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","12424" "*/view -c ':py3 import os*os.execl(\""/bin/sh\*",".{0,1000}\/view\s\-c\s\'\:py3\simport\sos.{0,1000}os\.execl\(\\\""\/bin\/sh\\.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","12445" "*/viewerhostkeypopup.exe*",".{0,1000}\/viewerhostkeypopup\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12446" "*/VncSharp.exe*",".{0,1000}\/VncSharp\.exe.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral 
Movement","https://github.com/humphd/VncSharp","1","1","N/A","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","12471" "*/VncSharp.git*",".{0,1000}\/VncSharp\.git.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral Movement","https://github.com/humphd/VncSharp","1","1","N/A","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","12472" "*/VPDAgent.exe*",".{0,1000}\/VPDAgent\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12482" "*/VSAX_x64.msi*",".{0,1000}\/VSAX_x64\.msi.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12483" "*/vsxrc-clip.exe*",".{0,1000}\/vsxrc\-clip\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12486" "*/watch -x sh -c 'reset* exec sh 1>&0 
2>&0*",".{0,1000}\/watch\s\-x\ssh\s\-c\s\'reset.{0,1000}\sexec\ssh\s1\>\&0\s2\>\&0.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","12499" "*/webhook.site.git*",".{0,1000}\/webhook\.site\.git.{0,1000}","greyware_tool_keyword","webhook.site","test HTTP webhooks with this handy tool that displays requests instantly - abused by attacker for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/webhooksite/webhook.site","1","1","N/A","N/A","10","10","5806","457","2025-04-04T10:42:59Z","2016-03-21T08:45:42Z","12535" "*/webvulnscan1*.exe*",".{0,1000}\/webvulnscan1.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","12554" "*/webvulnscan2*.exe*",".{0,1000}\/webvulnscan2.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","12555" "*/webvulnscan3*.exe*",".{0,1000}\/webvulnscan3.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability 
Scanner","https://www.acunetix.com/vulnerability-scanner/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","12556" "*/Win7Taskbar.dll*",".{0,1000}\/Win7Taskbar\.dll.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12585" "*/Wireguard.zip*",".{0,1000}\/Wireguard\.zip.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12654" "*/wireguard-amd64-*.msi*",".{0,1000}\/wireguard\-amd64\-.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12655" "*/wireguard-installer.exe*",".{0,1000}\/wireguard\-installer\.exe.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12656" "*/wireguard-installer.rar*",".{0,1000}\/wireguard\-installer\.rar.{0,1000}","greyware_tool_keyword","wiretap","Wiretap 
is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12657" "*/wireproxy.conf*",".{0,1000}\/wireproxy\.conf.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12659" "*/wireproxy.git*",".{0,1000}\/wireproxy\.git.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12660" "*/wireproxy.service*",".{0,1000}\/wireproxy\.service.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12661" "*/wireproxy/releases/*",".{0,1000}\/wireproxy\/releases\/.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12662" "*/wireproxy_darwin*",".{0,1000}\/wireproxy_darwin.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12663" "*/wireproxy_linux_*",".{0,1000}\/wireproxy_linux_.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12664" "*/wireproxy_windows*",".{0,1000}\/wireproxy_windows.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12665" "*/wireproxy-ci-test*",".{0,1000}\/wireproxy\-ci\-test.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12666" "*/wireproxy-master*",".{0,1000}\/wireproxy\-master.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12667" "*/wireproxy-udp*",".{0,1000}\/wireproxy\-udp.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","12668" "*/wiretap add 
client*",".{0,1000}\/wiretap\sadd\sclient.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12670" "*/wiretap.conf*",".{0,1000}\/wiretap\.conf.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12671" "*/wiretap.Dockerfile*",".{0,1000}\/wiretap\.Dockerfile.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12672" "*/wiretap.exe*",".{0,1000}\/wiretap\.exe.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12673" "*/wiretap.git*",".{0,1000}\/wiretap\.git.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12674" 
"*/wiretap.log*",".{0,1000}\/wiretap\.log.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12675" "*/wiretap/releases/download/*",".{0,1000}\/wiretap\/releases\/download\/.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12676" "*/wiretap_*_linux_386.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_linux_386\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12677" "*/wiretap_*_linux_amd64.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_linux_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12678" "*/wiretap_*_linux_arm64.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_linux_arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12679" "*/wiretap_*_linux_armv6.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_linux_armv6\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12680" "*/wiretap_*_windows_386.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_windows_386\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12681" "*/wiretap_*_windows_amd64.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_windows_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12682" "*/wiretap_*_windows_arm64.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_windows_arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12683" 
"*/wiretap_*_windows_armv6.tar.gz*",".{0,1000}\/wiretap_.{0,1000}_windows_armv6\.tar\.gz.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12684" "*/wiretap_relay.conf*",".{0,1000}\/wiretap_relay\.conf.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12685" "*/wiretap_relay_1.conf*",".{0,1000}\/wiretap_relay_1\.conf.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12686" "*/wiretap_server.conf*",".{0,1000}\/wiretap_server\.conf.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12687" "*/wiretap_server_1.conf*",".{0,1000}\/wiretap_server_1\.conf.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#linux","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","12688" "*/work/anyproxy/bin/anyproxy-ca --generate*",".{0,1000}\/work\/anyproxy\/bin\/anyproxy\-ca\s\-\-generate.{0,1000}","greyware_tool_keyword","CursedChrome","Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies allowing you to browse sites as your victims","T1176 - T1219 - T1090","TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/mandatoryprogrammer/CursedChrome","1","0","#linux","anyproxy","10","10","1533","226","2024-10-26T19:06:54Z","2020-04-26T20:55:05Z","12724" "*/x86_64-pc-windows-msvc/release/gt.exe*",".{0,1000}\/x86_64\-pc\-windows\-msvc\/release\/gt\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","12757" "*/x86_64-pc-windows-msvc/release/gt.exe*",".{0,1000}\/x86_64\-pc\-windows\-msvc\/release\/gt\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","12758" "*/xmrig-*-gcc-win64.zip*",".{0,1000}\/xmrig\-.{0,1000}\-gcc\-win64\.zip.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","12772" "*/xmrig.exe*",".{0,1000}\/xmrig\.exe.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by 
attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","12773" "*/xmrig.git*",".{0,1000}\/xmrig\.git.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","12774" "*/yak_darwin_amd64.zip*",".{0,1000}\/yak_darwin_amd64\.zip.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","#linux","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","12796" "*/yak_linux_amd64.zip*",".{0,1000}\/yak_linux_amd64\.zip.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","#linux","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","12797" "*/yak_windows_amd64.zip*",".{0,1000}\/yak_windows_amd64\.zip.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","12798" "*/ZA_Connect.exe*",".{0,1000}\/ZA_Connect\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12802" "*/ZAAudioClient.exe*",".{0,1000}\/ZAAudioClient\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12803" "*/ZAFileTransfer.exe*",".{0,1000}\/ZAFileTransfer\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12804" "*/ZAService.exe*",".{0,1000}\/ZAService\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12805" "*/zrok.exe*",".{0,1000}\/zrok\.exe.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12819" "*/zrok.git*",".{0,1000}\/zrok\.git.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12820" "*/zrok.zip*",".{0,1000}\/zrok\.zip.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12821" "*/zrok-amd64_darwin_amd64*",".{0,1000}\/zrok\-amd64_darwin_amd64.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12822" "*/zrok-arm64_darwin_arm64*",".{0,1000}\/zrok\-arm64_darwin_arm64.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12823" "*/zrok-controller.log*",".{0,1000}\/zrok\-controller\.log.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12824" "*/zrok-docker/*",".{0,1000}\/zrok\-docker\/.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12825" "*/zrok-frontend.log*",".{0,1000}\/zrok\-frontend\.log.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12826" "*/zrok-share.env*",".{0,1000}\/zrok\-share\.env.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#linux","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","12827" "*: > /var/log/messages*",".{0,1000}\:\s\>\s\/var\/log\/messages.{0,1000}","greyware_tool_keyword","bash","Indicator Removal on Host - clearing logs with no ops","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","12832" "*: > /var/spool/mail/*",".{0,1000}\:\s\>\s\/var\/spool\/mail\/.{0,1000}","greyware_tool_keyword","bash","Indicator Removal on Host - clearing logs with no ops","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","12833" "*:(){:I: &I*",".{0,1000}\:\(\)\{\:I\:\s\&I.{0,1000}","greyware_tool_keyword","linux","fork bomb linux - denial-of-service attack wherein a process continually replicates itself to deplete available system resources slowing down or crashing the system due to resource starvation","T1499","TA0040","N/A","N/A","Exploitation tool","https://github.com/RoseSecurity/Red-Teaming-TTPs","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","12835" "*::CreateInstance([type]::GetTypeFromCLSID(""13709620-C279-11CE-A49E-444553540000*",".{0,1000}\:\:CreateInstance\(\[type\]\:\:GetTypeFromCLSID\(\""13709620\-C279\-11CE\-A49E\-444553540000.{0,1000}","greyware_tool_keyword","powershell","lolbin execution with COM object","T1121 - T1559.001 - T1203","TA0002 - TA0005","N/A","N/A","Defense 
Evasion","https://github.com/xyddnljydd/ComClsIDInterefaceEnum","1","0","#lolbin","https://pentestlab.blog/2024/01/15/lateral-movement-visual-studio-dte/","10","1","1","1","2023-09-18T09:08:41Z","2023-09-18T08:39:54Z","12842" "*::CreateInstance([type]::GetTypeFromCLSID(""33ABD590-0400-4FEF-AF98-5F5A8A99CFC3*",".{0,1000}\:\:CreateInstance\(\[type\]\:\:GetTypeFromCLSID\(\""33ABD590\-0400\-4FEF\-AF98\-5F5A8A99CFC3.{0,1000}","greyware_tool_keyword","powershell","lolbin execution with COM object","T1121 - T1559.001 - T1203","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/xyddnljydd/ComClsIDInterefaceEnum","1","0","#lolbin","https://pentestlab.blog/2024/01/15/lateral-movement-visual-studio-dte/","10","1","1","1","2023-09-18T09:08:41Z","2023-09-18T08:39:54Z","12843" "*::CreateInstance([type]::GetTypeFromCLSID(""F935DC22-1CF0-11D0-ADB9-00C04FD58A0B""*",".{0,1000}\:\:CreateInstance\(\[type\]\:\:GetTypeFromCLSID\(\""F935DC22\-1CF0\-11D0\-ADB9\-00C04FD58A0B\"".{0,1000}","greyware_tool_keyword","powershell","lolbin execution with COM object","T1121 - T1559.001 - T1203","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/xyddnljydd/ComClsIDInterefaceEnum","1","0","#lolbin","https://pentestlab.blog/2024/01/15/lateral-movement-visual-studio-dte/","10","1","1","1","2023-09-18T09:08:41Z","2023-09-18T08:39:54Z","12844" "*:\programdata\cloud.exe*",".{0,1000}\:\\programdata\\cloud\.exe.{0,1000}","greyware_tool_keyword","Compress-Archive","Compress data using zlib for exfiltration","T1560 - T1020 - T1041","TA0010","N/A","N/A","Data Exfiltration","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","https://x.com/malmoeb/status/1736995855482118314","10","10","N/A","N/A","N/A","N/A","12847" "*:8040/SetupWizard.aspx*",".{0,1000}\:8040\/SetupWizard\.aspx.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - 
T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12861" "*:8070/tomcat/code/suo5.jsp*",".{0,1000}\:8070\/tomcat\/code\/suo5\.jsp.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","12863" "*:9001/proxy/mdmserver1/account*",".{0,1000}\:9001\/proxy\/mdmserver1\/account.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","12866" "*?? MITM ????*",".{0,1000}\?\?\sMITM\s\?\?\?\?.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","12870" "*@a.pinggy.io*",".{0,1000}\@a\.pinggy\.io.{0,1000}","greyware_tool_keyword","pinggy","Create HTTP/TCP or TLS tunnels to your Mac/PC. 
Even if it is sitting behind firewalls and NATs.","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://pinggy.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","12875" "*@email.webhook.site*",".{0,1000}\@email\.webhook\.site.{0,1000}","greyware_tool_keyword","webhook.site","test HTTP webhooks with this handy tool that displays requests instantly - abused by attacker for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/webhooksite/webhook.site","1","1","N/A","N/A","10","10","5806","457","2025-04-04T10:42:59Z","2016-03-21T08:45:42Z","12877" "*@tunnelto.dev*",".{0,1000}\@tunnelto\.dev.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","12886" "*[ talha.tariq@gmail.com ]*",".{0,1000}\[\stalha\.tariq\@gmail\.com\s\].{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","12890" "*[!] 
AS-REP Roastable user:*",".{0,1000}\[!\]\sAS\-REP\sRoastable\suser\:.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","#content","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","12892" "*[-] Kerberoast*",".{0,1000}\[\-\]\sKerberoast.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","#content","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","13020" "*[+] NTDS.dit, SYSTEM & SAM saved to output folder*",".{0,1000}\[\+\]\sNTDS\.dit,\sSYSTEM\s\&\sSAM\ssaved\sto\soutput\sfolder.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","#content","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","13238" "*[+] Use secretsdump.py*",".{0,1000}\[\+\]\sUse\ssecretsdump\.py.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","#content","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","13384" "*[ADSI]* | Select-Object -Property *lockoutDuration*",".{0,1000}\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}lockoutDuration.{0,1000}","greyware_tool_keyword","ldap queries","enumeration of Domain Password Policies","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - 
TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13429" "*[ADSI]* | Select-Object -Property *lockoutThreshold*",".{0,1000}\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}lockoutThreshold.{0,1000}","greyware_tool_keyword","ldap queries","enumeration of Domain Password Policies","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13430" "*[ADSI]* | Select-Object -Property *minPwdLength*",".{0,1000}\[ADSI\].{0,1000}\s\|\sSelect\-Object\s\-Property\s.{0,1000}minPwdLength.{0,1000}","greyware_tool_keyword","ldap queries","enumeration of Domain Password Policies","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13431" "*[ADSI]*LDAP://CN=Domain Admins*| ForEach-Object {[adsi]""LDAP://$_""}; *.distinguishedname*",".{0,1000}\[ADSI\].{0,1000}LDAP\:\/\/CN\=Domain\sAdmins.{0,1000}\|\sForEach\-Object\s\{\[adsi\]\""LDAP\:\/\/\$_\""\}\;\s.{0,1000}\.distinguishedname.{0,1000}","greyware_tool_keyword","ldap queries","enumeration of Domain Admins group members","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13432" "*[ADSI]*LDAP://dc=* | Select -Property pwdProperties*",".{0,1000}\[ADSI\].{0,1000}LDAP\:\/\/dc\=.{0,1000}\s\|\sSelect\s\-Property\spwdProperties.{0,1000}","greyware_tool_keyword","ldap queries","get LDAP properties for password settings directly","T1087 
- T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13433" "*[adsisearcher]""(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))""; $users = $searchUsers.FindAll(); $userProps = $users.Properties; $userProps | Where-Object {$_.description}*",".{0,1000}\[adsisearcher\]\""\(\&\(objectCategory\=person\)\(objectClass\=user\)\(!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)\""\;\s\$users\s\=\s\$searchUsers\.FindAll\(\)\;\s\$userProps\s\=\s\$users\.Properties\;\s\$userProps\s\|\sWhere\-Object\s\{\$_\.description\}.{0,1000}","greyware_tool_keyword","ldap queries","find user descriptions in Active Directory:","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13434" "*[adsisearcher]""(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))""*",".{0,1000}\[adsisearcher\]\""\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\"".{0,1000}","greyware_tool_keyword","ldap queries","find all disabled user accounts","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13435" 
"*[adsisearcher]""(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2560)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))""*",".{0,1000}\[adsisearcher\]\""\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2560\)\(!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\)\"".{0,1000}","greyware_tool_keyword","ldap queries","get a count of all inter domain trust accounts","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13436" "*[adsisearcher]""(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))*",".{0,1000}\[adsisearcher\]\""\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32\)\(!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\)\).{0,1000}","greyware_tool_keyword","ldap queries","Detection of all accounts with 'Password Not Required'","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13437" "*[adsisearcher]'(&(objectCategory=computer)(primaryGroupID=516))').FindAll()*",".{0,1000}\[adsisearcher\]\'\(\&\(objectCategory\=computer\)\(primaryGroupID\=516\)\)\'\)\.FindAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate all Domain Controllers","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - 
TA0009","N/A","N/A","Discovery","https://web.archive.org/web/20240109000256/https://cyberdom.blog/2024/01/07/defender-for-identity-hunting-for-ldap/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","13438" "*[adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))').FindAll()*",".{0,1000}\[adsisearcher\]\'\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32\)\)\'\)\.FindAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Enumerate all accounts that do not require a password","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://jsecurity101.medium.com/uncovering-adversarial-ldap-tradecraft-658b2deca384","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","13439" "*[adsisearcher]*(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=66048)(!(userAccountControl:1.2.840.113556.1.4.803:=2))*",".{0,1000}\[adsisearcher\].{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=66048\)\(!\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=2\)\).{0,1000}","greyware_tool_keyword","ldap queries","ADSI query to retrieve all active user accounts with non-expiring passwords","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13440" "*[Ask NeoGeorg] NeoGeorg *",".{0,1000}\[Ask\sNeoGeorg\]\sNeoGeorg\s.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data 
Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","13441" "*[Get-ADRRevertToSelf] Token impersonation successfully reverted*",".{0,1000}\[Get\-ADRRevertToSelf\]\sToken\simpersonation\ssuccessfully\sreverted.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","13463" "*[Get-ADR-UserImpersonation] Alternate credentials successfully impersonated*",".{0,1000}\[Get\-ADR\-UserImpersonation\]\sAlternate\scredentials\ssuccessfully\simpersonated.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","13464" "*[info] TCP upload server started (tcp.pl)*",".{0,1000}\[info\]\sTCP\supload\sserver\sstarted\s\(tcp\.pl\).{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","13480" 
"*[IO.Path]::Combine($env:TEMP,""x.exe"")*",".{0,1000}\[IO\.Path\]\:\:Combine\(\$env\:TEMP,\""x\.exe\""\).{0,1000}","greyware_tool_keyword","powershell","suspicious behavior powershell script","T1059.001 - T1105 - T1204.002","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","13485" "*[megaapi_impl.cpp:*",".{0,1000}\[megaapi_impl\.cpp\:.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13488" "*[megaclient.cpp:*",".{0,1000}\[megaclient\.cpp\:.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13489" "*[PageKite] Remote connection closed!*",".{0,1000}\[PageKite\]\sRemote\sconnection\sclosed!.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","13494" "*[PowerTool] name=%s, size=%d, %d*",".{0,1000}\[PowerTool\]\sname\=\%s,\ssize\=\%d,\s\%d.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - 
Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","13498" "*[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers*",".{0,1000}\[System\.DirectoryServices\.ActiveDirectory\.Domain\]\:\:GetCurrentDomain\(\)\.DomainControllers.{0,1000}","greyware_tool_keyword","ldap queries","Discover all Domain Controller in the domain using ADSI","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://adsecurity.org/?p=299","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","13509" "*[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs*",".{0,1000}\[System\.DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\.GlobalCatalogs.{0,1000}","greyware_tool_keyword","ldap queries","Discover all Global Catalogs in the forest using ADSI","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://adsecurity.org/?p=299","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","13510" "*[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PDCRoleOwner.Name*",".{0,1000}\[System\.DirectoryServices\.ActiveDirectory\.Forest\]\:\:GetCurrentForest\(\)\.RootDomain\.PDCRoleOwner\.Name.{0,1000}","greyware_tool_keyword","ldap queries","query for the primary domain controller within the forest","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","13511" 
"*[System.Environment]::GetEnvironmentVariable('username')*",".{0,1000}\[System\.Environment\]\:\:GetEnvironmentVariable\(\'username\'\).{0,1000}","greyware_tool_keyword","powershell","alternative to whoami","T1033 ","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","13512" "*\*-*-*_rut-*.zip.3bf*","[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}_rut-[0-9]\.[0-9]\.[0-9]\.[0-9]\.zip\.3bf","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13549" "*\*-internet-id-log.csv*",".{0,1000}\\.{0,1000}\-internet\-id\-log\.csv.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13555" "*\.boxcanvas\BoxDesktop*",".{0,1000}\\\.boxcanvas\\BoxDesktop.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","13559" "*\.btunnel.*",".{0,1000}\\\.btunnel\..{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","13560" 
"*\.config\rclone\*",".{0,1000}\\\.config\\rclone\\.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","13562" "*\.dwagent\*",".{0,1000}\\\.dwagent\\.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","13563" "*\.megatools.cache*",".{0,1000}\\\.megatools\.cache.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. 
Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","","N/A","","","","13565" "*\.rustdesk*",".{0,1000}\\\.rustdesk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","13567" "*\.tmole.sh\*",".{0,1000}\\\.tmole\.sh\\.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","13568" "*\.tunnelto\key.token*",".{0,1000}\\\.tunnelto\\key\.token.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","13569" "*\.vscode-cli\code_tunnel.json*",".{0,1000}\\\.vscode\-cli\\code_tunnel\.json.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. 
This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","1","0","N/A","code tunnel has been used","10","10","N/A","N/A","N/A","N/A","13570" "*\\.\\pipe\\megacmdpipe_*",".{0,1000}\\\\\.\\\\pipe\\\\megacmdpipe_.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#namedpipe","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","13580" "*\\.\pipe\orbit-osquery-extension*",".{0,1000}\\\\\.\\pipe\\orbit\-osquery\-extension.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#namedpipe","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","13595" "*\\.\pipe\Supremo*",".{0,1000}\\\\\.\\pipe\\Supremo.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#namedpipe","N/A","10","10","N/A","N/A","N/A","N/A","13603" "*\\.\pipe\tailscale-test*",".{0,1000}\\\\\.\\pipe\\tailscale\-test.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","0","#namedpipe","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","13604" "*\\\\.\\aswSP_ArPot0*",".{0,1000}\\\\\\\\\.\\\\aswSP_ArPot0.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","13616" "*\\\\.\\aswSP_ArPot1*",".{0,1000}\\\\\\\\\.\\\\aswSP_ArPot1.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","13617" "*\\\\.\\aswSP_ArPot2*",".{0,1000}\\\\\\\\\.\\\\aswSP_ArPot2.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","13618" "*\\\\.\\aswSP_ArPot3*",".{0,1000}\\\\\\\\\.\\\\aswSP_ArPot3.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense 
Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","13619" "*\\\\.\\aswSP_Avar*",".{0,1000}\\\\\\\\\.\\\\aswSP_Avar.{0,1000}","greyware_tool_keyword","Burntcigar KillAV","Scans for process names linked to known antivirus or EDR products - then adds their process IDs to a stack for later termination - often used by attackers","T1089 - T1489 - T1562","TA0005","KillAV","Cuba","Malware","https://www.virustotal.com/gui/file/aeb044d310801d546d10b247164c78afde638a90b6ef2f04e1f40170e54dec03?nocache=1","1","0","#namedpipe","avast named pipe - subject to false positives","10","10","N/A","N/A","N/A","N/A","13620" "*\\\\.\\aswSP_Avar*",".{0,1000}\\\\\\\\\.\\\\aswSP_Avar.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","13622" "*\\MeshAgent*",".{0,1000}\\\\MeshAgent.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","13666" "*\\pipe\\openssh-ssh-agent*",".{0,1000}\\\\pipe\\\\openssh\-ssh\-agent.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered 
Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","#namedpipe","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","13675" "*\\RustDeskIddDriver*",".{0,1000}\\\\RustDeskIddDriver.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","13684" "*\1.bat",".{0,1000}\\1\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13709" "*\1.dll",".{0,1000}\\1\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13710" "*\1.exe",".{0,1000}\\1\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13712" "*\127.0.0.1-5900.vnc*",".{0,1000}\\127\.0\.0\.1\-5900\.vnc.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13716" 
"*\2.bat",".{0,1000}\\2\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13725" "*\2.dll",".{0,1000}\\2\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13726" "*\2.exe",".{0,1000}\\2\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13727" "*\3.bat",".{0,1000}\\3\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13734" "*\3.dll",".{0,1000}\\3\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13735" "*\3.exe",".{0,1000}\\3\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13736" 
"*\3proxy-*.deb*",".{0,1000}\\3proxy\-.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13737" "*\3proxy-*.rpm*",".{0,1000}\\3proxy\-.{0,1000}\.rpm.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13738" "*\3proxy-*.zip*",".{0,1000}\\3proxy\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13739" "*\3proxy.cfg*",".{0,1000}\\3proxy\.cfg.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13740" "*\3proxy.exe*",".{0,1000}\\3proxy\.exe.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13741" "*\3proxy.key*",".{0,1000}\\3proxy\.key.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - 
TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13742" "*\3proxy.log*",".{0,1000}\\3proxy\.log.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","13743" "*\4.bat",".{0,1000}\\4\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13744" "*\4.dll",".{0,1000}\\4\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13745" "*\4.exe",".{0,1000}\\4\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13746" "*\5.bat",".{0,1000}\\5\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13747" "*\5.dll",".{0,1000}\\5\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false 
positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13748" "*\5.exe",".{0,1000}\\5\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13749" "*\6.bat",".{0,1000}\\6\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13751" "*\6.dll",".{0,1000}\\6\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13752" "*\6.exe",".{0,1000}\\6\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13753" "*\7.bat",".{0,1000}\\7\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13754" "*\7.dll",".{0,1000}\\7\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - 
TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13755" "*\7.exe",".{0,1000}\\7\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13756" "*\8.bat",".{0,1000}\\8\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13757" "*\8.dll",".{0,1000}\\8\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13758" "*\8.exe",".{0,1000}\\8\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13759" "*\9.bat",".{0,1000}\\9\.bat","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13763" "*\9.dll",".{0,1000}\\9\.dll","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense 
Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13764" "*\9.exe",".{0,1000}\\9\.exe","greyware_tool_keyword","_","Suspicious file names - One character executables often used by threat actors (warning false positives)","T1070.004 - T1059","TA0010 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","False positive rate can be high","2","10","N/A","N/A","N/A","N/A","13765" "*\aa_nts.dll*",".{0,1000}\\aa_nts\.dll.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13768" "*\AA_v3.exe*",".{0,1000}\\AA_v3\.exe.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13769" "*\AA_v3.log*",".{0,1000}\\AA_v3\.log.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13770" "*\AADInternals\*",".{0,1000}\\AADInternals\\.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","13772" 
"*\Action1\7z.dll*",".{0,1000}\\Action1\\7z\.dll.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13781" "*\Action1\Agent\Certificate*",".{0,1000}\\Action1\\Agent\\Certificate.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13782" "*\Action1\CrashDumps*",".{0,1000}\\Action1\\CrashDumps.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13783" "*\Action1\package_downloads*",".{0,1000}\\Action1\\package_downloads.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13784" "*\Action1\scripts\Run_PowerShell_*",".{0,1000}\\Action1\\scripts\\Run_PowerShell_.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13785" "*\action1_agent(My_Organization).msi*",".{0,1000}\\action1_agent\(My_Organization\)\.msi.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","product name","10","10","N/A","N/A","N/A","N/A","13786" 
"*\ACTION1_AGENT.EXE-*",".{0,1000}\\ACTION1_AGENT\.EXE\-.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13787" "*\action1_log_*.log*",".{0,1000}\\action1_log_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","example C:\Windows\Action1\logs\action1_log_2023-12-17_13-42-47~10328.log","10","10","N/A","N/A","N/A","N/A","13788" "*\ad_svc.trace*",".{0,1000}\\ad_svc\.trace.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13790" "*\adaudit.ps1*",".{0,1000}\\adaudit\.ps1.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","13795" "*\adf.bat*",".{0,1000}\\adf\.bat.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. 
This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://github.com/aancw/community-threats/blob/82ece2dec931d175ed47276d426f526610aa8262/Ryuk/VFS/adf.bat#L4","1","0","N/A","N/A","10","1","0","0","2022-02-15T23:58:54Z","2022-02-24T18:51:11Z","13832" "*\adfind.cf*",".{0,1000}\\adfind\.cf.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13833" "*\AdFind.zip*",".{0,1000}\\AdFind\.zip.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However. 
attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13834" "*\ADGet.exe*",".{0,1000}\\ADGet\.exe.{0,1000}","greyware_tool_keyword","adget","gather valuable informations about the AD environment","T1018 - T1027 - T1046 - T1057 - T1069 - T1087 - T1098 - T1482","TA0001 - TA0002 - TA0003 - TA0007 - TA0011","N/A","N/A","Discovery","https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13848" "*\adiskreader\*",".{0,1000}\\adiskreader\\.{0,1000}","greyware_tool_keyword","adiskreader","Async Python library to parse local and remote disk images","T1020 - T1048 - T1074 - T1560.001","TA0005 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://github.com/skelsec/adiskreader","1","0","N/A","N/A","4","1","76","7","2025-03-15T19:48:39Z","2023-12-18T11:54:31Z","13850" "*\ADM Templates\ADMX\*.admx*",".{0,1000}\\ADM\sTemplates\\ADMX\\.{0,1000}\.admx.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13852" 
"*\adprinterpipe*",".{0,1000}\\adprinterpipe.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13864" "*\ADRecon.ps1*",".{0,1000}\\ADRecon\.ps1.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","13865" "*\ADRecon-master*",".{0,1000}\\ADRecon\-master.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","13866" "*\ADRecon-Report.xlsx*",".{0,1000}\\ADRecon\-Report\.xlsx.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered 
Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","13867" "*\Advanced IP Scanner.lnk*",".{0,1000}\\Advanced\sIP\sScanner\.lnk.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","13873" "*\Advanced Monitoring Agent\debug.log*",".{0,1000}\\Advanced\sMonitoring\sAgent\\debug\.log.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13874" "*\Advanced Monitoring Agent\staging*",".{0,1000}\\Advanced\sMonitoring\sAgent\\staging.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13875" "*\Advanced Monitoring Agent\task_start.js*",".{0,1000}\\Advanced\sMonitoring\sAgent\\task_start\.js.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - 
TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13876" "*\Advanced Monitoring Agent\unzip.exe*",".{0,1000}\\Advanced\sMonitoring\sAgent\\unzip\.exe.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13877" "*\Advanced Monitoring Agent\winagent.exe*",".{0,1000}\\Advanced\sMonitoring\sAgent\\winagent\.exe.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13878" "*\Advanced Port Scanner Portable\*",".{0,1000}\\Advanced\sPort\sScanner\sPortable\\.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","13879" "*\advanced_ip_scanner*",".{0,1000}advanced_ip_scanner.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","13880" "*\AeroAdmin *_Portable.exe*",".{0,1000}\\AeroAdmin\s.{0,1000}_Portable\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13883" "*\aeroadmin.exe*",".{0,1000}\\aeroadmin\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13884" "*\Aeroadmin.lnk*",".{0,1000}\\Aeroadmin\.lnk.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13885" "*\Aeroadmin\black.bmp*",".{0,1000}\\Aeroadmin\\black\.bmp.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13886" 
"*\Ahk2Exe.ahk*",".{0,1000}\\Ahk2Exe\.ahk.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","13892" "*\Ahk2Exe.exe*",".{0,1000}\\Ahk2Exe\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","13893" "*\Ahk2Exe.zip*",".{0,1000}\\Ahk2Exe\.zip.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","13894" "*\Alpemix.ini*",".{0,1000}\\Alpemix\.ini.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13902" "*\Alpemix.zip*",".{0,1000}\\Alpemix\.zip.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13903" "*\AlphaControlAgent\obj\Release\AteraAgent.pdb*",".{0,1000}\\AlphaControlAgent\\obj\\Release\\AteraAgent\.pdb.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - 
TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13904" "*\AMMYY\access.log*",".{0,1000}\\AMMYY\\access\.log.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13909" "*\Amperage.exe*",".{0,1000}\\Amperage\.exe.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13912" "*\Amperage\Program.cs*",".{0,1000}\\Amperage\\Program\.cs.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13913" "*\Amperage_v2024.5.31_arm64.zip*",".{0,1000}\\Amperage_v2024\.5\.31_arm64\.zip.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13914" "*\Amperage_v2024.6.1_arm64.zip*",".{0,1000}\\Amperage_v2024\.6\.1_arm64\.zip.{0,1000}","greyware_tool_keyword","AmperageKit","enabling 
Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13915" "*\AmperageAIXSysRemove*",".{0,1000}\\AmperageAIXSysRemove.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13916" "*\AmperageHwReqDetour*",".{0,1000}\\AmperageHwReqDetour.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13917" "*\AmperageKit.sln*",".{0,1000}\\AmperageKit\.sln.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","13918" "*\Angry IP Scanner.app*",".{0,1000}\\Angry\sIP\sScanner\.app.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","13937" "*\AnyDesk 
(1).exe*",".{0,1000}\\AnyDesk\s\(1\)\.exe.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13952" "*\AnyDesk.exe*",".{0,1000}\\AnyDesk\.exe.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13953" "*\AnyDesk.lnk*",".{0,1000}\\AnyDesk\.lnk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13954" "*\AnyDesk\ad.trace*",".{0,1000}\\AnyDesk\\ad\.trace.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - 
Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13955" "*\AnyDesk\ad_svc.trace*",".{0,1000}\\AnyDesk\\ad_svc\.trace.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13956" "*\AnyDesk\AnyDesk_Output.txt*",".{0,1000}\\AnyDesk\\AnyDesk_Output\.txt.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","0","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","13957" "*\AnyDesk\connection_trace.txt*",".{0,1000}\\AnyDesk\\connection_trace\.txt.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13958" 
"*\AnyDesk\connection_trace.txt*",".{0,1000}\\AnyDesk\\connection_trace\.txt.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13959" "*\anydesk\printer_driver*",".{0,1000}\\anydesk\\printer_driver.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13960" "*\AnyDesk\service.conf*",".{0,1000}\\AnyDesk\\service\.conf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13961" "*\AnyDeskPrintDriver.cat*",".{0,1000}\\AnyDeskPrintDriver\.cat.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - 
Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13962" "*\anydeskprintdriver.inf*",".{0,1000}\\anydeskprintdriver\.inf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","13963" "*\Anyplace Control - Admin.lnk*",".{0,1000}\\Anyplace\sControl\s\-\sAdmin\.lnk.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13964" "*\Anyplace Control\*",".{0,1000}\\Anyplace\sControl\\.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13965" "*\anyplace-control.ini*",".{0,1000}\\anyplace\-control\.ini.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13966" "*\AnyViewerSetup.exe*",".{0,1000}\\AnyViewerSetup\.exe.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13967" 
"*\AnyViewerSetup.tmp*",".{0,1000}\\AnyViewerSetup\.tmp.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13968" "*\Apemix.exe*",".{0,1000}\\Apemix\.exe.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13973" "*\AppData\Local\*\rescue.log*",".{0,1000}\\AppData\\Local\\.{0,1000}\\rescue\.log.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13981" "*\appdata\local\bomgar\bomgar-rep\*",".{0,1000}\\appdata\\local\\bomgar\\bomgar\-rep\\.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13982" "*\AppData\Local\CoreAIPlatform.00\UKP\*\ukg.db*",".{0,1000}\\AppData\\Local\\CoreAIPlatform\.00\\UKP\\.{0,1000}\\ukg\.db.{0,1000}","greyware_tool_keyword","Microsoft Recall","data from the Recall feature in Windows 11 - Recall is enabled on the computer","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","N/A","1","0","N/A","will trigger if Recall is enabled on the computer","8","10","N/A","N/A","N/A","N/A","13983" 
"*\AppData\Local\CoreAIPlatform.00\UKP\*\ukg.db*",".{0,1000}\\AppData\\Local\\CoreAIPlatform\.00\\UKP\\.{0,1000}\\ukg\.db.{0,1000}","greyware_tool_keyword","TotalRecall","extracts and displays data from the Recall feature in Windows 11","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/xaitax/TotalRecall","1","0","N/A","will trigger if Recall is enabled on the computer","5","10","2011","159","2024-06-08T09:25:08Z","2024-06-03T16:38:04Z","13984" "*\AppData\Local\CyberGhost*",".{0,1000}\\AppData\\Local\\CyberGhost.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","13985" "*\appdata\local\damewa~1\*",".{0,1000}\\appdata\\local\\damewa\~1\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13986" "*\appdata\local\dameware remote everywhere*",".{0,1000}\\appdata\\local\\dameware\sremote\severywhere.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13987" "*\AppData\Local\Downloaded Installations\*\server-3.3.5.0.msi*",".{0,1000}\\AppData\\Local\\Downloaded\sInstallations\\.{0,1000}\\server\-3\.3\.5\.0\.msi.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - 
MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13988" "*\AppData\Local\Downloaded Installations\*\viewer-7.2.2.0.msi*",".{0,1000}\\AppData\\Local\\Downloaded\sInstallations\\.{0,1000}\\viewer\-7\.2\.2\.0\.msi.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13989" "*\AppData\Local\GoToMyPC\*",".{0,1000}\\AppData\\Local\\GoToMyPC\\.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13990" "*\AppData\Local\LMIR*.tmp.bat*",".{0,1000}\\AppData\\Local\\LMIR.{0,1000}\.tmp\.bat.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13991" "*\AppData\Local\LogMeIn Rescue Applet\*",".{0,1000}\\AppData\\Local\\LogMeIn\sRescue\sApplet\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - 
Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13992" "*\AppData\Local\MEGAcmd*",".{0,1000}\\AppData\\Local\\MEGAcmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","13993" "*\appdata\local\megasync\*",".{0,1000}\\appdata\\local\\megasync\\.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13994" "*\AppData\Local\Microsoft\CLR_*\UsageLogs\*.exe.log*",".{0,1000}\\AppData\\Local\\Microsoft\\CLR_.{0,1000}\\UsageLogs\\.{0,1000}\.exe\.log.{0,1000}","greyware_tool_keyword","cobaltstrike","If cobaltstrike uses execute-assembly there is a chance that a file will be created in the UsageLogs logs","T1548.002 - T1548.003 - T1134.001 - T1134.003 - T1134.004 - T1087.002 - T1071.001 - T1071.004 - T1071.005 - T1197 - T1185 - T1059.001 - T1059.003 - T1059.004 - T1068.002 - T1083 - T1564.010 - T1562.001 - T1005 - T1001.003 - T1030 - T1140 - T1573.001 - T1573.002 - T1203 - T1068.001 - T1083 - T1135 - T1095 - T1027 - T1137.001 - T1003.001 - T1003.002 - T1069.001 - T1069.002 - T1057 - T1055.001 - T1055.012 - T1572 - T1090.001 - T1090.004 - T1012 - T1620 - T1021.001 - T1021.002 - T1021.003 - T1021.004 - T1021.006 - T1018 - T1029 - T1113 - 
T1518 - T1553.002 - T1218.011 - T1016 - T1049 - T1007 - T1569.002 - T1550.002 - T1078.002 - T1078.003 - T1047","TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0040","N/A","APT19 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - Common Raven - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass - Unit 29155 - Akira - APT15 - APT26 - BRONZE STARLIGHT - COZY BEAR - Sandworm","C2","https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13995" "*\appdata\local\microsoft\windows\inetcache\ie\can_install_pc[1].xml*",".{0,1000}\\appdata\\local\\microsoft\\windows\\inetcache\\ie\\can_install_pc\[1\]\.xml.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","13996" "*\AppData\Local\remoteit*",".{0,1000}\\AppData\\Local\\remoteit.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","13997" "*\AppData\Local\rustdesk\*",".{0,1000}\\AppData\\Local\\rustdesk\\.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by 
scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","13998" "*\AppData\Local\Temp\*\Doc_ENG\_Rootkit detection.txt*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\Doc_ENG\\_Rootkit\sdetection\.txt.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","13999" "*\AppData\Local\Temp\*\gosetup.exe*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\gosetup\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14000" "*\AppData\Local\Temp\*\GoToOpener.msi*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\GoToOpener\.msi.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14001" "*\AppData\Local\Temp\*\IObitUnlockerSetup*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\IObitUnlockerSetup.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense 
Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","14002" "*\AppData\Local\Temp\*\NSM.LIC*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\NSM\.LIC.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14003" "*\AppData\Local\Temp\*\Proxifier PE\*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\Proxifier\sPE\\.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","14004" "*\AppData\Local\Temp\*\server-3.3.5.0.exe*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\server\-3\.3\.5\.0\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14008" "*\AppData\Local\Temp\*\server-3.3.5.0.msi*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\server\-3\.3\.5\.0\.msi.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14009" 
"*\AppData\Local\Temp\*\zmstage.exe*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\\zmstage\.exe.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14010" "*\AppData\Local\Temp\*_Radmin_3.*.zip*",".{0,1000}\\AppData\\Local\\Temp\\.{0,1000}_Radmin_3\..{0,1000}\.zip.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14011" "*\AppData\Local\Temp\a.exe*",".{0,1000}\\AppData\\Local\\Temp\\a\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14012" "*\AppData\Local\Temp\b.exe*",".{0,1000}\\AppData\\Local\\Temp\\b\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14013" "*\AppData\Local\Temp\c.exe*",".{0,1000}\\AppData\\Local\\Temp\\c\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14014" "*\AppData\Local\Temp\d.exe*",".{0,1000}\\AppData\\Local\\Temp\\d\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - 
T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14016" "*\AppData\Local\Temp\dwagent*",".{0,1000}\\AppData\\Local\\Temp\\dwagent.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","14017" "*\AppData\Local\Temp\e.exe*",".{0,1000}\\AppData\\Local\\Temp\\e\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14018" "*\AppData\Local\Temp\eraserInstallBootstrapper\*",".{0,1000}\\AppData\\Local\\Temp\\eraserInstallBootstrapper\\.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","14019" "*\AppData\Local\Temp\f.exe*",".{0,1000}\\AppData\\Local\\Temp\\f\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14020" "*\AppData\Local\Temp\g.exe*",".{0,1000}\\AppData\\Local\\Temp\\g\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - 
T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14022" "*\AppData\Local\Temp\h.exe*",".{0,1000}\\AppData\\Local\\Temp\\h\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14024" "*\AppData\Local\Temp\i.exe*",".{0,1000}\\AppData\\Local\\Temp\\i\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14025" "*\AppData\Local\Temp\ITarian_Remote_Access_*",".{0,1000}\\AppData\\Local\\Temp\\ITarian_Remote_Access_.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14026" "*\AppData\Local\Temp\j.exe*",".{0,1000}\\AppData\\Local\\Temp\\j\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14027" "*\AppData\Local\Temp\k.exe*",".{0,1000}\\AppData\\Local\\Temp\\k\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense 
Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14028" "*\AppData\Local\Temp\l.exe*",".{0,1000}\\AppData\\Local\\Temp\\l\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14030" "*\AppData\Local\Temp\lansweeper-*",".{0,1000}\\AppData\\Local\\Temp\\lansweeper\-.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14031" "*\AppData\Local\Temp\m.exe*",".{0,1000}\\AppData\\Local\\Temp\\m\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14033" "*\AppData\Local\Temp\n.exe*",".{0,1000}\\AppData\\Local\\Temp\\n\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14034" "*\AppData\Local\Temp\o.exe*",".{0,1000}\\AppData\\Local\\Temp\\o\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14035" 
"*\AppData\Local\Temp\p.exe*",".{0,1000}\\AppData\\Local\\Temp\\p\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14036" "*\AppData\Local\Temp\PCHunter.sys*",".{0,1000}\\AppData\\Local\\Temp\\PCHunter\.sys.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","14038" "*\AppData\Local\Temp\Procmon.exe*",".{0,1000}\\AppData\\Local\\Temp\\Procmon\.exe.{0,1000}","greyware_tool_keyword","procmon","Procmon used in user temp folder","T1059.001 - T1036 - T1569.002","TA0002 - TA0006","N/A","N/A","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","4","7","N/A","N/A","N/A","N/A","14039" "*\AppData\Local\Temp\Procmon64.exe*",".{0,1000}\\AppData\\Local\\Temp\\Procmon64\.exe.{0,1000}","greyware_tool_keyword","procmon","Procmon used in user temp folder","T1059.001 - T1036 - T1569.002","TA0002 - TA0006","N/A","N/A","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","4","7","N/A","N/A","N/A","N/A","14040" "*\AppData\Local\Temp\Proxifier PE\*",".{0,1000}\\AppData\\Local\\Temp\\Proxifier\sPE\\.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense 
Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","14041" "*\AppData\Local\Temp\q.exe*",".{0,1000}\\AppData\\Local\\Temp\\q\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14042" "*\AppData\Local\Temp\r.exe*",".{0,1000}\\AppData\\Local\\Temp\\r\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14043" "*\AppData\Local\Temp\Remote_Control_by_Itarian*",".{0,1000}\\AppData\\Local\\Temp\\Remote_Control_by_Itarian.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14044" "*\AppData\Local\Temp\RemoteHelp\EBWebView*",".{0,1000}\\AppData\\Local\\Temp\\RemoteHelp\\EBWebView.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","14045" "*\AppData\Local\Temp\rutserv*",".{0,1000}\\AppData\\Local\\Temp\\rutserv.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14046" "*\AppData\Local\Temp\s.exe*",".{0,1000}\\AppData\\Local\\Temp\\s\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14047" "*\AppData\Local\Temp\t.exe*",".{0,1000}\\AppData\\Local\\Temp\\t\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14052" "*\AppData\Local\Temp\u.exe*",".{0,1000}\\AppData\\Local\\Temp\\u\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14055" "*\AppData\Local\Temp\v.exe*",".{0,1000}\\AppData\\Local\\Temp\\v\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14057" "*\AppData\Local\Temp\VPN_*\VPN_Lock.dat*",".{0,1000}\\AppData\\Local\\Temp\\VPN_.{0,1000}\\VPN_Lock\.dat.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","14058" "*\appdata\local\temp\vpn_*\vpnsetup.exe*",".{0,1000}\\appdata\\local\\temp\\vpn_.{0,1000}\\vpnsetup\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","14059" "*\AppData\Local\Temp\VPN_AECD\*",".{0,1000}\\AppData\\Local\\Temp\\VPN_AECD\\.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","14060" "*\AppData\Local\Temp\w.exe*",".{0,1000}\\AppData\\Local\\Temp\\w\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14061" "*\AppData\Local\Temp\x.exe*",".{0,1000}\\AppData\\Local\\Temp\\x\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14063" "*\AppData\Local\Temp\y.exe*",".{0,1000}\\AppData\\Local\\Temp\\y\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - 
T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14064" "*\AppData\Local\Temp\z.exe*",".{0,1000}\\AppData\\Local\\Temp\\z\.exe.{0,1000}","greyware_tool_keyword","_","suspicious executable name in temp location","T1204.002 - T1059 - T1036.005 - T1070.004","TA0002 - TA0005","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","14065" "*\AppData\Local\ZohoMeeting\*",".{0,1000}\\AppData\\Local\\ZohoMeeting\\.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14066" "*\AppData\LocalLow\LogMeIn Rescue\*",".{0,1000}\\AppData\\LocalLow\\LogMeIn\sRescue\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14067" "*\AppData\Roaming\*\remote.nsm*",".{0,1000}\\AppData\\Roaming\\.{0,1000}\\remote\.nsm.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14068" 
"*\AppData\Roaming\*\RemoteDesktop.exe*",".{0,1000}\\AppData\\Roaming\\.{0,1000}\\RemoteDesktop\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14069" "*\AppData\Roaming\*\uac.tmp",".{0,1000}\\AppData\\Roaming\\.{0,1000}\\uac\.tmp","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14070" "*\AppData\Roaming\*-5900.vnc*",".{0,1000}\\AppData\\Roaming\\.{0,1000}\-5900\.vnc.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14071" "*\appdata\roaming\*'DestPort'>4782*",".{0,1000}\\appdata\\roaming\\.{0,1000}\'DestPort\'\>4782\<\/Data\>.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","14072" "*\AppData\Roaming\AnyDesk\system.conf*",".{0,1000}\\AppData\\Roaming\\AnyDesk\\system\.conf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","14073" "*\AppData\Roaming\AnyDesk\user.conf*",".{0,1000}\\AppData\\Roaming\\AnyDesk\\user\.conf.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","14074" "*\AppData\Roaming\Anyplace Control*",".{0,1000}\\AppData\\Roaming\\Anyplace\sControl.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14075" "*\AppData\Roaming\DameWare Development\*",".{0,1000}\\AppData\\Roaming\\DameWare\sDevelopment\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14076" "*\AppData\Roaming\FreeFileSync\Logs\*",".{0,1000}\\AppData\\Roaming\\FreeFileSync\\Logs\\.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","14077" "*\AppData\Roaming\freerdp*",".{0,1000}\\AppData\\Roaming\\freerdp.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14078" "*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.bat*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","14080" "*\AppData\Roaming\Microsoft\Windows\Start 
Menu\Programs\Startup\*.cmd*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","14081" "*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.hta*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","14082" "*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.ps1*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","14083" "*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs*",".{0,1000}\\AppData\\Roaming\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","_","script in startup location","T1059 - T1037 - T1060","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","14084" "*\AppData\Roaming\NetSupport\*",".{0,1000}\\AppData\\Roaming\\NetSupport\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14085" 
"*\AppData\Roaming\Radmin*",".{0,1000}\\AppData\\Roaming\\Radmin.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14086" "*\AppData\Roaming\rclone*",".{0,1000}\\AppData\\Roaming\\rclone.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","14087" "*\AppData\Roaming\rclone\rclone.conf*",".{0,1000}\\AppData\\Roaming\\rclone\\rclone\.conf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","14088" "*\AppData\Roaming\Remote Utilities 
Files*",".{0,1000}\\AppData\\Roaming\\Remote\sUtilities\sFiles.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14089" "*\AppData\Roaming\SoftPerfect Network Scanner*",".{0,1000}\\AppData\\Roaming\\SoftPerfect\sNetwork\sScanner.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","14090" "*\AppData\Roaming\TeamViewer*",".{0,1000}\\AppData\\Roaming\\TeamViewer.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","14091" "*\AppData\Roaming\Telegram Desktop\tdata*",".{0,1000}\\AppData\\Roaming\\Telegram\sDesktop\\tdata.{0,1000}","greyware_tool_keyword","telegram","telegram API usage -given the increasing adoption of Telegram by malware for command and control (C2) 
operations. it's essential to monitor and restrict its usage within corporate networks and on company devices","T1071.004 - T1102 - T1047","TA0011 - TA0002 - TA0005","N/A","Gamaredon","C2","api.telegram.org","0","0","N/A","High False positive Risk !","1","9","N/A","N/A","N/A","N/A","14092" "*\AppData\Roaming\UltraVNC\*",".{0,1000}\\AppData\\Roaming\\UltraVNC\\.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14093" "*\AppData\Roaming\VSA X*",".{0,1000}\\AppData\\Roaming\\VSA\sX.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14094" "*\Application Data\IObit\IObit Unlocker*",".{0,1000}\\Application\sData\\IObit\\IObit\sUnlocker.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","14095" "*\Applications\VPN\Data\OpenVPN\*",".{0,1000}\\Applications\\VPN\\Data\\OpenVPN\\.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14096" 
"*\Applications\VPN\tunnel.dll*",".{0,1000}\\Applications\\VPN\\tunnel\.dll.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14097" "*\Applications\VPN\wireguard.dll*",".{0,1000}\\Applications\\VPN\\wireguard\.dll.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14098" "*\Assistance rapide Installer.exe*",".{0,1000}\\Assistance\srapide\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","14122" "*\Assistenza rapida Installer.exe*",".{0,1000}\\Assistenza\srapida\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","14123" "*\atera_agent.exe*",".{0,1000}\\atera_agent\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - 
Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14128" "*\AtNow \\*",".{0,1000}\\AtNow\s\\\\.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","14133" "*\atnow.exe*",".{0,1000}\\atnow\.exe.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","14134" "*\atnow.zip*",".{0,1000}\\atnow\.zip.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","14135" "*\AttendedServiceRemove.exe*",".{0,1000}\\AttendedServiceRemove\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14141" "*\AttendedUDP.zip*",".{0,1000}\\AttendedUDP\.zip.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14142" "*\attrib.exe* +H *",".{0,1000}\\attrib\.exe.{0,1000}\s\+H\s.{0,1000}","greyware_tool_keyword","attrib","command aiming to hide 
a file. It can be performed with attrib.exe on a WINDOWS machine with command option +h ","T1562.001","TA0040 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","2","8","N/A","N/A","N/A","N/A","14143" "*\AutoHotkey.dll*",".{0,1000}\\AutoHotkey\.dll.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","14149" "*\AutoHotkey.exe*",".{0,1000}\\AutoHotkey\.exe.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","14150" "*\AutoHotkey_*.zip*",".{0,1000}\\AutoHotkey_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","14151" 
"*\AutoHotkey_1*_setup.exe*",".{0,1000}\\AutoHotkey_1.{0,1000}_setup\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14152" "*\AutoHotkey_2*_setup.exe*",".{0,1000}\\AutoHotkey_2.{0,1000}_setup\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14153" "*\AutoHotkey64.exe*",".{0,1000}\\AutoHotkey64\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14154" "*\AutoHotkey64.exe*",".{0,1000}\\AutoHotkey64\.exe.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","14155" "*\AutoHotkey64_UIA.exe*",".{0,1000}\\AutoHotkey64_UIA\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - 
TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14156" "*\AutoHotkey-main*",".{0,1000}\\AutoHotkey\-main.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","14157" "*\AutoHotkeySC.bin*",".{0,1000}\\AutoHotkeySC\.bin.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14158" "*\AutoHotkeyU32.exe*",".{0,1000}\\AutoHotkeyU32\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14159" "*\AutoHotkeyUX.exe*",".{0,1000}\\AutoHotkeyUX\.exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","14160" 
"*\AutoHotkeyx.sln*",".{0,1000}\\AutoHotkeyx\.sln.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","14161" "*\AvDump.exe --pid * --exception_ptr 0*",".{0,1000}\\AvDump\.exe\s\-\-pid\s.{0,1000}\s\-\-exception_ptr\s0.{0,1000}","greyware_tool_keyword","AVDump","Avast AV to dump LSASS (C:\Program Files\Avast Software\Avast)","T1003.001 - T1059.001 - T1106","TA0006","N/A","Dispossessor","Credential Access","https://rosesecurity.gitbook.io/red-teaming-ttps/windows#av-lsass-dump","1","0","N/A","lolbin","8","9","N/A","N/A","N/A","N/A","14167" "*\Aweray Remote.lnk*",".{0,1000}\\Aweray\sRemote\.lnk.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14176" "*\Aweray_Remote_*.exe*",".{0,1000}\\Aweray_Remote_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14177" "*\Aweray_Remote_*.zip*",".{0,1000}\\Aweray_Remote_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14178" 
"*\AweSun.exe*",".{0,1000}\\AweSun\.exe.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14179" "*\baconsoleapp.exe*",".{0,1000}\\baconsoleapp\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14209" "*\baconsoleappen.dll*",".{0,1000}\\baconsoleappen\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14210" "*\baseclient.exe* -consoleinstallcomplete*",".{0,1000}\\baseclient\.exe.{0,1000}\s\-consoleinstallcomplete.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14231" "*\basupclphlp.exe*",".{0,1000}\\basupclphlp\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14233" "*\basupclpprg.exe*",".{0,1000}\\basupclpprg\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14234" "*\basupconhelper.exe*",".{0,1000}\\basupconhelper\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14235" "*\basuplib.dll*",".{0,1000}\\basuplib\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14236" "*\basupportexpresssrvcupdater_dameware*",".{0,1000}\\basupportexpresssrvcupdater_dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14237" "*\basupportexpressstandaloneservice_dameware*",".{0,1000}\\basupportexpressstandaloneservice_dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14238" "*\basupregedithlpr.exe*",".{0,1000}\\basupregedithlpr\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14239" 
"*\basupregedithlpr_*.log*",".{0,1000}\\basupregedithlpr_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14240" "*\basupsrvc.cfg*",".{0,1000}\\basupsrvc\.cfg.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14241" "*\basupsrvc.exe*",".{0,1000}\\basupsrvc\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14242" "*\basupsrvc.ico*",".{0,1000}\\basupsrvc\.ico.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14243" "*\basupsrvc.ini*",".{0,1000}\\basupsrvc\.ini.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14244" "*\basupsrvc.xml*",".{0,1000}\\basupsrvc\.xml.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14245" "*\basupsrvc_*.log*",".{0,1000}\\basupsrvc_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14246" "*\basupsrvccnfg.exe*",".{0,1000}\\basupsrvccnfg\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14247" "*\basupsrvccnfg_*.log*",".{0,1000}\\basupsrvccnfg_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14248" "*\basupsrvccnfg_dameware*",".{0,1000}\\basupsrvccnfg_dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14249" "*\basupsrvccnfgde.dll*",".{0,1000}\\basupsrvccnfgde\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14250" 
"*\basupsrvccnfgen.dll*",".{0,1000}\\basupsrvccnfgen\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14251" "*\basupsrvccnfges.dll*",".{0,1000}\\basupsrvccnfges\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14252" "*\basupsrvccnfgfr.dll*",".{0,1000}\\basupsrvccnfgfr\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14253" "*\basupsrvccnfgit.dll*",".{0,1000}\\basupsrvccnfgit\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14254" "*\basupsrvccnfgpt.dll*",".{0,1000}\\basupsrvccnfgpt\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14255" "*\basupsrvcde.dll*",".{0,1000}\\basupsrvcde\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14256" "*\basupsrvcen.dll*",".{0,1000}\\basupsrvcen\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14257" "*\basupsrvces.dll*",".{0,1000}\\basupsrvces\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14258" "*\basupsrvcevnt3.dll*",".{0,1000}\\basupsrvcevnt3\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14259" "*\basupsrvcfr.dll*",".{0,1000}\\basupsrvcfr\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14260" "*\basupsrvcit.dll*",".{0,1000}\\basupsrvcit\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14261" "*\basupsrvcpt.dll*",".{0,1000}\\basupsrvcpt\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - 
T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14262" "*\basupsrvcupdater.exe*",".{0,1000}\\basupsrvcupdater\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14263" "*\basupsrvcupdater_*.log*",".{0,1000}\\basupsrvcupdater_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14264" "*\basupsysinf*.log*",".{0,1000}\\basupsysinf.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14265" "*\basupsysinf.exe*",".{0,1000}\\basupsysinf\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14266" "*\basupsysinf.ini*",".{0,1000}\\basupsysinf\.ini.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14267" 
"*\basupsysshell.exe*",".{0,1000}\\basupsysshell\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14268" "*\basupsysshell64.exe*",".{0,1000}\\basupsysshell64\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14269" "*\basuptshelper.exe*",".{0,1000}\\basuptshelper\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14270" "*\basuptshelper_*.log*",".{0,1000}\\basuptshelper_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14271" "*\basuptshelperlib.dll*",".{0,1000}\\basuptshelperlib\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14272" "*\basupunelev.exe*",".{0,1000}\\basupunelev\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14273" "*\basupvista.dll*",".{0,1000}\\basupvista\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14274" "*\bavideochat.exe*",".{0,1000}\\bavideochat\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14277" "*\bawhook.dll*",".{0,1000}\\bawhook\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14278" "*\beanywhere support express service - [dameware]*",".{0,1000}\\beanywhere\ssupport\sexpress\sservice\s\-\s\[dameware\].{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14286" "*\BEST_uninstallTool.exe*",".{0,1000}\\BEST_uninstallTool\.exe.{0,1000}","greyware_tool_keyword","Dispossessor","tool used by Dispossessor ransomware group to remove AV","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14293" 
"*\bin\3proxy*",".{0,1000}\\bin\\3proxy.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","14303" "*\bin\RDPConf.exe*",".{0,1000}\\bin\\RDPConf\.exe.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","14306" "*\bin\tapinstall.exe*",".{0,1000}\\bin\\tapinstall\.exe.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","14309" "*\BitLockerRecoveryKeys.csv*",".{0,1000}\\BitLockerRecoveryKeys\.csv.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","14319" "*\BitTorrent.exe*",".{0,1000}\\BitTorrent\.exe.{0,1000}","greyware_tool_keyword","bittorent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. 
Not something we want to see installed in a enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]bittorrent.com/fr/","1","0","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","14326" "*\Bomgar-enum_cp-*",".{0,1000}\\Bomgar\-enum_cp\-.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14365" "*\bomgar-rep.cache\*",".{0,1000}\\bomgar\-rep\.cache\\.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14366" "*\bomgar-rep.exe*",".{0,1000}\\bomgar\-rep\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14367" "*\bomgar-rep-installer.exe*",".{0,1000}\\bomgar\-rep\-installer\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14368" "*\bomgar-scc-*.exe*",".{0,1000}\\bomgar\-scc\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14369" 
"*\bomgar-scc.exe*",".{0,1000}\\bomgar\-scc\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14370" "*\BOMGAR-SCC.EXE-*",".{0,1000}\\BOMGAR\-SCC\.EXE\-.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14371" "*\bored-tunnel-client*",".{0,1000}\\bored\-tunnel\-client.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","14374" "*\box.desktop.updateservice.exe*",".{0,1000}\\box\.desktop\.updateservice\.exe.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14375" "*\Box.Updater.Common.dll*",".{0,1000}\\Box\.Updater\.Common\.dll.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14376" "*\box\box.exe*",".{0,1000}\\box\\box\.exe.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then 
share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14377" "*\Box\ui\BoxUI.exe*",".{0,1000}\\Box\\ui\\BoxUI\.exe.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14378" "*\BoxDesktop.boxnote\shell\*",".{0,1000}\\BoxDesktop\.boxnote\\shell\\.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14379" "*\BoxDrive.msi*",".{0,1000}\\BoxDrive\.msi.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","14380" "*\BRMM_2024.1-Release*",".{0,1000}\\BRMM_2024\.1\-Release.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14383" "*\BSUtility.exe*",".{0,1000}\\BSUtility\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote 
administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14408" "*\btunnel.exe*",".{0,1000}\\btunnel\.exe.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","14409" "*\btunnel.log*",".{0,1000}\\btunnel\.log.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","14410" "*\c3pool\\miner.bat*",".{0,1000}\\c3pool\\\\miner\.bat.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","14447" "*\c3pool\config.json*",".{0,1000}\\c3pool\\config\.json.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","14448" "*\cbhook-x86.dll*",".{0,1000}\\cbhook\-x86\.dll.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14472" "*\Chrome Remote 
Desktop\host.json*",".{0,1000}\\Chrome\sRemote\sDesktop\\host\.json.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14511" "*\ChromeCookiesView.cfg*",".{0,1000}\\ChromeCookiesView\.cfg.{0,1000}","greyware_tool_keyword","ChromeCookiesView","displays the list of all cookies stored by Google Chrome Web browser - abused by attackers","T1539 - T1005 - T1070.004 - T1552.001","TA0006 - TA0008 - TA0009","N/A","Evilnum - MuddyWater","Credential Access","https://www.nirsoft.net/utils/chrome_cookies_view.html","1","0","N/A","https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf","8","10","N/A","N/A","N/A","N/A","14519" "*\Citrix\GoToMyPc\FileTransfer\history*",".{0,1000}\\Citrix\\GoToMyPc\\FileTransfer\\history.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14531" "*\Citrix\GoToMyPc\GuestInvite*",".{0,1000}\\Citrix\\GoToMyPc\\GuestInvite.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14532" "*\cloudflared.exe*",".{0,1000}\\cloudflared\.exe.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies 
traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","14552" "*\cloudflared\cmd\*",".{0,1000}\\cloudflared\\cmd\\.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","14553" "*\cloudflared-2023.*",".{0,1000}\\cloudflared\-2023\..{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","14554" "*\cloudflared-2024.*",".{0,1000}\\cloudflared\-2024\..{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","14555" 
"*\CloudShell.ps1*",".{0,1000}\\CloudShell\.ps1.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","14556" "*\CloudShell_utils.ps1*",".{0,1000}\\CloudShell_utils\.ps1.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","14557" "*\cmd\tailscaled*",".{0,1000}\\cmd\\tailscaled.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","14561" "*\cmdkey.exe"" /list*",".{0,1000}\\cmdkey\.exe\""\s\/list.{0,1000}","greyware_tool_keyword","Cmdkey","List Saved Credentials","T1555","TA0006","N/A","N/A","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14564" "*\ComodoRemoteControl.exe*",".{0,1000}\\ComodoRemoteControl\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - 
Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14597" "*\config\RustDesk.toml*",".{0,1000}\\config\\RustDesk\.toml.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","14602" "*\config\RustDesk_local.*",".{0,1000}\\config\\RustDesk_local\..{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","14603" "*\connectd.aarch64-win.exe*",".{0,1000}\\connectd\.aarch64\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","14613" "*\connectd.x86_64-win.exe*",".{0,1000}\\connectd\.x86_64\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","14614" "*\Content\.Outlook\*\*.rdp*",".{0,100}\\Content\.Outlook\\[A-Z0-9]{8}\\[^\\]{1,255}\.rdp.{0,100}","greyware_tool_keyword","rdp","rdp file received in emails - abused by 
attackers","T1204 - T1566 - T1078 - T1105","TA0001 - TA0002 - TA0010 - TA0011","N/A","Midnight Blizzard - APT29 - UNC2452 - Cozy Bear","Phishing","https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files","1","0","N/A","https://x.com/cyb3rops/status/1851880158640099675","9","8","N/A","N/A","N/A","N/A","14616" "*\ContextMenuHandlers\MEGA (Context menu)*",".{0,1000}\\ContextMenuHandlers\\MEGA\s\(Context\smenu\).{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14617" "*\Control\Print\Monitors\REMOTEPCPRINTER*",".{0,1000}\\Control\\Print\\Monitors\\REMOTEPCPRINTER.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14622" "*\Control\SafeBoot\Network\SupremoService*",".{0,1000}\\Control\\SafeBoot\\Network\\SupremoService.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14623" "*\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin_*",".{0,1000}\\ControlSet001\\Control\\SafeBoot\\Network\\AmmyyAdmin_.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - 
TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14624" "*\ControlSet001\Services\AnyDesk*",".{0,1000}\\ControlSet001\\Services\\AnyDesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","14625" "*\ControlSet001\Services\PCHunter*",".{0,1000}\\ControlSet001\\Services\\PCHunter.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","#registry #servicename","N/A","8","10","N/A","N/A","N/A","N/A","14626" "*\createpassword.exe*",".{0,1000}\\createpassword\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14652" "*\credentials.log*",".{0,1000}\\credentials\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - 
T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","14659" "*\croc.exe*",".{0,1000}\\croc\.exe.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","14676" "*\CurrentControlSet\Control\SafeBoot\Network\AeroadminService*",".{0,1000}\\CurrentControlSet\\Control\\SafeBoot\\Network\\AeroadminService.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14706" "*\CurrentControlSet\Control\SafeBoot\Network\AnyDesk*",".{0,1000}\\CurrentControlSet\\Control\\SafeBoot\\Network\\AnyDesk.{0,1000}","greyware_tool_keyword","anydesk","anydesk added in safeboot - abused by attackers to maintain persistence and bypass detection","T1546.013 - T1218 - T1060","TA0005 - TA0003 - TA0002","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14707" "*\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (*",".{0,1000}\\CurrentControlSet\\Control\\SafeBoot\\Network\\ScreenConnect\sClient\s\(.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly 
known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14708" "*\CurrentControlSet\Services\AeroadminService*",".{0,1000}\\CurrentControlSet\\Services\\AeroadminService.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14709" "*\CurrentControlSet\Services\AlpemixSrvcx*",".{0,1000}\\CurrentControlSet\\Services\\AlpemixSrvcx.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14710" "*\CurrentControlSet\Services\bam\State\UserSettings\*\MicrosoftCorporationII.QuickAssist_*",".{0,1000}\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\.{0,1000}\\MicrosoftCorporationII\.QuickAssist_.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","#registry","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","14712" "*\CurrentControlSet\Services\GsServer*",".{0,1000}\\CurrentControlSet\\Services\\GsServer.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data 
Exfiltration","https://www.goodsync.com/","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","14713" "*\CurrentControlSet\Services\ItsmRsp*",".{0,1000}\\CurrentControlSet\\Services\\ItsmRsp.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","14714" "*\CurrentControlSet\Services\ITSMService*",".{0,1000}\\CurrentControlSet\\Services\\ITSMService.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","14715" "*\CurrentControlSet\Services\Mesh*",".{0,1000}\\CurrentControlSet\\Services\\Mesh.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#registry","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","14716" "*\CurrentControlSet\Services\MiniInternetIdService*",".{0,1000}\\CurrentControlSet\\Services\\MiniInternetIdService.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14717" 
"*\CurrentControlSet\Services\Neo_VPN*",".{0,1000}\\CurrentControlSet\\Services\\Neo_VPN.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#registry #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","14718" "*\CurrentControlSet\Services\RmmService*",".{0,1000}\\CurrentControlSet\\Services\\RmmService.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","14719" "*\CurrentControlSet\Services\ScreenConnect *",".{0,1000}\\CurrentControlSet\\Services\\ScreenConnect\s.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","14720" "*\CurrentControlSet\Services\SEVPNCLIENTDEV*",".{0,1000}\\CurrentControlSet\\Services\\SEVPNCLIENTDEV.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#servicename #registry 
#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","14721" "*\CurrentControlSet\Services\SupremoService*",".{0,1000}\\CurrentControlSet\\Services\\SupremoService.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#servicename #registry","registry","10","10","N/A","N/A","N/A","N/A","14722" "*\CurrentControlSet\Services\TeamViewer*",".{0,1000}\\CurrentControlSet\\Services\\TeamViewer.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#servicename #registry","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","14723" "*\CurrentControlSet\Services\VSAX*",".{0,1000}\\CurrentControlSet\\Services\\VSAX.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#servicename #registry","registry","10","10","N/A","N/A","N/A","N/A","14724" "*\CurrentControlSet\Services\Zoho Assist-Remote Support*",".{0,1000}\\CurrentControlSet\\Services\\Zoho\sAssist\-Remote\sSupport.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered 
Spider*","RMM","https://www.zoho.com/assist/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","14725" "*\CurrentVersion\App Paths\MEGAsync*",".{0,1000}\\CurrentVersion\\App\sPaths\\MEGAsync.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14726" "*\CurrentVersion\App Paths\RemotePCPerformance*",".{0,1000}\\CurrentVersion\\App\sPaths\\RemotePCPerformance.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14727" "*\CurrentVersion\Devices\Remote Utilities Printer*",".{0,1000}\\CurrentVersion\\Devices\\Remote\sUtilities\sPrinter.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14728" "*\CurrentVersion\Devices\RemotePC Printer*",".{0,1000}\\CurrentVersion\\Devices\\RemotePC\sPrinter.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14729" "*\CurrentVersion\Run\Bomgar Support 
Reconnect*",".{0,1000}\\CurrentVersion\\Run\\Bomgar\sSupport\sReconnect.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14730" "*\CurrentVersion\Run\DWAgentMon*",".{0,1000}\\CurrentVersion\\Run\\DWAgentMon.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotly control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","14731" "*\CurrentVersion\Run\Quasar Client Startup*",".{0,1000}\\CurrentVersion\\Run\\Quasar\sClient\sStartup.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","14732" "*\currentversion\uninstall\dameware remote everywhere*",".{0,1000}\\currentversion\\uninstall\\dameware\sremote\severywhere.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14734" "*\CurrentVersion\Uninstall\FreeFileSync_is1*",".{0,1000}\\CurrentVersion\\Uninstall\\FreeFileSync_is1.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","14735" "*\CurrentVersion\Uninstall\FreeFileSync_is1*",".{0,1000}\\CurrentVersion\\Uninstall\\FreeFileSync_is1.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","14736" "*\CurrentVersion\Uninstall\MEGAcmd\*",".{0,1000}\\CurrentVersion\\Uninstall\\MEGAcmd\\.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#registry","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","14737" "*\CurrentVersion\Uninstall\MEGAsync*",".{0,1000}\\CurrentVersion\\Uninstall\\MEGAsync.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","14738" "*\CurrentVersion\Uninstall\Representative Console [eval-*",".{0,1000}\\CurrentVersion\\Uninstall\\Representative\sConsole\s\[eval\-.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14739" "*\CurrentVersion\Uninstall\RustDesk*",".{0,1000}\\CurrentVersion\\Uninstall\\RustDesk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","14740" "*\CurrentVersion\Uninstall\stunnel*",".{0,1000}\\CurrentVersion\\Uninstall\\stunnel.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#registry","N/A","7","8","N/A","N/A","N/A","N/A","14741" "*\CurrentVersion\Uninstall\Ultravnc2_is1\*",".{0,1000}\\CurrentVersion\\Uninstall\\Ultravnc2_is1\\.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","14742" 
"*\CurrentVersion\Uninstall\winscp3_is1*",".{0,1000}\\CurrentVersion\\Uninstall\\winscp3_is1.{0,1000}","greyware_tool_keyword","WinSCP","SFTP connexion with winscp - legit tool abused by threat actors to exfiltrate data","T1105","TA0010","N/A","Akia - Unit 29155","Data Exfiltration","N/A","1","0","#registry","N/A","8","10","N/A","N/A","N/A","N/A","14743" "*\CyberGhost 6.lnk*",".{0,1000}\\CyberGhost\s6\.lnk.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14754" "*\CyberGhost 7.lnk*",".{0,1000}\\CyberGhost\s7\.lnk.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14755" "*\CyberGhost 8.lnk*",".{0,1000}\\CyberGhost\s8\.lnk.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14756" "*\CyberGhost.VPN.*.exe*",".{0,1000}\\CyberGhost\.VPN\..{0,1000}\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14757" "*\CyberGhost-WireGuard-1.conf*",".{0,1000}\\CyberGhost\-WireGuard\-1\.conf.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense 
Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14758" "*\DameWare Development\MrcVerbLog*",".{0,1000}\\DameWare\sDevelopment\\MrcVerbLog.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14769" "*\Dameware Mini Remote Control x64\*",".{0,1000}\\Dameware\sMini\sRemote\sControl\sx64\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14770" "*\dameware mini remote control x64\*",".{0,1000}\\dameware\smini\sremote\scontrol\sx64\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14771" "*\DameWare Mini Remote Control*.exe*",".{0,1000}\\DameWare\sMini\sRemote\sControl.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","14772" "*\Dameware Mini Remote Control.lnk*",".{0,1000}\\Dameware\sMini\sRemote\sControl\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14773" "*\dameware remote everywhere agent*",".{0,1000}\\dameware\sremote\severywhere\sagent.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14774" "*\dameware remote everywhere.lnk*",".{0,1000}\\dameware\sremote\severywhere\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14775" "*\Dameware Remote Support .lnk*",".{0,1000}\\Dameware\sRemote\sSupport\s\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","14776" "*\Dameware Remote Support\*",".{0,1000}\\Dameware\sRemote\sSupport\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","14777" "*\DameWare.Diagnostics*",".{0,1000}\\DameWare\.Diagnostics.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14778" "*\DameWare.LogAdjuster.exe*",".{0,1000}\\DameWare\.LogAdjuster\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14779" "*\DameWare.LogAdjuster.exe.config*",".{0,1000}\\DameWare\.LogAdjuster\.exe\.config.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14780" "*\damewareagent.exe",".{0,1000}\\damewareagent\.exe","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14781" "*\damewareagent.exe*",".{0,1000}\\damewareagent\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14782" "*\damewareremoteeverywhere\*",".{0,1000}\\damewareremoteeverywhere\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14783" 
"*\damewareremoteeverywhereagentinstaller.install.log*",".{0,1000}\\damewareremoteeverywhereagentinstaller\.install\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14784" "*\Dashboard.exe.config*",".{0,1000}\\Dashboard\.exe\.config.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","14803" "*\dataplicity.conf*",".{0,1000}\\dataplicity\.conf.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","14808" "*\dataplicity.log*",".{0,1000}\\dataplicity\.log.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","14809" "*\DCaaS_utils.ps1",".{0,1000}\\DCaaS_utils\.ps1","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","14813" "*\dctoolshardware.exe*",".{0,1000}\\dctoolshardware\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14831" "*\DefaultPasswordPolicy.csv*",".{0,1000}\\DefaultPasswordPolicy\.csv.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","14858" "*\default-yakit.db*",".{0,1000}\\default\-yakit\.db.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","14859" "*\devtunnel.dll*",".{0,1000}\\devtunnel\.dll.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","#originalfilename","N/A","8","10","N/A","N/A","N/A","N/A","14922" "*\DIRECTORY\BACKGROUND\SHELL\GOODSYNC*",".{0,1000}\\DIRECTORY\\BACKGROUND\\SHELL\\GOODSYNC.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","14942" "*\disable dameware remote everywhere agent.lnk*",".{0,1000}\\disable\sdameware\sremote\severywhere\sagent\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","14948" "*\DMRC-10-Evaluation.lic*",".{0,1000}\\DMRC\-10\-Evaluation\.lic.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","14989" "*\DNTU.exe*",".{0,1000}\\DNTU\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","15013" 
"*\Documents\ConnectWiseControl\Files*",".{0,1000}\\Documents\\ConnectWiseControl\\Files.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15017" "*\download\code-tunnel.exe*",".{0,1000}\\download\\code\-tunnel\.exe.{0,1000}","greyware_tool_keyword","vscode","the binary for the code-tunnels component is self-contained / portable and signed - seeing it in a different location than \Programs\Microsoft VS Code\bin\ is suspicious ","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15047" "*\Downloads\IObitUnlockerSetup*",".{0,1000}\\Downloads\\IObitUnlockerSetup.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","15057" "*\dre_mac_console.zip*",".{0,1000}\\dre_mac_console\.zip.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15065" "*\DriverDatabase\DeviceIds\NeoAdapter_VPN*",".{0,1000}\\DriverDatabase\\DeviceIds\\NeoAdapter_VPN.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 
- TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","15068" "*\drivers\x64\rupdui.dll*",".{0,1000}\\drivers\\x64\\rupdui\.dll.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15073" "*\DuckDNS.cfg*",".{0,1000}\\DuckDNS\.cfg.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","15091" "*\DuckDNS.csproj*",".{0,1000}\\DuckDNS\.csproj.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","15092" "*\DuckDNS.exe*",".{0,1000}\\DuckDNS\.exe.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","15093" "*\DuckDNS.lnk*",".{0,1000}\\DuckDNS\.lnk.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense 
Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","15094" "*\DuckDNS.sln*",".{0,1000}\\DuckDNS\.sln.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","15095" "*\DumpS1.ps1*",".{0,1000}\\DumpS1\.ps1.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","15119" "*\dwagent.exe*",".{0,1000}\\dwagent\.exe.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15130" "*\DWAgent.lnk*",".{0,1000}\\DWAgent\.lnk.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15131" "*\dwagent.log*",".{0,1000}\\dwagent\.log.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15132" 
"*\dwagent.pid*",".{0,1000}\\dwagent\.pid.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15133" "*\dwagent.start*",".{0,1000}\\dwagent\.start.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15134" "*\dwagent.stop*",".{0,1000}\\dwagent\.stop.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15135" "*\dwaggdi.dll*",".{0,1000}\\dwaggdi\.dll.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15136" "*\dwaginstall.log*",".{0,1000}\\dwaginstall\.log.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15137" 
"*\dwaglnc.exe*",".{0,1000}\\dwaglnc\.exe.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15138" "*\dwagsvc.exe*",".{0,1000}\\dwagsvc\.exe.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15139" "*\dwagupd.dll*",".{0,1000}\\dwagupd\.dll.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","15140" "*\DWAMTD.dll*",".{0,1000}\\DWAMTD\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15141" "*\DWAMTDRES.dll*",".{0,1000}\\DWAMTDRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15142" "*\DWMRC_St_64.msi*",".{0,1000}\\DWMRC_St_64\.msi.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini 
Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15143" "*\DWMSISET.W32*",".{0,1000}\\DWMSISET\.W32.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15144" "*\DWMSISET.X64*",".{0,1000}\\DWMSISET\.X64.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15145" "*\DWNativeWCFClient.dll*",".{0,1000}\\DWNativeWCFClient\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15146" "*\DWNativeWCFClientRES.dll*",".{0,1000}\\DWNativeWCFClientRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15147" "*\DWPing.dll*",".{0,1000}\\DWPing\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15148" "*\DWPINGRES.dll*",".{0,1000}\\DWPINGRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15149" "*\DWRCBA.dll*",".{0,1000}\\DWRCBA\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15150" "*\DWRCBN.dll*",".{0,1000}\\DWRCBN\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15151" "*\DWRCC.chm*",".{0,1000}\\DWRCC\.chm.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15152" "*\DWRCC.exe*",".{0,1000}\\DWRCC\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15153" 
"*\DWRCC.log*",".{0,1000}\\DWRCC\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15154" "*\DWRCC.log*",".{0,1000}\\DWRCC\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","15155" "*\DWRCC.Logging.xml*",".{0,1000}\\DWRCC\.Logging\.xml.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15156" "*\DWRCCH.dll*",".{0,1000}\\DWRCCH\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15157" "*\DWRCChat.dll*",".{0,1000}\\DWRCChat\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15158" "*\DWRCChatRES.dll*",".{0,1000}\\DWRCChatRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15159" "*\DWRCCMD.exe*",".{0,1000}\\DWRCCMD\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15160" "*\DWRCCRES.dll*",".{0,1000}\\DWRCCRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15161" "*\DWRCCSFTv2.data*",".{0,1000}\\DWRCCSFTv2\.data.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15162" "*\DWRCD.dll*",".{0,1000}\\DWRCD\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15163" "*\DWRCD.dll*",".{0,1000}\\DWRCD\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15164" 
"*\DWRCK.dll*",".{0,1000}\\DWRCK\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15165" "*\DWRCOP.dll*",".{0,1000}\\DWRCOP\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15166" "*\DWRCOPRES.dll*",".{0,1000}\\DWRCOPRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15167" "*\DWRCPN.dll*",".{0,1000}\\DWRCPN\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15168" "*\DWRCRSA.dll*",".{0,1000}\\DWRCRSA\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15169" "*\DWRCRSS.dll*",".{0,1000}\\DWRCRSS\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15170" "*\DWRCRSS.dll*",".{0,1000}\\DWRCRSS\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15171" "*\DWRCS.exe*",".{0,1000}\\DWRCS\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15172" "*\DWRCS.Logging.xml*",".{0,1000}\\DWRCS\.Logging\.xml.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15173" "*\DWRCS.reg*",".{0,1000}\\DWRCS\.reg.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","15174" "*\DWRCSET.dll*",".{0,1000}\\DWRCSET\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15175" 
"*\DWRCSETRES.dll*",".{0,1000}\\DWRCSETRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15176" "*\DWRCSh.dll*",".{0,1000}\\DWRCSh\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15177" "*\DWRCSHRegister.cmd*",".{0,1000}\\DWRCSHRegister\.cmd.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15178" "*\DWRCSI.dll*",".{0,1000}\\DWRCSI\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15179" "*\DWRCSI.dll*",".{0,1000}\\DWRCSI\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15180" "*\DWRCSIRES.dll*",".{0,1000}\\DWRCSIRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - 
TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15181" "*\DWRCSMSI.exe*",".{0,1000}\\DWRCSMSI\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15182" "*\DWRCSMSIRES.dll*",".{0,1000}\\DWRCSMSIRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15183" "*\DWRCSPC.exe*",".{0,1000}\\DWRCSPC\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15184" "*\DWRCSPCRES.dll*",".{0,1000}\\DWRCSPCRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15185" "*\DWRCSPX.exe*",".{0,1000}\\DWRCSPX\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote 
Control","10","10","N/A","N/A","N/A","N/A","15186" "*\DWRCSPXRES.dll*",".{0,1000}\\DWRCSPXRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15187" "*\DWRCSRES.dll*",".{0,1000}\\DWRCSRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15188" "*\DWRCST.exe*",".{0,1000}\\DWRCST\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15189" "*\DWRCST.Logging.xml*",".{0,1000}\\DWRCST\.Logging\.xml.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15190" "*\DWRCSTRES.dll*",".{0,1000}\\DWRCSTRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15191" "*\DWRCU3.dll*",".{0,1000}\\DWRCU3\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini 
Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15192" "*\DWRCWHD.Logging.xml*",".{0,1000}\\DWRCWHD\.Logging\.xml.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15193" "*\DWRCWHDAPI.dll*",".{0,1000}\\DWRCWHDAPI\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15194" "*\DWRCWHDUI.dll*",".{0,1000}\\DWRCWHDUI\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15195" "*\DWRCWHDUIRES.dll*",".{0,1000}\\DWRCWHDUIRES\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15196" "*\DWRCWol.dll*",".{0,1000}\\DWRCWol\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15197" "*\DWRCWXL.dll*",".{0,1000}\\DWRCWXL\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15198" "*\DWRTD.dll*",".{0,1000}\\DWRTD\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15199" "*\DWRTDE.exe*",".{0,1000}\\DWRTDE\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15200" "*\DWRTDR.dll*",".{0,1000}\\DWRTDR\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15201" "*\DWRTDR.dll*",".{0,1000}\\DWRTDR\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15202" 
"*\DWSGRWRP.dll*",".{0,1000}\\DWSGRWRP\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15203" "*\DWUtil.dll*",".{0,1000}\\DWUtil\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15204" "*\DWWFDS.dll*",".{0,1000}\\DWWFDS\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","15205" "*\eHorus Agent Menu.lnk*",".{0,1000}\\eHorus\sAgent\sMenu\.lnk.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15234" "*\eHorus Agent.lnk*",".{0,1000}\\eHorus\sAgent\.lnk.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15235" "*\ehorus standalone.exe*",".{0,1000}\\ehorus\sstandalone\.exe.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15236" "*\ehorus_agent.conf*",".{0,1000}\\ehorus_agent\.conf.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15237" "*\ehorus_agent.exe*",".{0,1000}\\ehorus_agent\.exe.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15238" "*\ehorus_agent.log*",".{0,1000}\\ehorus_agent\.log.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#logfile","N/A","10","10","N/A","N/A","N/A","N/A","15239" "*\ehorus_agent_disconn.log*",".{0,1000}\\ehorus_agent_disconn\.log.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#logfile","N/A","10","10","N/A","N/A","N/A","N/A","15240" "*\ehorus_cmd.exe*",".{0,1000}\\ehorus_cmd\.exe.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15241" "*\ehorus_display.exe*",".{0,1000}\\ehorus_display\.exe.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15242" "*\ehorus_installer_windows-*",".{0,1000}\\ehorus_installer_windows\-.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15243" "*\ehorus_launcher.exe*",".{0,1000}\\ehorus_launcher\.exe.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15244" "*\ehorus_uit.exe*",".{0,1000}\\ehorus_uit\.exe.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15245" "*\eHorusMsiCustomActions.dll*",".{0,1000}\\eHorusMsiCustomActions\.dll.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15246" "*\embedhook-x64.exe*",".{0,1000}\\embedhook\-x64\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15264" "*\embedhook-x86.exe*",".{0,1000}\\embedhook\-x86\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15265" "*\enable dameware remote everywhere agent.lnk*",".{0,1000}\\enable\sdameware\sremote\severywhere\sagent\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15269" "*\Eraser (x64).msi*",".{0,1000}\\Eraser\s\(x64\)\.msi.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15298" "*\Eraser (x86).msi*",".{0,1000}\\Eraser\s\(x86\)\.msi.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - 
T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15299" "*\Eraser 5.8.8.exe",".{0,1000}\\Eraser\s5\.8\.8\.exe","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15300" "*\Eraser 6.0.10.2620.exe*",".{0,1000}\\Eraser\s6\.0\.10\.2620\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15301" "*\Eraser 6.0.8.2273.exe*",".{0,1000}\\Eraser\s6\.0\.8\.2273\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15302" "*\Eraser 6.0.9.2343.exe*",".{0,1000}\\Eraser\s6\.0\.9\.2343\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15303" "*\Eraser 
6.2.0.2994.exe*",".{0,1000}\\Eraser\s6\.2\.0\.2994\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15304" "*\EraserSetup.exe*",".{0,1000}\\EraserSetup\.exe.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","15305" "*\eventlog\application\dameware *",".{0,1000}\\eventlog\\application\\dameware\s.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15326" "*\Fiddler Everywhere *.*.*.exe*",".{0,1000}\\Fiddler\sEverywhere\s.{0,1000}\..{0,1000}\..{0,1000}\.exe.{0,1000}","greyware_tool_keyword","fiddler","fiddler - capture https requests","T1056 - T1040 - T1557","TA0009 - TA0010","N/A","N/A","Collection","https://www.telerik.com/","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","15425" "*\file_shredder_setup.tmp*",".{0,1000}\\file_shredder_setup\.tmp.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is a FREE and powerful application to shred and permanently remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://www.fileshredder.org/","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","15431" "*\file_transfer_trace.txt*",".{0,1000}\\file_transfer_trace\.txt.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://upadhyayraj.medium.com/beyond-connection-logs-understanding-file-transfer-artifacts-in-anydesk-forensics-b5812c817aad","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","15432" "*\FileZilla_*_sponsored-setup.exe*",".{0,1000}\\FileZilla_.{0,1000}_sponsored\-setup\.exe.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","15442" "*\FILEZILLA_*_WIN64_SPONSO-*.pf*",".{0,1000}\\FILEZILLA_.{0,1000}_WIN64_SPONSO\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","8","9","N/A","N/A","N/A","N/A","15443" "*\FileZilla_*-setup.exe*",".{0,1000}\\FileZilla_.{0,1000}\-setup\.exe.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 
- TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","15444" "*\FileZilla_Server_*",".{0,1000}\\FileZilla_Server_.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","15445" "*\findspn.ps1*",".{0,1000}\\findspn\.ps1.{0,1000}","greyware_tool_keyword","Dispossessor","powershell script to find a spn - abused by Dispossessor ransomware group","T1087.002 - T1046 - T1557","TA0007","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15448" "*\FreeFileSync.exe*",".{0,1000}\\FreeFileSync\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15476" "*\FreeFileSync\Logs\*",".{0,1000}\\FreeFileSync\\Logs\\.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15477" 
"*\FreeFileSync_*_Windows_Setup.exe*",".{0,1000}\\FreeFileSync_.{0,1000}_Windows_Setup\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15478" "*\FreeFileSync_x64.exe*",".{0,1000}\\FreeFileSync_x64\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15479" "*\FreeFileSyncPortable_*.exe*",".{0,1000}\\FreeFileSyncPortable_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15480" "*\frp_0.*.*_darwin_amd64.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_darwin_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15482" "*\frp_0.*.*_darwin_arm64.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_darwin_arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15483" "*\frp_0.*.*_freebsd_amd64.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_freebsd_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15484" "*\frp_0.*.*_linux_amd64.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_amd64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15485" "*\frp_0.*.*_linux_arm.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_arm\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15486" "*\frp_0.*.*_linux_arm64.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15487" 
"*\frp_0.*.*_linux_mips.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_mips\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15488" "*\frp_0.*.*_linux_mips64.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_mips64\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15489" "*\frp_0.*.*_linux_mips64le.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_mips64le\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15490" "*\frp_0.*.*_linux_mipsle.tar.gz*",".{0,1000}\\frp_0\..{0,1000}\..{0,1000}_linux_mipsle\.tar\.gz.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15491" "*\frpc.exe*",".{0,1000}\\frpc\.exe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - 
TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","15493" "*\g2comm.exe*",".{0,1000}\\g2comm\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15520" "*\g2fileh.exe*",".{0,1000}\\g2fileh\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15521" "*\g2host.exe*",".{0,1000}\\g2host\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15522" "*\g2mainh.exe*",".{0,1000}\\g2mainh\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15523" "*\g2printh.exe*",".{0,1000}\\g2printh\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - 
T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15524" "*\g2svc.exe*",".{0,1000}\\g2svc\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15525" "*\genacl_proxy_gfw_bypass_china_ip.py",".{0,1000}\\genacl_proxy_gfw_bypass_china_ip\.py","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","15532" "*\Get-AVStatus.ps1*",".{0,1000}\\Get\-AVStatus\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","15553" "*\getsupportservice_common_dameware*",".{0,1000}\\getsupportservice_common_dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15608" "*\getsupportservice_dameware*",".{0,1000}\\getsupportservice_dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15609" "*\getsupportservice_dameware\*",".{0,1000}\\getsupportservice_dameware\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15610" "*\goLoader.exe*",".{0,1000}\\goLoader\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15671" "*\GoodSync-2*-*.log*",".{0,1000}\\GoodSync\-2.{0,1000}\-.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15675" "*\GOODSYNC2GO.EXE*",".{0,1000}\\GOODSYNC2GO\.EXE.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15676" 
"*\GOODSYNC2GO-V*.EXE*",".{0,1000}\\GOODSYNC2GO\-V.{0,1000}\.EXE.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15677" "*\GoodSync-vsub-Setup.exe*",".{0,1000}\\GoodSync\-vsub\-Setup\.exe.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15678" "*\Google\Chrome Remote Desktop\*",".{0,1000}\\Google\\Chrome\sRemote\sDesktop\\.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15679" "*\gosetup[1].exe*",".{0,1000}\\gosetup\[1\]\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15690" "*\gost.tar.gz*",".{0,1000}\\gost\.tar\.gz.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","15691" "*\gost-windows-386.exe*",".{0,1000}\\gost\-windows\-386\.exe.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a 
simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","15693" "*\gost-windows-amd64.exe*",".{0,1000}\\gost\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","15694" "*\GoTo Opener.exe*",".{0,1000}\\GoTo\sOpener\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15695" "*\GoTo\Logs\goto.log*",".{0,1000}\\GoTo\\Logs\\goto\.log.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15696" "*\gotomon.dll*",".{0,1000}\\gotomon\.dll.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15697" "*\gotomon_x64.dll*",".{0,1000}\\gotomon_x64\.dll.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web 
browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15698" "*\GoToMyPC.cab*",".{0,1000}\\GoToMyPC\.cab.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15699" "*\GoToMyPC\*\*\g2ldr.log*",".{0,1000}\\GoToMyPC\\.{0,1000}\\.{0,1000}\\g2ldr\.log.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15700" "*\gotomypc\g2pre.exe*",".{0,1000}\\gotomypc\\g2pre\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15701" "*\GoToMyPC\g2svc.exe*",".{0,1000}\\GoToMyPC\\g2svc\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15702" "*\gotomypc_3944.exe*",".{0,1000}\\gotomypc_3944\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote 
desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15703" "*\GoToMyPCCrashHandler.exe*",".{0,1000}\\GoToMyPCCrashHandler\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15704" "*\GoToOpener.log*",".{0,1000}\\GoToOpener\.log.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15705" "*\GoToOpener[1].msi*",".{0,1000}\\GoToOpener\[1\]\.msi.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15706" "*\gs-runner.exe*",".{0,1000}\\gs\-runner\.exe.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15743" "*\GS-SERVER.EXE*",".{0,1000}\\GS\-SERVER\.EXE.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and 
file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","15744" "*\gt-win-x86_64.exe*",".{0,1000}\\gt\-win\-x86_64\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","15747" "*\host-7.2.2.0.msi*",".{0,1000}\\host\-7\.2\.2\.0\.msi.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15815" "*\ICON_ID_GOTOMYPC*",".{0,1000}\\ICON_ID_GOTOMYPC.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15868" "*\InjectDLL.exe*",".{0,1000}\\InjectDLL\.exe.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","15917" 
"*\InternetIdService.exe*",".{0,1000}\\InternetIdService\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15930" "*\InternetIdService_*-*-*.txt",".{0,1000}\\InternetIdService_.{0,1000}\-.{0,1000}\-.{0,1000}\.txt","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15931" "*\InventoryApplicationFile\aeroadmin*",".{0,1000}\\InventoryApplicationFile\\aeroadmin.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15956" "*\InventoryApplicationFile\rpcattendedadmin*",".{0,1000}\\InventoryApplicationFile\\rpcattendedadmin.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15958" "*\InventoryApplicationFile\screenconnect.cl*",".{0,1000}\\InventoryApplicationFile\\screenconnect\.cl.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater 
","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15959" "*\InventoryApplicationFile\screenconnect.wi*",".{0,1000}\\InventoryApplicationFile\\screenconnect\.wi.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15960" "*\InventoryApplicationFile\tacticalagent-v2*",".{0,1000}\\InventoryApplicationFile\\tacticalagent\-v2.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","#registry","registry","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","15961" "*\InventoryApplicationFile\ultravnc_*",".{0,1000}\\InventoryApplicationFile\\ultravnc_.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","15962" "*\InventoryApplicationFile\zaservice.exe*",".{0,1000}\\InventoryApplicationFile\\zaservice\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","15963" 
"*\Invoke-Maldaptive-main*",".{0,1000}\\Invoke\-Maldaptive\-main.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","15976" "*\IObit Unlocker.lnk*",".{0,1000}\\IObit\sUnlocker\.lnk.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","15992" "*\IObitUnlocker.dll*",".{0,1000}\\IObitUnlocker\.dll.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","15993" "*\IObitUnlocker.exe*",".{0,1000}\\IObitUnlocker\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","15994" "*\IObitUnlocker.ini*",".{0,1000}\\IObitUnlocker\.ini.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","15995" "*\IObitUnlocker.log*",".{0,1000}\\IObitUnlocker\.log.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows 
systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","15996" "*\IObitUnlockerExtension.dll*",".{0,1000}\\IObitUnlockerExtension\.dll.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","15997" "*\ipscan-*-setup.exe*",".{0,1000}\\ipscan\-.{0,1000}\-setup\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","16005" "*\ipscan.exe*",".{0,1000}\\ipscan\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","16006" "*\ipscan221.exe*",".{0,1000}\\ipscan221\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","16007" "*\ipscan-crash.txt*",".{0,1000}\\ipscan\-crash\.txt.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - 
T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","16008" "*\ITarian Remote Access.lnk*",".{0,1000}\\ITarian\sRemote\sAccess\.lnk.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16013" "*\itarian\endpoint manager\itsmagent.exe*",".{0,1000}\\itarian\\endpoint\smanager\\itsmagent\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16014" "*\itarian\endpoint manager\itsmservice.exe*",".{0,1000}\\itarian\\endpoint\smanager\\itsmservice\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16015" "*\itarian\endpoint manager\rhost.exe*",".{0,1000}\\itarian\\endpoint\smanager\\rhost\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16016" "*\ITarian\RemoteControl*",".{0,1000}\\ITarian\\RemoteControl.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16017" "*\ITarian_Remote_Access_*.log*",".{0,1000}\\ITarian_Remote_Access_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16018" "*\ITarianRemoteAccess.exe*",".{0,1000}\\ITarianRemoteAccess\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16019" "*\jprq-windows-386.exe*",".{0,1000}\\jprq\-windows\-386\.exe.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","16035" "*\jprq-windows-amd64.exe*",".{0,1000}\\jprq\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","16036" "*\JWrapper-SimpleHelp Remote Work*",".{0,1000}\\JWrapper\-SimpleHelp\sRemote\sWork.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16052" "*\JWrapper-SimpleHelp Technician*",".{0,1000}\\JWrapper\-SimpleHelp\sTechnician.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16053" "*\JWrapper-SimpleHelp Technician\*",".{0,1000}\\JWrapper\-SimpleHelp\sTechnician\\.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16054" "*\Kaseya\PC Monitor\*",".{0,1000}\\Kaseya\\PC\sMonitor\\.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","16063" "*\keygen.exe*",".{0,1000}\\keygen\.exe.{0,1000}","greyware_tool_keyword","_","generic suspicious keyword keygen.exe observed in multiple cracked software often packed with 
malwares","T1204 - T1027 - T1059 - T1055 - T1060 - T1195","TA0005 - TA0002 - TA0011","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","16119" "*\killProcessPOC*",".{0,1000}\\killProcessPOC.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","16146" "*\ksjjhav.log*",".{0,1000}\\ksjjhav\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","16185" "*\lansearch.exe*",".{0,1000}\\lansearch\.exe.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","16199" "*\LansweeperService.exe*",".{0,1000}\\LansweeperService\.exe.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets 
- gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","16200" "*\LansweeperSetup_*.exe*",".{0,1000}\\LansweeperSetup_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","16201" "*\level.exe*--check-service*",".{0,1000}\\level\.exe.{0,1000}\-\-check\-service.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16231" "*\level-remote-control-ffmpeg.exe.download*",".{0,1000}\\level\-remote\-control\-ffmpeg\.exe\.download.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16232" "*\level-windows-amd64.exe*",".{0,1000}\\level\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16233" "*\level-windows-arm64.exe*",".{0,1000}\\level\-windows\-arm64\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16234" "*\librustdesk.dll*",".{0,1000}\\librustdesk\.dll.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","16238" "*\Licenses\OpenVPN.txt*",".{0,1000}\\Licenses\\OpenVPN\.txt.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","16240" "*\linuxconsole_dw (1).zip*",".{0,1000}\\linuxconsole_dw\s\(1\)\.zip.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16253" "*\list-recycle-bin.ps1*",".{0,1000}\\list\-recycle\-bin\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation 
tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","16287" "*\LMI_Rescue.exe*",".{0,1000}\\LMI_Rescue\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16290" "*\lmi_rescue_srv.exe*",".{0,1000}\\lmi_rescue_srv\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16291" "*\LMIGuardianEvt.dll*",".{0,1000}\\LMIGuardianEvt\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16292" "*\LMIR*.tmp\rarcc.dll*",".{0,1000}\\LMIR.{0,1000}\.tmp\\rarcc\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - 
Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16293" "*\LMIRescue-*.clog*",".{0,1000}\\LMIRescue\-.{0,1000}\.clog.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16294" "*\LMIRescue-*.connlog*",".{0,1000}\\LMIRescue\-.{0,1000}\.connlog.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16295" "*\LMIRescueCOL.log*",".{0,1000}\\LMIRescueCOL\.log.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16296" "*\LMIRescueMqttMessages_*.dat*",".{0,1000}\\LMIRescueMqttMessages_.{0,1000}\.dat.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - 
Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16297" "*\LMIRescueUpdater.log*",".{0,1000}\\LMIRescueUpdater\.log.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16298" "*\LMIRhook.000.dll*",".{0,1000}\\LMIRhook\.000\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16299" "*\lmirtechconsole.exe*",".{0,1000}\\lmirtechconsole\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16300" "*\LMIRTechConsole.exe*",".{0,1000}\\LMIRTechConsole\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16301" 
"*\LMITrs-*.trs*",".{0,1000}\\LMITrs\-.{0,1000}\.trs.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16302" "*\Local\Temp\Advanced IP Scanner 2\*",".{0,1000}\\Local\\Temp\\Advanced\sIP\sScanner\s2\\.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","16320" "*\Local\Temp\LogMeInLogs\GoToOpenerMsi\*",".{0,1000}\\Local\\Temp\\LogMeInLogs\\GoToOpenerMsi\\.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16322" "*\loclx.exe*",".{0,1000}\\loclx\.exe.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 
- T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","16348" "*\loclx-windows-amd64.zip*",".{0,1000}\\loclx\-windows\-amd64\.zip.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","16349" "*\log\FileTransferWindowAppLog.log*",".{0,1000}\\log\\FileTransferWindowAppLog\.log.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16350" "*\LogMeIn Rescue Applet\LMIR*",".{0,1000}\\LogMeIn\sRescue\sApplet\\LMIR.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16352" "*\LogMeIn Rescue Applet\LMIR*",".{0,1000}\\LogMeIn\sRescue\sApplet\\LMIR.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16353" "*\LogMeIn Rescue AVI 
Codec\*",".{0,1000}\\LogMeIn\sRescue\sAVI\sCodec\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16354" "*\logmein rescue technician console\*",".{0,1000}\\logmein\srescue\stechnician\sconsole\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16355" "*\LogMeIn\Dumps\*",".{0,1000}\\LogMeIn\\Dumps\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16356" "*\LogMeInLogs\GoToOpenerMsi*",".{0,1000}\\LogMeInLogs\\GoToOpenerMsi.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16357" "*\LogMeInRescue_ipc*",".{0,1000}\\LogMeInRescue_ipc.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support 
software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","pipename","10","10","N/A","N/A","N/A","N/A","16358" "*\LogMeInRescue_rarc_r_*",".{0,1000}\\LogMeInRescue_rarc_r_.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","pipename","10","10","N/A","N/A","N/A","N/A","16359" "*\LogMeInRescue_rarc_w_*",".{0,1000}\\LogMeInRescue_rarc_w_.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","pipename","10","10","N/A","N/A","N/A","N/A","16360" "*\LogMeInRescueTechnicianConsole_x64*",".{0,1000}\\LogMeInRescueTechnicianConsole_x64.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16361" "*\logs\baseclient_*.log*",".{0,1000}\\logs\\baseclient_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - 
TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16366" "*\logs\baseconsoleapp_*.log*",".{0,1000}\\logs\\baseconsoleapp_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16367" "*\logs\basupclphlp_*.log*",".{0,1000}\\logs\\basupclphlp_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16368" "*\Logs\DNTU.log*",".{0,1000}\\Logs\\DNTU\.log.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","16369" "*\logs\RCService.txt*",".{0,1000}\\logs\\RCService\.txt.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16370" "*\Logs\rut_log_*.html*",".{0,1000}\\Logs\\rut_log_.{0,1000}\.html.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16371" 
"*\lsass.dmp*",".{0,1000}\\lsass\.dmp.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16401" "*\lsa-whisperer-*",".{0,1000}\\lsa\-whisperer\-.{0,1000}","greyware_tool_keyword","lsa-whisperer","Tools for interacting with authentication packages using their individual message protocols","T1556.002 - T1003.001","TA0006 - TA0005","N/A","N/A","Credential Access","https://github.com/EvanMcBroom/lsa-whisperer","1","0","N/A","N/A","6","4","316","29","2025-04-01T13:54:17Z","2022-08-04T14:35:45Z","16415" "*\LTProxy-main*","\\LTProxy\-main","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","16417" "*\MEGA Website.lnk*",".{0,1000}\\MEGA\sWebsite\.lnk.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16456" "*\MEGA Website.url*",".{0,1000}\\MEGA\sWebsite\.url.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered 
Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16457" "*\mega-attr.bat*",".{0,1000}\\mega\-attr\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16458" "*\mega-backup.bat*",".{0,1000}\\mega\-backup\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16459" "*\mega-cancel.bat*",".{0,1000}\\mega\-cancel\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16460" "*\mega-cat.bat*",".{0,1000}\\mega\-cat\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line 
Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16461" "*\mega-cd.bat*",".{0,1000}\\mega\-cd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16462" "*\MEGAclient.exe*",".{0,1000}\\MEGAclient\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16463" "*\megaclient_statecache*.db*",".{0,1000}\\megaclient_statecache.{0,1000}\.db.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16464" "*\megaclient_syncconfig_*",".{0,1000}\\megaclient_syncconfig_.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16465" "*\MEGAcmd.exe*",".{0,1000}\\MEGAcmd\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16466" "*\MEGAcmd.lnk*",".{0,1000}\\MEGAcmd\.lnk.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16467" "*\megacmdpipe_*",".{0,1000}\\megacmdpipe_.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - 
BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#namedpipe","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16468" "*\MEGAcmdServer.exe*",".{0,1000}\\MEGAcmdServer\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16469" "*\MEGAcmdSetup.exe*",".{0,1000}\\MEGAcmdSetup\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16470" "*\MEGAcmdSetup32.exe*",".{0,1000}\\MEGAcmdSetup32\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16471" 
"*\MEGAcmdSetup64.exe*",".{0,1000}\\MEGAcmdSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16472" "*\MEGAcmdSetup64.exe*",".{0,1000}\\MEGAcmdSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16473" "*\MEGAcmdShell.exe*",".{0,1000}\\MEGAcmdShell\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16474" "*\MEGAcmdUpdater.exe*",".{0,1000}\\MEGAcmdUpdater\.exe.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - 
LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16475" "*\mega-confirm.bat*",".{0,1000}\\mega\-confirm\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16476" "*\mega-confirmcancel.bat*",".{0,1000}\\mega\-confirmcancel\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16477" "*\mega-cp.bat*",".{0,1000}\\mega\-cp\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16478" 
"*\mega-debug.bat*",".{0,1000}\\mega\-debug\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16479" "*\mega-deleteversions.bat*",".{0,1000}\\mega\-deleteversions\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16480" "*\mega-df.bat*",".{0,1000}\\mega\-df\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16481" "*\mega-du.bat*",".{0,1000}\\mega\-du\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - 
BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16482" "*\mega-errorcode.bat*",".{0,1000}\\mega\-errorcode\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16483" "*\mega-exclude.bat*",".{0,1000}\\mega\-exclude\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16484" "*\mega-export.bat*",".{0,1000}\\mega\-export\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16485" 
"*\mega-find.bat*",".{0,1000}\\mega\-find\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16486" "*\mega-ftp.bat*",".{0,1000}\\mega\-ftp\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16487" "*\mega-get.bat*",".{0,1000}\\mega\-get\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16488" "*\mega-graphics.bat*",".{0,1000}\\mega\-graphics\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - 
Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16489" "*\mega-help.bat*",".{0,1000}\\mega\-help\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16490" "*\mega-https.bat*",".{0,1000}\\mega\-https\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16491" "*\mega-import.bat*",".{0,1000}\\mega\-import\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16492" "*\mega-invite.bat*",".{0,1000}\\mega\-invite\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line 
Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16493" "*\mega-ipc.bat*",".{0,1000}\\mega\-ipc\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16494" "*\mega-killsession.bat*",".{0,1000}\\mega\-killsession\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16495" "*\mega-lcd.bat*",".{0,1000}\\mega\-lcd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16496" "*\megalimited-megasync_*",".{0,1000}\\megalimited\-megasync_.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16497" "*\mega-log.bat*",".{0,1000}\\mega\-log\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16498" "*\mega-login.bat*",".{0,1000}\\mega\-login\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16499" "*\mega-logout.bat*",".{0,1000}\\mega\-logout\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - 
Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16500" "*\mega-lpwd.bat*",".{0,1000}\\mega\-lpwd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16501" "*\mega-lpwd.bat*",".{0,1000}\\mega\-lpwd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16502" "*\mega-ls.bat*",".{0,1000}\\mega\-ls\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16503" 
"*\mega-mediainfo.bat*",".{0,1000}\\mega\-mediainfo\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16504" "*\mega-mkdir.bat*",".{0,1000}\\mega\-mkdir\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16505" "*\mega-mount.bat*",".{0,1000}\\mega\-mount\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16506" "*\mega-mv.bat*",".{0,1000}\\mega\-mv\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - 
Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16507" "*\mega-passwd.bat*",".{0,1000}\\mega\-passwd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16508" "*\mega-preview.bat*",".{0,1000}\\mega\-preview\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16509" "*\MEGAprivacyMEGAsync*",".{0,1000}\\MEGAprivacyMEGAsync.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","named pipe","10","10","N/A","N/A","N/A","N/A","16510" "*\mega-proxy.bat*",".{0,1000}\\mega\-proxy\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting 
service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16511" "*\mega-put.bat*",".{0,1000}\\mega\-put\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16512" "*\mega-pwd.bat*",".{0,1000}\\mega\-pwd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16513" "*\mega-pwd.bat*",".{0,1000}\\mega\-pwd\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16514" "*\mega-quit.bat*",".{0,1000}\\mega\-quit\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16515" "*\mega-reload.bat*",".{0,1000}\\mega\-reload\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16516" "*\mega-rm.bat*",".{0,1000}\\mega\-rm\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16517" "*\mega-session.bat*",".{0,1000}\\mega\-session\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused 
by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16518" "*\mega-share.bat*",".{0,1000}\\mega\-share\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16519" "*\mega-showpcr.bat*",".{0,1000}\\mega\-showpcr\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16520" "*\mega-signup.bat*",".{0,1000}\\mega\-signup\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16521" "*\mega-speedlimit.bat*",".{0,1000}\\mega\-speedlimit\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16522" "*\mega-sync.bat*",".{0,1000}\\mega\-sync\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16523" "*\MEGAsync.cfg*",".{0,1000}\\MEGAsync\.cfg.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16524" "*\megasync.exe*",".{0,1000}\\megasync\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - 
BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16525" "*\MEGAsync.lnk*",".{0,1000}\\MEGAsync\.lnk.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16526" "*\megasync.lock*",".{0,1000}\\megasync\.lock.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16527" "*\MEGAsync.log*",".{0,1000}\\MEGAsync\.log.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16528" "*\megasync.version*",".{0,1000}\\megasync\.version.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16529" "*\MEGAsyncSetup32.exe*",".{0,1000}\\MEGAsyncSetup32\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16530" "*\MEGAsyncSetup64.exe*",".{0,1000}\\MEGAsyncSetup64\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16531" "*\mega-thumbnail.bat*",".{0,1000}\\mega\-thumbnail\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16532" "*\megatools-*-win64\*",".{0,1000}\\megatools\-.{0,1000}\-win64\\.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. 
Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","","N/A","","","","16533" "*\megatools.exe*",".{0,1000}\\megatools\.exe.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","","N/A","","","","16534" "*\mega-transfers.bat*",".{0,1000}\\mega\-transfers\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16535" "*\mega-tree.bat*",".{0,1000}\\mega\-tree\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16536" "*\MEGAupdater.exe*",".{0,1000}\\MEGAupdater\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16537" "*\mega-userattr.bat*",".{0,1000}\\mega\-userattr\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16538" "*\mega-users.bat*",".{0,1000}\\mega\-users\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16539" "*\mega-version.bat*",".{0,1000}\\mega\-version\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - 
Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16540" "*\mega-webdav.bat*",".{0,1000}\\mega\-webdav\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16541" "*\mega-whoami.bat*",".{0,1000}\\mega\-whoami\.bat.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","16542" "*\meshagent.db*",".{0,1000}\\meshagent\.db.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","16550" "*\MeshAgent.sln*",".{0,1000}\\MeshAgent\.sln.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","16551" "*\MeshAgentKvm.log*",".{0,1000}\\MeshAgentKvm\.log.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","16552" "*\MeshAgent-master*",".{0,1000}\\MeshAgent\-master.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","16553" "*\meshcentral.db*",".{0,1000}\\meshcentral\.db.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16554" "*\meshcentral.js*",".{0,1000}\\meshcentral\.js.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16555" "*\MeshCentral.sln*",".{0,1000}\\MeshCentral\.sln.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16556" "*\MeshCentral\*",".{0,1000}\\MeshCentral\\.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16557" "*\MeshCmd.exe*",".{0,1000}\\MeshCmd\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16558" "*\meshcmd.js*",".{0,1000}\\meshcmd\.js.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16559" "*\meshcommander.dmp*",".{0,1000}\\meshcommander\.dmp.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16560" "*\MeshMessenger.exe*",".{0,1000}\\MeshMessenger\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","16561" "*\MeshService.rc*",".{0,1000}\\MeshService\.rc.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","16562" "*\Microsoft Azure Storage Explorer.zip*",".{0,1000}\\Microsoft\sAzure\sStorage\sExplorer\.zip.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16574" "*\Microsoft.RemoteAssistance.QuickAssist\*",".{0,1000}\\Microsoft\.RemoteAssistance\.QuickAssist\\.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","16575" "*\microsoft.remoteassistance.quickassist\*",".{0,1000}\\microsoft\.remoteassistance\.quickassist\\.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","16576" 
"*\Microsoft\Windows\CurrentVersion\Run\Eraser*",".{0,1000}\\Microsoft\\Windows\\CurrentVersion\\Run\\Eraser.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#registry","N/A","7","10","N/A","N/A","N/A","N/A","16577" "*\Microsoft\Windows\Start Menu\Programs\eHorus Agent\*",".{0,1000}\\Microsoft\\Windows\\Start\sMenu\\Programs\\eHorus\sAgent\\.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16578" "*\Microsoft\Windows\Start Menu\Programs\Eraser\Eraser.lnk*",".{0,1000}\\Microsoft\\Windows\\Start\sMenu\\Programs\\Eraser\\Eraser\.lnk.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","16579" "*\Mini Remote Control Client Agent MSI Builder.lnk*",".{0,1000}\\Mini\sRemote\sControl\sClient\sAgent\sMSI\sBuilder\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16621" "*\Mini Remote Control Diagnostics.lnk*",".{0,1000}\\Mini\sRemote\sControl\sDiagnostics\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16622" "*\Mini Remote Control Help.lnk*",".{0,1000}\\Mini\sRemote\sControl\sHelp\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16623" "*\Mini Remote Control Log Adjuster.lnk*",".{0,1000}\\Mini\sRemote\sControl\sLog\sAdjuster\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16624" "*\Mini Remote Control Service*",".{0,1000}\\Mini\sRemote\sControl\sService.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16625" "*\Mini Remote Control Service\Settings\SFT: Upload Folder*",".{0,1000}\\Mini\sRemote\sControl\sService\\Settings\\SFT\:\sUpload\sFolder.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote 
Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16626" "*\Mini Remote Control.lnk*",".{0,1000}\\Mini\sRemote\sControl\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16627" "*\mlnhcpkomdeavomsjalt*",".{0,1000}\\mlnhcpkomdeavomsjalt.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","named pipe https://github.com/mthcht/awesome-lists/blob/9080701200e4f9f2e523bee7cde7b335121b1cb2/Lists/suspicious_named_pipe_list.csv#L2","10","10","N/A","N/A","N/A","N/A","16643" "*\MMSOFT Design\PC Monitor*",".{0,1000}\\MMSOFT\sDesign\\PC\sMonitor.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","16645" "*\MMSOFT Design\Pulseway\*",".{0,1000}\\MMSOFT\sDesign\\Pulseway\\.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","16646" "*\MRC_12.0_Bootstrap_Install_Log.txt*",".{0,1000}\\MRC_12\.0_Bootstrap_Install_Log\.txt.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16665" "*\MRCCv2.db*",".{0,1000}\\MRCCv2\.db.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","16666" "*\mspacredentialprovider_*_dameware.dll*",".{0,1000}\\mspacredentialprovider_.{0,1000}_dameware\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16692" "*\msparegedithelper_*",".{0,1000}\\msparegedithelper_.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16693" "*\mspxtshlpsrv_*",".{0,1000}\\mspxtshlpsrv_.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16694" 
"*\mspxwebcom.dll*",".{0,1000}\\mspxwebcom\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16695" "*\multiplicar negocios\beanywhere support express*",".{0,1000}\\multiplicar\snegocios\\beanywhere\ssupport\sexpress.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16709" "*\MWDiagnosticCollector.exe*",".{0,1000}\\MWDiagnosticCollector\.exe.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16714" "*\MWDiagnosticCollectorResult_*.zip*",".{0,1000}\\MWDiagnosticCollectorResult_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16715" "*\mzcv.exe*",".{0,1000}\\mzcv\.exe.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","16717" 
"*\mzcv-x64.zip*",".{0,1000}\\mzcv\-x64\.zip.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","16718" "*\nc.exe -Ldp * -e cmd.exe*",".{0,1000}\\nc\.exe\s\-Ldp\s.{0,1000}\s\-e\scmd\.exe.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16742" "*\nc.exe*",".{0,1000}\\nc\.exe.{0,1000}","greyware_tool_keyword","netcat","ncat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://nmap.org/ncat/","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","16743" "*\nc64.exe -i *",".{0,1000}\\nc64\.exe\s\-i\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16745" "*\nc64.exe -i*",".{0,1000}\\nc64\.exe\s\-i.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16746" "*\nc64.exe -lvp 
*",".{0,1000}\\nc64\.exe\s\-lvp\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16747" "*\nc64.exe -zv *",".{0,1000}\\nc64\.exe\s\-zv\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16748" "*\nc64.exe"" -i *",".{0,1000}\\nc64\.exe\""\s\-i\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16749" "*\nc64.exe"" -lvp *",".{0,1000}\\nc64\.exe\""\s\-lvp\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16750" "*\nc64.exe"" -zv *",".{0,1000}\\nc64\.exe\""\s\-zv\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16751" "*\ncat* -e cmd.exe --keep-open*",".{0,1000}\\ncat.{0,1000}\s\-e\scmd\.exe\s\-\-keep\-open.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - 
used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16752" "*\net.exe"" accounts*",".{0,1000}\\net\.exe\""\saccounts.{0,1000}","greyware_tool_keyword","net","Enumerate local accounts","T1087.001 - T1003","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","discovery","https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","16759" "*\net.exe* localgroup admin*",".{0,1000}\\net\.exe.{0,1000}\slocalgroup\sadmin.{0,1000}","greyware_tool_keyword","net","showing users in a privileged group. 
","T1069 - T1003","TA0007 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","16760" "*\net.exe* sessions*",".{0,1000}\\net\.exe.{0,1000}\ssessions.{0,1000}","greyware_tool_keyword","net","List active SMB session","T1135 - T1047","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","16761" "*\net.exe* view */domain*",".{0,1000}\\net\.exe.{0,1000}\sview\s.{0,1000}\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","16762" "*\net1 sessions*",".{0,1000}\\net1\ssessions.{0,1000}","greyware_tool_keyword","net","List active SMB session","T1135 - T1047","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - 
Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","16785" "*\netcat-win32-*.zip*",".{0,1000}\\netcat\-win32\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","netcat","ncat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://nmap.org/ncat/","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","16788" "*\netscan.dbm-journal*",".{0,1000}\\netscan\.dbm\-journal.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16809" "*\netscan.exe*",".{0,1000}\\netscan\.exe.{0,1000}","greyware_tool_keyword","netscan","SoftPerfect Network Scanner abused by threat actor","T1040 - T1046 - T1018","TA0007 - TA0010 - TA0001","N/A","BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - AvosLocker - FiveHands - Yanluowang - MONTI - DarkSide - Everest - Cicada3301 - MedusaLocker - DragonForce - Phobos - 
Lynx","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","network exploitation tool","6","10","N/A","N/A","N/A","N/A","16810" "*\netscan.exe*",".{0,1000}\\netscan\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16811" "*\netscan.lic*",".{0,1000}\\netscan\.lic.{0,1000}","greyware_tool_keyword","netscan","SoftPerfect Network Scanner abused by threat actor","T1040 - T1046 - T1018","TA0007 - TA0010 - TA0001","N/A","BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - AvosLocker - FiveHands - Yanluowang - MONTI - DarkSide - Everest - Cicada3301 - MedusaLocker - DragonForce - Phobos - Lynx","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","network exploitation tool","6","10","N/A","N/A","N/A","N/A","16812" "*\netscan.xml*",".{0,1000}\\netscan\.xml.{0,1000}","greyware_tool_keyword","netscan","SoftPerfect Network Scanner abused by threat actor","T1040 - T1046 - T1018","TA0007 - TA0010 - TA0001","N/A","BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - AvosLocker - FiveHands - Yanluowang - MONTI - DarkSide - Everest - Cicada3301 - MedusaLocker - DragonForce - Phobos - 
Lynx","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","network exploitation tool","6","10","N/A","N/A","N/A","N/A","16813" "*\netscan_linux.tar.gz*",".{0,1000}\\netscan_linux\.tar\.gz.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16814" "*\netscan_portable.zip*",".{0,1000}\\netscan_portable\.zip.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16815" "*\netscan_portable\*",".{0,1000}\\netscan_portable\\.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - 
BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16816" "*\netscan_setup.exe*",".{0,1000}\\netscan_setup\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16817" "*\netscan_setup.tmp*",".{0,1000}\\netscan_setup\.tmp.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16818" "*\netscan64.exe*",".{0,1000}\\netscan64\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 
","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","16819" "*\netsh.exe"" wlan show profiles*",".{0,1000}netsh\.exe\swlan\sshow\sprofiles\skey\=clear.{0,1000}","greyware_tool_keyword","netsh","display saved Wi-Fi profiles on a Windows system","T1003 - T1552.001","TA0006 - TA0009","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Credential Access","N/A","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","16822" "*\NETSUP~1\PCIShellExt64.dll*",".{0,1000}\\NETSUP\~1\\PCIShellExt64\.dll.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16830" "*\NetSupport Ltd\Client32*",".{0,1000}\\NetSupport\sLtd\\Client32.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","16831" "*\NetSupport Ltd\PCICTL*",".{0,1000}\\NetSupport\sLtd\\PCICTL.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been 
abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","16832" "*\netsupport manager\*",".{0,1000}\\netsupport\smanager\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16833" "*\NetSupport School Console*",".{0,1000}\\NetSupport\sSchool\sConsole.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16834" "*\NetSupport School\*",".{0,1000}\\NetSupport\sSchool\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16835" "*\NetSupport School\NetSupport*",".{0,1000}\\NetSupport\sSchool\\NetSupport.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also 
been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16836" "*\ngrok.exe*",".{0,1000}\\ngrok\.exe.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","16845" "*\ngrok.go*",".{0,1000}\\ngrok\.go.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","16846" "*\ngrok.log*",".{0,1000}\\ngrok\.log.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","16847" "*\ngrok\config.yml*",".{0,1000}\\ngrok\\config\.yml.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 
usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","16848" "*\ngrok\ng.psm1*",".{0,1000}\\ngrok\\ng\.psm1.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","16849" "*\ngrokd.go*",".{0,1000}\\ngrokd\.go.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","16850" "*\NimScan.exe*",".{0,1000}\\NimScan\.exe.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","16871" "*\NimScan.nim*",".{0,1000}\\NimScan\.nim.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support 
only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","16872" "*\nircmd.exe*",".{0,1000}\\nircmd\.exe.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16874" "*\nircmd.zip*",".{0,1000}\\nircmd\.zip.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16875" "*\nircmdc.exe*",".{0,1000}\\nircmdc\.exe.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16876" "*\nircmd-x64.zip*",".{0,1000}\\nircmd\-x64\.zip.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16877" "*\nmap.exe*/24*",".{0,1000}\\nmap\.exe.{0,1000}\/24.{0,1000}","greyware_tool_keyword","nmap","When Nmap is used on Windows systems. it can perform various types of scans such as TCP SYN scans. UDP scans. 
and service/version detection. These scans enable the identification of open ports. services running on those ports. and potential vulnerabilities in target systems.","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","N/A","1","0","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","16887" "*\node_modules\meshcentral*",".{0,1000}\\node_modules\\meshcentral.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","16935" "*\novaPDF11OEM(x64).msi*",".{0,1000}\\novaPDF11OEM\(x64\)\.msi.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16963" "*\nspowershell.exe*",".{0,1000}\\nspowershell\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16977" "*\nssadmui.exe*",".{0,1000}\\nssadmui\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management 
but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","16978" "*\Obfuscated_Command.txt*",".{0,1000}\\Obfuscated_Command\.txt.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","17021" "*\OfflineSamTool.exe*",".{0,1000}\\OfflineSamTool\.exe.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17037" "*\OfflineSamTool.h*",".{0,1000}\\OfflineSamTool\.h.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17038" "*\Open Source\MeshCentral\*",".{0,1000}\\Open\sSource\\MeshCentral\\.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","17044" 
"*\OpenSSHTestTasks\*",".{0,1000}\\OpenSSHTestTasks\\.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","N/A","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","17047" "*\openvpn.exe*",".{0,1000}\\openvpn\.exe.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","17048" "*\options.vnc*",".{0,1000}\\options\.vnc.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","17052" "*\oset.exe*",".{0,1000}\\oset\.exe.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17059" "*\oset.zip*",".{0,1000}\\oset\.zip.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17060" "*\OutlookEmails.log*",".{0,1000}\\OutlookEmails\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp 
shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","17066" "*\PAExec.cpp*",".{0,1000}\\PAExec\.cpp.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17082" "*\PAExec.exe*",".{0,1000}\\PAExec\.exe.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17083" "*\PAEXEC.EXE-*.pf*",".{0,1000}\\PAEXEC\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17084" "*\PAExec.log*",".{0,1000}\\PAExec\.log.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of 
SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17085" "*\paexec.obj*",".{0,1000}\\paexec\.obj.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17086" "*\paexec.pdb*",".{0,1000}\\paexec\.pdb.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17087" "*\PAExec.sln*",".{0,1000}\\PAExec\.sln.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17088" "*\PAExec\*.exe*",".{0,1000}\\PAExec\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17089" 
"*\paexec_eula.txt*",".{0,1000}\\paexec_eula\.txt.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17090" "*\PAExec_Move*",".{0,1000}\\PAExec_Move.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17091" "*\pagekite.cfg*",".{0,1000}\\pagekite\.cfg.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","17092" "*\pagekite.py*",".{0,1000}\\pagekite\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","17093" "*\pagekite-gtk.py*",".{0,1000}\\pagekite\-gtk\.py.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","17094" 
"*\PAYMENT.hta*",".{0,1000}\\PAYMENT\.hta.{0,1000}","greyware_tool_keyword","_","suspicious file name - has been used by threat actors","T1566","TA0001","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17152" "*\PAYMENT.hta*",".{0,1000}\\PAYMENT\.hta.{0,1000}","greyware_tool_keyword","_","suspicious file name - has been used by threat actors","T1566","TA0001","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17153" "*\PAYMENTS.exe*",".{0,1000}\\PAYMENTS\.exe.{0,1000}","greyware_tool_keyword","_","suspicious file name - has been used by threat actors","T1566","TA0001","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17154" "*\PC Monitor\Addons*",".{0,1000}\\PC\sMonitor\\Addons.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17155" "*\PCHunter.exe*",".{0,1000}\\PCHunter\.exe.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","17156" "*\PCHunter_free.zip*",".{0,1000}\\PCHunter_free\.zip.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","17157" "*\PCHunter32.pdb*",".{0,1000}\\PCHunter32\.pdb.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","17158" "*\PCHunter64ar.sys*",".{0,1000}\\PCHunter64ar\.sys.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","17159" "*\pcicfgui_client.exe*",".{0,1000}\\pcicfgui_client\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17160" "*\pciconn.exe*",".{0,1000}\\pciconn\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17161" "*\PCICTL\ConfigList\Standard\UI\*",".{0,1000}\\PCICTL\\ConfigList\\Standard\\UI\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","17162" "*\pcictlui.exe*",".{0,1000}\\pcictlui\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be 
used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17163" "*\PCIDEPLY.exe*",".{0,1000}\\PCIDEPLY\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17164" "*\PCINSSCD.exe*",".{0,1000}\\PCINSSCD\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17165" "*\PCINSSUI.exe*",".{0,1000}\\PCINSSUI\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17166" "*\PCISCRUI.exe*",".{0,1000}\\PCISCRUI\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote 
system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17167" "*\PCIShellExt64.dll*",".{0,1000}\\PCIShellExt64\.dll.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17168" "*\PCMonitorManager.exe*",".{0,1000}\\PCMonitorManager\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17169" "*\PCMonitorSrv.exe*",".{0,1000}\\PCMonitorSrv\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17170" "*\PCMonitorTypes.dll*",".{0,1000}\\PCMonitorTypes\.dll.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - 
Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17171" "*\pcmontask.exe*",".{0,1000}\\pcmontask\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17172" "*\pcmrdp-client.dll*",".{0,1000}\\pcmrdp\-client\.dll.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17173" "*\pcmupdate.exe*",".{0,1000}\\pcmupdate\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17174" "*\pcmupdate.exe*",".{0,1000}\\pcmupdate\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17175" 
"*\pcmupdate.exe.config*",".{0,1000}\\pcmupdate\.exe\.config.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17176" "*\pcunlocker.iso*",".{0,1000}\\pcunlocker\.iso.{0,1000}","greyware_tool_keyword","pcunlocker","Reset and unlock forgotten Windows login password","T1078","TA0005 - TA0006 - TA0009","N/A","N/A","Credential Access","https://www.pcunlocker.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17177" "*\pcunlocker_trial.zip*",".{0,1000}\\pcunlocker_trial\.zip.{0,1000}","greyware_tool_keyword","pcunlocker","Reset and unlock forgotten Windows login password","T1078","TA0005 - TA0006 - TA0009","N/A","N/A","Credential Access","https://www.pcunlocker.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17178" "*\pgrok.exe*",".{0,1000}\\pgrok\.exe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/jerson/pgrok","1","0","N/A","N/A","10","10","283","55","2022-05-30T14:53:46Z","2019-07-31T13:23:51Z","17234" "*\pgrok.yml*",".{0,1000}\\pgrok\.yml.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","17235" "*\pgrokd.exe*",".{0,1000}\\pgrokd\.exe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port 
forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/jerson/pgrok","1","0","N/A","N/A","10","10","283","55","2022-05-30T14:53:46Z","2019-07-31T13:23:51Z","17236" "*\pgrokd.yml",".{0,1000}\\pgrokd\.yml","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","17237" "*\pgrokd_*.zip*",".{0,1000}\\pgrokd_.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","17238" "*\Pictures\AnyDesk*",".{0,1000}\\Pictures\\AnyDesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","17257" "*\PingCastle.zip*",".{0,1000}\\PingCastle\.zip.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","17260" "*\PingCastleAutoUpdater.*",".{0,1000}\\PingCastleAutoUpdater\..{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan 
Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","17261" "*\pipe\chrome_remote_desktop*",".{0,1000}\\pipe\\chrome_remote_desktop.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","#namedpipe","N/A","10","10","N/A","N/A","N/A","N/A","17269" "*\pipe\openssh-ssh-agent*",".{0,1000}\\pipe\\openssh\-ssh\-agent.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","#namedpipe","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","17275" "*\pipe\PAExecErr*",".{0,1000}\\pipe\\PAExecErr.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","#namedpipe","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17276" "*\pipe\PAExecIn*",".{0,1000}\\pipe\\PAExecIn.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","#namedpipe","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17277" 
"*\pipe\PAExecOut*",".{0,1000}\\pipe\\PAExecOut.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","#namedpipe","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","17278" "*\PortQry.exe*",".{0,1000}\\PortQry\.exe.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","17328" "*\PortQryV2.exe*",".{0,1000}\\PortQryV2\.exe.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","17329" "*\PortQryV2\*",".{0,1000}\\PortQryV2\\.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","17330" "*\portr.exe*",".{0,1000}\\portr\.exe.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","17331" "*\portr-main\*",".{0,1000}\\portr\-main\\.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - 
T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","17332" "*\powershell.exe* += hidden*",".{0,1000}\\powershell\.exe.{0,1000}\s\+\=\shidden.{0,1000}","greyware_tool_keyword","powershell","command aiming to hide a file. It can be performed with powershell on a WINDOWS machine with command option =hidden","T1562.002","TA0040 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","17382" "*\powershell.exe* +=hidden*",".{0,1000}\\powershell\.exe.{0,1000}\s\+\=hidden.{0,1000}","greyware_tool_keyword","powershell","command aiming to hide a file. It can be performed with powershell on a WINDOWS machine with command option =hidden","T1562.002","TA0040 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","17383" "*\powershell.exe* = hidden*",".{0,1000}\\powershell\.exe.{0,1000}\s\=\shidden.{0,1000}","greyware_tool_keyword","powershell","command aiming to hide a file. It can be performed with powershell on a WINDOWS machine with command option =hidden","T1562.002","TA0040 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","17384" "*\powershell.exe* =hidden*",".{0,1000}\\powershell\.exe.{0,1000}\s\=hidden.{0,1000}","greyware_tool_keyword","powershell","command aiming to hide a file. 
It can be performed with powershell on a WINDOWS machine with command option =hidden","T1562.002","TA0040 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","17385" "*\PowerTool.exe*",".{0,1000}\\PowerTool\.exe.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17390" "*\PowerTool.pdb*",".{0,1000}\\PowerTool\.pdb.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","17391" "*\PowerTool32.exe*",".{0,1000}\\PowerTool32\.exe.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17392" "*\PowerTool64.exe*",".{0,1000}\\PowerTool64\.exe.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17393" "*\Prefetch\ANYDESK.EXE*",".{0,1000}\\Prefetch\\ANYDESK\.EXE.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - 
Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","17428" "*\prefetch\baconsoleapp.exe*",".{0,1000}\\prefetch\\baconsoleapp\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17429" "*\prefetch\baseclient.exe*",".{0,1000}\\prefetch\\baseclient\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17430" "*\prefetch\basupclphlp.exe*",".{0,1000}\\prefetch\\basupclphlp\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17431" "*\prefetch\basupregedithlpr.exe*",".{0,1000}\\prefetch\\basupregedithlpr\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17432" "*\prefetch\basupsrvc.exe*",".{0,1000}\\prefetch\\basupsrvc\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17433" "*\prefetch\basupsrvccnfg.exe*",".{0,1000}\\prefetch\\basupsrvccnfg\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17434" "*\prefetch\basupsrvcupdater.exe*",".{0,1000}\\prefetch\\basupsrvcupdater\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17435" "*\prefetch\basupsysinf.exe*",".{0,1000}\\prefetch\\basupsysinf\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17436" "*\prefetch\basuptshelper.exe*",".{0,1000}\\prefetch\\basuptshelper\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17437" "*\prefetch\damewareagent.exe*",".{0,1000}\\prefetch\\damewareagent\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17438" 
"*\prefetch\damewareremoteeverywhereconso*",".{0,1000}\\prefetch\\damewareremoteeverywhereconso.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17439" "*\Prefetch\QUASAR.EXE*",".{0,1000}\\Prefetch\\QUASAR\.EXE.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17440" "*\prefetch\tcrmtshellagent.exe*",".{0,1000}\\prefetch\\tcrmtshellagent\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17441" "*\prefetch\tcrmtshellviewer.exe*",".{0,1000}\\prefetch\\tcrmtshellviewer\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17442" 
"*\prefetch\tkcuploader.exe*",".{0,1000}\\prefetch\\tkcuploader\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17443" "*\Print\Printers\RemotePC Printer\*",".{0,1000}\\Print\\Printers\\RemotePC\sPrinter\\.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17451" "*\Printers\Remote Utilities Printer\*",".{0,1000}\\Printers\\Remote\sUtilities\sPrinter\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17455" "*\privoxy.exe*",".{0,1000}\\privoxy\.exe.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","17480" "*\Procdump.zip*",".{0,1000}\\Procdump\.zip.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential 
Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17482" "*\Process Hacker 2\*",".{0,1000}\\Process\sHacker\s2\\.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","17483" "*\ProduKey.exe*",".{0,1000}\\ProduKey\.exe.{0,1000}","greyware_tool_keyword","produkey","ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office (Microsoft Office 2003. Microsoft Office 2007). Windows (Including Windows 8/7/Vista). Exchange Server. and SQL Server installed on your computer. You can view this information for your current running operating system. or for another operating system/computer - by using command-line options. This utility can be useful if you lost the product key of your Windows/Office. 
and you want to reinstall it on your computer.","T1003.001 - T1003.002 - T1012 - T1057 - T1518","TA0006 - TA0007 - TA0009","N/A","Evilnum","Credential Access","https://www.nirsoft.net/utils/product_cd_key_viewer.html","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","17489" "*\progra~2\damewa~1\remoteshell\*",".{0,1000}\\progra\~2\\damewa\~1\\remoteshell\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17490" "*\Program Files (x86)\Acunetix\Web Vulnerability Scanner*",".{0,1000}\\Program\sFiles\s\(x86\)\\Acunetix\\Web\sVulnerability\sScanner.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17491" "*\Program Files (x86)\Advanced IP Scanner\*",".{0,1000}\\Program\sFiles\s\(x86\)\\Advanced\sIP\sScanner\\.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","17492" "*\Program Files (x86)\Advanced Monitoring Agent\*",".{0,1000}\\Program\sFiles\s\(x86\)\\Advanced\sMonitoring\sAgent\\.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17493" "*\Program Files (x86)\Anyplace Control*",".{0,1000}\\Program\sFiles\s\(x86\)\\Anyplace\sControl.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17494" "*\Program Files (x86)\Atera Networks*",".{0,1000}\\Program\sFiles\s\(x86\)\\Atera\sNetworks.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17495" "*\Program Files (x86)\Barracuda RMM\*",".{0,1000}\\Program\sFiles\s\(x86\)\\Barracuda\sRMM\\.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formely AVG","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17496" "*\program files (x86)\gotomypc\g2tray.exe*",".{0,1000}\\program\sfiles\s\(x86\)\\gotomypc\\g2tray\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17497" "*\Program Files (x86)\IObit\IObit Unlocker*",".{0,1000}\\Program\sFiles\s\(x86\)\\IObit\\IObit\sUnlocker.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","17498" "*\Program Files (x86)\ITarian\Endpoint Manager\*",".{0,1000}\\Program\sFiles\s\(x86\)\\ITarian\\Endpoint\sManager\\.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17499" "*\Program Files (x86)\ITarian\RemoteControl\*",".{0,1000}\\Program\sFiles\s\(x86\)\\ITarian\\RemoteControl\\.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17500" "*\Program Files (x86)\Lansweeper*",".{0,1000}\\Program\sFiles\s\(x86\)\\Lansweeper.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","17502" "*\Program Files (x86)\Level Platforms\*",".{0,1000}\\Program\sFiles\s\(x86\)\\Level\sPlatforms\\.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formely AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17503" "*\Program Files (x86)\Level\*",".{0,1000}\\Program\sFiles\s\(x86\)\\Level\\.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17504" "*\Program Files (x86)\RemotePC\*",".{0,1000}\\Program\sFiles\s\(x86\)\\RemotePC\\.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17505" "*\program files (x86)\remotepc\remotepcperformance\*",".{0,1000}\\program\sfiles\s\(x86\)\\remotepc\\remotepcperformance\\.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17506" "*\Program Files (x86)\SoftEther 
VPN*",".{0,1000}\\Program\sFiles\s\(x86\)\\SoftEther\sVPN.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","17507" "*\Program Files (x86)\stunnel\*",".{0,1000}\\Program\sFiles\s\(x86\)\\stunnel\\.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","17508" "*\Program Files (x86)\uvnc bvba\*",".{0,1000}\\Program\sFiles\s\(x86\)\\uvnc\sbvba\\.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17509" "*\Program Files\Advanced Monitoring Agent\*",".{0,1000}\\Program\sFiles\\Advanced\sMonitoring\sAgent\\.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17510" "*\Program Files\Atera Networks*",".{0,1000}\\Program\sFiles\\Atera\sNetworks.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum 
- RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17511" "*\Program Files\AutoHotkey*",".{0,1000}\\Program\sFiles\\AutoHotkey.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","17512" "*\Program Files\Aweray*",".{0,1000}\\Program\sFiles\\Aweray.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17513" "*\Program Files\Barracuda RMM\*",".{0,1000}\\Program\sFiles\\Barracuda\sRMM\\.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formely AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17515" "*\Program Files\Box\Box\*",".{0,1000}\\Program\sFiles\\Box\\Box\\.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","17516" "*\Program Files\CyberGhost*",".{0,1000}\\Program\sFiles\\CyberGhost.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense 
Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","17517" "*\Program Files\ehorus_agent\*",".{0,1000}\\Program\sFiles\\ehorus_agent\\.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17518" "*\Program Files\Eraser\*",".{0,1000}\\Program\sFiles\\Eraser\\.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abusedby attackers for anti forensic","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","17519" "*\Program Files\FileZilla FTP Client\*",".{0,1000}\\Program\sFiles\\FileZilla\sFTP\sClient\\.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","17520" "*\Program Files\FileZilla Server*",".{0,1000}\\Program\sFiles\\FileZilla\sServer.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered 
Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","17521" "*\Program Files\FreeFileSync*",".{0,1000}\\Program\sFiles\\FreeFileSync.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","17522" "*\Program Files\IObit\IObit Unlocker*",".{0,1000}\\Program\sFiles\\IObit\\IObit\sUnlocker.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","17523" "*\Program Files\Level Platforms\*",".{0,1000}\\Program\sFiles\\Level\sPlatforms\\.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formely AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17524" "*\Program Files\Level\level.db*",".{0,1000}\\Program\sFiles\\Level\\level\.db.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17525" "*\Program Files\Level\osqueryi.exe*",".{0,1000}\\Program\sFiles\\Level\\osqueryi\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17526" "*\Program Files\Level\winpty.dll*",".{0,1000}\\Program\sFiles\\Level\\winpty\.dll.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17527" "*\Program Files\Level\winpty-agent.exe*",".{0,1000}\\Program\sFiles\\Level\\winpty\-agent\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17528" "*\Program Files\remoteit*",".{0,1000}\\Program\sFiles\\remoteit.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17530" "*\Program Files\SIBER SYSTEMS\GOODSYNC\*",".{0,1000}\\Program\sFiles\\SIBER\sSYSTEMS\\GOODSYNC\\.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","17531" "*\Program Files\SoftEther VPN*",".{0,1000}\\Program\sFiles\\SoftEther\sVPN.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","17532" "*\Program Files\SubDir\Client.exe*",".{0,1000}\\Program\sFiles\\SubDir\\Client\.exe.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17533" "*\Program Files\Supremo\*",".{0,1000}\\Program\sFiles\\Supremo\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17534" "*\Program Files\TacticalAgent\*",".{0,1000}\\Program\sFiles\\TacticalAgent\\.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","17535" "*\Program Files\TAP-Windows\*",".{0,1000}\\Program\sFiles\\TAP\-Windows\\.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain 
persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","17536" "*\Program Files\TeamViewer*",".{0,1000}\\Program\sFiles\\TeamViewer.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","17537" "*\Program Files\WinSCP*",".{0,1000}\\Program\sFiles\\WinSCP.{0,1000}","greyware_tool_keyword","WinSCP","SFTP connexion with winscp - legit tool abused by threat actors to exfiltrate data","T1105","TA0010","N/A","Akia - Unit 29155","Data Exfiltration","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","17538" "*\Program Files\WizTree*",".{0,1000}\\Program\sFiles\\WizTree.{0,1000}","greyware_tool_keyword","wiztree","legitimate tool abused by threat actors to obtain network files and directory listings","T1083","TA0007","N/A","Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","17539" "*\ProgramData\*\code-tunnel.exe*",".{0,1000}\\ProgramData\\.{0,1000}\\code\-tunnel\.exe.{0,1000}","greyware_tool_keyword","vscode","the binary for the code-tunnels component is self-contained / portable and signed - seing it in different location than \Programs\Microsoft VS Code\bin\ is suspicious ","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17541" "*\ProgramData\Acunetix WVS 
*",".{0,1000}\\ProgramData\\Acunetix\sWVS\s.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17542" "*\ProgramData\Aeroadmin\*",".{0,1000}\\ProgramData\\Aeroadmin\\.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","C:\ProgramData\Aeroadmin\log.json","10","10","N/A","N/A","N/A","N/A","17543" "*\ProgramData\AMMYY\*",".{0,1000}\\ProgramData\\AMMYY\\.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abudsed by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17544" "*\ProgramData\Amperage*",".{0,1000}\\ProgramData\\Amperage.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","17545" "*\ProgramData\Anyplace Control *",".{0,1000}\\ProgramData\\Anyplace\sControl\s.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17546" "*\ProgramData\Barracuda 
MSP\*",".{0,1000}\\ProgramData\\Barracuda\sMSP\\.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formely AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17548" "*\programdata\bomgar-scc-*",".{0,1000}\\programdata\\bomgar\-scc\-.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17549" "*\ProgramData\LogMeIn\*",".{0,1000}\\ProgramData\\LogMeIn\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17551" "*\ProgramData\megatmp.M1.txt*",".{0,1000}\\ProgramData\\megatmp\.M1\.txt.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17552" "*\ProgramData\megatmp.M2.txt*",".{0,1000}\\ProgramData\\megatmp\.M2\.txt.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* 
- Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17553" "*\ProgramData\Remote Utilities*",".{0,1000}\\ProgramData\\Remote\sUtilities.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17554" "*\ProgramData\remoteit*",".{0,1000}\\ProgramData\\remoteit.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17555" "*\ProgramData\RemotePC*",".{0,1000}\\ProgramData\\RemotePC.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17556" "*\ProgramData\RustDesk\*",".{0,1000}\\ProgramData\\RustDesk\\.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","17557" "*\ProgramData\SupremoRemoteDesktop*",".{0,1000}\\ProgramData\\SupremoRemoteDesktop.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17559" 
"*\ProgramData\TacticalRMM\*",".{0,1000}\\ProgramData\\TacticalRMM\\.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","17560" "*\ProgramFile*\previous-version",".{0,1000}\\ProgramFile.{0,40}\\previous-version","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","old anydesk version after update","10","10","N/A","N/A","N/A","N/A","17561" "*\Programs\Advanced IP Scanner Portable\*",".{0,1000}\\Programs\\Advanced\sIP\sScanner\sPortable\\.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","17562" "*\Programs\GoToMyPC.lnk*",".{0,1000}\\Programs\\GoToMyPC\.lnk.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17563" "*\Programs\SimpleHelp Remote Work""*",".{0,1000}\\Programs\\SimpleHelp\sRemote\sWork\"".{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17564" "*\Programs\SimpleHelp Technician*",".{0,1000}\\Programs\\SimpleHelp\sTechnician.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17565" "*\Programs\TightVNC*",".{0,1000}\\Programs\\TightVNC.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - 
often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17567" "*\Proxifier Service Manager.lnk*",".{0,1000}\\Proxifier\sService\sManager\.lnk.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17575" "*\Proxifier.exe*",".{0,1000}\\Proxifier\.exe.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17576" "*\Proxifier.lnk*",".{0,1000}\\Proxifier\.lnk.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17577" "*\ProxifierDrv.sys*",".{0,1000}\\ProxifierDrv\.sys.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17578" "*\ProxifierPE.zip*",".{0,1000}\\ProxifierPE\.zip.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17579" "*\ProxifierSetup.exe*",".{0,1000}\\ProxifierSetup\.exe.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy 
connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17580" "*\ProxifierSetup.tmp*",".{0,1000}\\ProxifierSetup\.tmp.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17581" "*\ProxifierShellExt.dll*",".{0,1000}\\ProxifierShellExt\.dll.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17582" "*\ProxyChecker.exe*",".{0,1000}\\ProxyChecker\.exe.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","17583" "*\ps2exe.ps1*",".{0,1000}\\ps2exe\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","17594" 
"*\PsExec.exe*",".{0,1000}\\PsExec\.exe.{0,1000}","greyware_tool_keyword","psexec","PsExec is a legitimate Microsoft tool for remote administration. However. attackers can misuse it to execute malicious commands or software on other network machines. install persistent threats. and evade some security systems. ","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","17602" "*\pslist.exe*",".{0,1000}\\pslist\.exe.{0,1000}","greyware_tool_keyword","pslist","Microsoft sysinternal comandline tool to list running process abused by threat actors","T1057 - T1012 - T1106","TA0007","N/A","APT10 - APT15 - APT33 - APT34 - Sandworm - APT35 - CHRYSENE - menuPass - GhostEmperor - Magnallium - Elfin","Discovery","https://learn.microsoft.com/pt-br/sysinternals/downloads/pslist","1","0","N/A","N/A","3","9","N/A","N/A","N/A","N/A","17612" "*\pslist64.exe*",".{0,1000}\\pslist64\.exe.{0,1000}","greyware_tool_keyword","pslist","Microsoft sysinternal comandline tool to list running process abused by threat actors","T1057 - T1012 - T1106","TA0007","N/A","APT10 - APT15 - APT33 - APT34 - Sandworm - APT35 - CHRYSENE - menuPass - 
GhostEmperor - Magnallium - Elfin","Discovery","https://learn.microsoft.com/pt-br/sysinternals/downloads/pslist","1","0","N/A","N/A","3","9","N/A","N/A","N/A","N/A","17613" "*\PTASpy.dll*",".{0,1000}\\PTASpy\.dll.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","17629" "*\PTASpy.ps1*",".{0,1000}\\PTASpy\.ps1.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","17630" "*\Public\Desktop\Eraser.lnk*",".{0,1000}\\Public\\Desktop\\Eraser\.lnk.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abusedby attackers for anti forensic","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","17634" "*\Public\Desktop\SoftEther VPN *",".{0,1000}\\Public\\Desktop\\SoftEther\sVPN\s.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","17635" "*\Pulseway Remote Control\*",".{0,1000}\\Pulseway\sRemote\sControl\\.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17644" "*\Pulseway\*",".{0,1000}\\Pulseway\\.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17645" "*\pulseway_x64.deb*",".{0,1000}\\pulseway_x64\.deb.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17646" "*\Pulseway_x64.msi*",".{0,1000}\\Pulseway_x64\.msi.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17647" 
"*\pulseway_x86.deb*",".{0,1000}\\pulseway_x86\.deb.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17648" "*\PulsewayServiceCheck*",".{0,1000}\\PulsewayServiceCheck.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17649" "*\pwyrc-agent.dll*",".{0,1000}\\pwyrc\-agent\.dll.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17675" "*\pwy-rd\shell\open\command*",".{0,1000}\\pwy\-rd\\shell\\open\\command.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17676" "*\py2exe*",".{0,1000}\\py2exe.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone 
executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","0","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","17678" "*\pyshark\src\*",".{0,1000}\\pyshark\\src\\.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","0","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","17693" "*\Quasar.Client\*",".{0,1000}\\Quasar\.Client\\.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17702" "*\Quasar.Common\*.cs*",".{0,1000}\\Quasar\.Common\\.{0,1000}\.cs.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17703" "*\quasar.p12*",".{0,1000}\\quasar\.p12.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17706" "*\Quasar.v*.zip*",".{0,1000}\\Quasar\.v.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17707" "*\Quasar-master*",".{0,1000}\\Quasar\-master.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","17708" "*\Quick Assist Installer.exe*",".{0,1000}\\Quick\sAssist\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","17710" "*\quick launch\dameware remote everywhere tech 
console.lnk*",".{0,1000}\\quick\slaunch\\dameware\sremote\severywhere\stech\sconsole\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17711" "*\QuickAssist.exe*",".{0,1000}\\QuickAssist\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","17712" "*\QuickAssist.pdb*",".{0,1000}\\QuickAssist\.pdb.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","17713" "*\ractrlkeyhook.dll*",".{0,1000}\\ractrlkeyhook\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17726" "*\Radmin.exe*",".{0,1000}\\Radmin\.exe.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17727" 
"*\RADMIN.EXE-*.pf*",".{0,1000}\\RADMIN\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17728" "*\Radmin\radmin.rpb*",".{0,1000}\\Radmin\\radmin\.rpb.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17729" "*\Radmin_Server_*.msi*",".{0,1000}\\Radmin_Server_.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17730" "*\Radmin_Viewer_*.msi*",".{0,1000}\\Radmin_Viewer_.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17731" "*\Radmin_VPN_1.*.exe*",".{0,1000}\\Radmin_VPN_1\..{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17732" "*\rathole.exe",".{0,1000}\\rathole\.exe","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a 
public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17752" "*\rathole\src\*",".{0,1000}\\rathole\\src\\.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17753" "*\rathole-aarch64-*",".{0,1000}\\rathole\-aarch64\-.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17754" "*\rathole-arm*",".{0,1000}\\rathole\-arm.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17755" "*\rathole-main\*",".{0,1000}\\rathole\-main\\.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17756" "*\rathole-mips-*",".{0,1000}\\rathole\-mips\-.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17757" "*\rathole-x86_64*",".{0,1000}\\rathole\-x86_64.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","17758" "*\rclone.conf*",".{0,1000}\\rclone\.conf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","17774" "*\rclone.exe*",".{0,1000}\\rclone\.exe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","interactive 
mode","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","17775" "*\rclone.old.exe*",".{0,1000}\\rclone\.old\.exe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","17776" "*\rclone.rar*",".{0,1000}\\rclone\.rar.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","17777" "*\rclone.zip*",".{0,1000}\\rclone\.zip.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","17778" "*\RDP Wrapper\*",".{0,1000}\\RDP\sWrapper\\.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17785" "*\RDPCheck.exe*",".{0,1000}\\RDPCheck\.exe.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17788" "*\RDPWInst.exe*",".{0,1000}\\RDPWInst\.exe.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17803" "*\RDPWInst-v*.msi*",".{0,1000}\\RDPWInst\-v.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17804" "*\RDPWrap.cpp*",".{0,1000}\\RDPWrap\.cpp.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17805" "*\rdpwrap.dll*",".{0,1000}\\rdpwrap\.dll.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by 
malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17806" "*\rdpwrap.ini*",".{0,1000}\\rdpwrap\.ini.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17807" "*\RDPWrap.sln*",".{0,1000}\\RDPWrap\.sln.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17808" "*\rdpwrap.txt*",".{0,1000}\\rdpwrap\.txt.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17809" "*\rdpwrap-master*",".{0,1000}\\rdpwrap\-master.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17810" "*\RDPWrapSetup*",".{0,1000}\\RDPWrapSetup.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17811" "*\RDPWrap-v*.zip*",".{0,1000}\\RDPWrap\-v.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral 
Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","17812" "*\RealTimeSync.exe*",".{0,1000}\\RealTimeSync\.exe.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","17824" "*\RedTeaming-Tactics-and-Techniques-master*",".{0,1000}\\RedTeaming\-Tactics\-and\-Techniques\-master.{0,1000}","greyware_tool_keyword","ired.team","Red Teaming Tactics and Techniques","T1593.003","TA0043","N/A","N/A","Reconnaissance","https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques","1","0","N/A","N/A","7","10","4234","1071","2024-08-22T07:17:31Z","2019-03-02T13:33:33Z","17872" "*\reg.exe* save HKLM*",".{0,1000}\\reg\.exe.{0,1000}\ssave\sHKLM.{0,1000}","greyware_tool_keyword","reg","","T1003.002 - T1564.001","TA0006 - TA0010","N/A","N/A","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","17882" "*\RemCom.cpp*",".{0,1000}\\RemCom\.cpp.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17903" "*\RemCom.exe*",".{0,1000}\\RemCom\.exe.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral 
Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17904" "*\RemCom.pdb*",".{0,1000}\\RemCom\.pdb.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17905" "*\RemCom.vcxproj*",".{0,1000}\\RemCom\.vcxproj.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17906" "*\RemCom-master\*",".{0,1000}\\RemCom\-master\\.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17907" "*\RemComSvc.exe*",".{0,1000}\\RemComSvc\.exe.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17908" 
"*\RemComSvc\*",".{0,1000}\\RemComSvc\\.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17909" "*\remote access session.exe*",".{0,1000}\\remote\saccess\ssession\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17911" "*\remote access.exe*",".{0,1000}\\remote\saccess\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17912" "*\Remote AccessEmbedExample.html*",".{0,1000}\\Remote\sAccessEmbedExample\.html.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17913" "*\Remote Access-java-online.jar*",".{0,1000}\\Remote\sAccess\-java\-online\.jar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17914" "*\Remote Command 
Executor.sln*",".{0,1000}\\Remote\sCommand\sExecutor\.sln.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","17915" "*\remote support.exe*",".{0,1000}\\remote\ssupport\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17916" "*\Remote SupportEmbedExample.html*",".{0,1000}\\Remote\sSupportEmbedExample\.html.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17917" "*\remote utilities - host\*",".{0,1000}\\remote\sutilities\s\-\shost\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17918" "*\Remote Utilities - Host\*",".{0,1000}\\Remote\sUtilities\s\-\sHost\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - 
UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17919" "*\remote utilities agent\*",".{0,1000}\\remote\sutilities\sagent\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17920" "*\Remote Utilities Agent\Logs*",".{0,1000}\\Remote\sUtilities\sAgent\\Logs.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17921" "*\Remote Utilities Files\rdp_connections\*",".{0,1000}\\Remote\sUtilities\sFiles\\rdp_connections\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17922" "*\Remote Utilities Server\*",".{0,1000}\\Remote\sUtilities\sServer\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17923" "*\Remote Utilities\Logs*",".{0,1000}\\Remote\sUtilities\\Logs.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17924" "*\Remote Utilities\MiniInternetId*",".{0,1000}\\Remote\sUtilities\\MiniInternetId.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","17925" "*\Remote.It-Installer-*",".{0,1000}\\Remote\.It\-Installer\-.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17926" "*\remote_assistance_host.exe*",".{0,1000}\\remote_assistance_host\.exe.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17927" "*\Remote_Control_by_ITarian_*.log*",".{0,1000}\\Remote_Control_by_ITarian_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17928" "*\remoteaccess-jar-with-dependencies.jar*",".{0,1000}\\remoteaccess\-jar\-with\-dependencies\.jar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain 
unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17929" "*\remotecontrol\rcontrol.exe*",".{0,1000}\\remotecontrol\\rcontrol\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17932" "*\remotecontrol\rviewer.exe*",".{0,1000}\\remotecontrol\\rviewer\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17933" "*\RemoteControlbyITarian (3).exe*",".{0,1000}\\RemoteControlbyITarian\s\(3\)\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17934" "*\RemoteControlbyITarian_(3).exe*",".{0,1000}\\RemoteControlbyITarian_\(3\)\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17935" "*\RemoteControlSetup.exe*",".{0,1000}\\RemoteControlSetup\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17936" "*\RemoteDesktop.exe*",".{0,1000}\\RemoteDesktop\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17937" "*\RemoteDesktop_x64.msi*",".{0,1000}\\RemoteDesktop_x64\.msi.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17939" "*\remoteit.exe*",".{0,1000}\\remoteit\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17941" "*\remoteit.log*",".{0,1000}\\remoteit\.log.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17942" "*\remoteit.x86-win.exe*",".{0,1000}\\remoteit\.x86\-win\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17943" "*\remoteit-desktop.exe*",".{0,1000}\\remoteit\-desktop\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17944" "*\remoteit-headless.service*",".{0,1000}\\remoteit\-headless\.service.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","17945" "*\RemotePC (1).exe*",".{0,1000}\\RemotePC\s\(1\)\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17952" "*\RemotePC Attended.lnk*",".{0,1000}\\RemotePC\sAttended\.lnk.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17953" "*\RemotePC Attended\*",".{0,1000}\\RemotePC\sAttended\\.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17954" "*\RemotePC Performance Host\*",".{0,1000}\\RemotePC\sPerformance\sHost\\.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17955" "*\RemotePC.Common.dll*",".{0,1000}\\RemotePC\.Common\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17956" "*\RemotePC.exe*",".{0,1000}\\RemotePC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17957" "*\RemotePC.exe*",".{0,1000}\\RemotePC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17958" "*\RemotePC.lnk*",".{0,1000}\\RemotePC\.lnk.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17959" "*\RemotePC.tmp*",".{0,1000}\\RemotePC\.tmp.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17960" 
"*\RemotePC.tmp*",".{0,1000}\\RemotePC\.tmp.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17961" "*\RemotePC\*.dll*",".{0,1000}\\RemotePC\\.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17962" "*\RemotePCAttended.dmg*",".{0,1000}\\RemotePCAttended\.dmg.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","#macos","N/A","10","10","N/A","N/A","N/A","N/A","17963" "*\RemotePCCopyPaste.txt*",".{0,1000}\\RemotePCCopyPaste\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17964" "*\RemotePCDDriver.cat*",".{0,1000}\\RemotePCDDriver\.cat.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17965" "*\RemotePCDDriver.inf*",".{0,1000}\\RemotePCDDriver\.inf.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17966" 
"*\RemotePCDDriverumode1_0.dll*",".{0,1000}\\RemotePCDDriverumode1_0\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17967" "*\RemotePCDDriverumode1_2.dll*",".{0,1000}\\RemotePCDDriverumode1_2\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17968" "*\RemotePCDesktop.txt*",".{0,1000}\\RemotePCDesktop\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17969" "*\RemotePCDnD.dll*",".{0,1000}\\RemotePCDnD\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17970" "*\RemotePCDnDLauncher.exe*",".{0,1000}\\RemotePCDnDLauncher\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17971" "*\RemotePCHDDesktop.txt*",".{0,1000}\\RemotePCHDDesktop\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17972" 
"*\RemotePCHDService.txt*",".{0,1000}\\RemotePCHDService\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17973" "*\remotepclauncher.exe*",".{0,1000}\\remotepclauncher\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17974" "*\RemotePCModules.log*",".{0,1000}\\RemotePCModules\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17975" "*\RemotePCPDF.conf*",".{0,1000}\\RemotePCPDF\.conf.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17976" "*\RemotePCPerformancePlugins.exe*",".{0,1000}\\RemotePCPerformancePlugins\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17977" "*\RemotePCPrinter.exe*",".{0,1000}\\RemotePCPrinter\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17978" 
"*\RemotePCPrinter.exe.config*",".{0,1000}\\RemotePCPrinter\.exe\.config.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17979" "*\RemotePCPrinter.pdb*",".{0,1000}\\RemotePCPrinter\.pdb.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17980" "*\RemotePCPrinterCore.dll*",".{0,1000}\\RemotePCPrinterCore\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17981" "*\RemotePCPrinterCore.pdb*",".{0,1000}\\RemotePCPrinterCore\.pdb.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17982" "*\RemotePCProxys.dat*",".{0,1000}\\RemotePCProxys\.dat.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17983" "*\RemotePCPS5UI.DLL*",".{0,1000}\\RemotePCPS5UI\.DLL.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17984" "*\RemotePCPS5UI.DLL*",".{0,1000}\\RemotePCPS5UI\.DLL.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM 
tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17985" "*\RemotePCPSCRIPT.*",".{0,1000}\\RemotePCPSCRIPT\..{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17986" "*\RemotePCPSCRIPT.HLP*",".{0,1000}\\RemotePCPSCRIPT\.HLP.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17987" "*\RemotePCPSCRIPT.NTF*",".{0,1000}\\RemotePCPSCRIPT\.NTF.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17988" "*\RemotePCPSCRIPT5.DLL*",".{0,1000}\\RemotePCPSCRIPT5\.DLL.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17989" "*\RemotePCService.exe*",".{0,1000}\\RemotePCService\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17990" "*\RemotePCService.txt*",".{0,1000}\\RemotePCService\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17991" "*\RemotePCService_2.txt*",".{0,1000}\\RemotePCService_2\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17992" "*\RemotePCSuite.dmg*",".{0,1000}\\RemotePCSuite\.dmg.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","#macos","N/A","10","10","N/A","N/A","N/A","N/A","17993" "*\RemotePCUDE.cat*",".{0,1000}\\RemotePCUDE\.cat.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17994" "*\RemotePCUDE.inf*",".{0,1000}\\RemotePCUDE\.inf.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17995" "*\RemotePCUDE.sys*",".{0,1000}\\RemotePCUDE\.sys.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17996" "*\RemotePCUDEHost.cat*",".{0,1000}\\RemotePCUDEHost\.cat.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17997" 
"*\RemotePCUDEHost.inf*",".{0,1000}\\RemotePCUDEHost\.inf.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17998" "*\RemotePCUDEHost.sys*",".{0,1000}\\RemotePCUDEHost\.sys.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","17999" "*\RemotePCUIA.exe*",".{0,1000}\\RemotePCUIA\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18000" "*\RemotePCUIU.exe*",".{0,1000}\\RemotePCUIU\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18001" "*\remotepcuiu.exe*",".{0,1000}\\remotepcuiu\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18002" "*\RemotePCViewer.msi*",".{0,1000}\\RemotePCViewer\.msi.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18003" "*\RemoteSupport\127.0.0.1.tvc*",".{0,1000}\\RemoteSupport\\127\.0\.0\.1\.tvc.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is 
software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","18011" "*\remoting_desktop.exe*",".{0,1000}\\remoting_desktop\.exe.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18012" "*\remoting_host.exe*",".{0,1000}\\remoting_host\.exe.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18013" "*\remoting_native_messaging_host.exe*",".{0,1000}\\remoting_native_messaging_host\.exe.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18014" "*\remoting_start_host.exe*",".{0,1000}\\remoting_start_host\.exe.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18015" "*\RescueWinRTLib.dll*",".{0,1000}\\RescueWinRTLib\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18022" "*\RescueWinRTLib.dll*",".{0,1000}\\RescueWinRTLib\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18023" "*\restic-*.tar.gz*",".{0,1000}\\restic\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","18029" "*\restic.exe*",".{0,1000}\\restic\.exe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","18030" "*\RESTIC_*_WINDOWS_AMD64.E-FC5783E7.pf*",".{0,1000}\\RESTIC_.{0,1000}_WINDOWS_AMD64\.E\-FC5783E7\.pf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","18031" "*\restic_*_windows_amd64.zip*",".{0,1000}\\restic_.{0,1000}_windows_amd64\.zip.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","18032" "*\restic-completion.ps1*",".{0,1000}\\restic\-completion\.ps1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","18033" "*\restic-master\*",".{0,1000}\\restic\-master\\.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","18034" "*\RevoUninProSetup.exe*",".{0,1000}\\RevoUninProSetup\.exe.{0,1000}","greyware_tool_keyword","RevoUninstaller","legitimate tool abused by the Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18051" "*\rfusclient.exe*",".{0,1000}\\rfusclient\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - 
UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18064" "*\rmm-client-site-server.exe*",".{0,1000}\\rmm\-client\-site\-server\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","18074" "*\rmm-client-site-server.exe*",".{0,1000}\\rmm\-client\-site\-server\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","18075" "*\rmm-installer.ps1*",".{0,1000}\\rmm\-installer\.ps1.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","18076" "*\RmmService.exe*",".{0,1000}\\RmmService\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18077" "*\Root\InventoryApplicationFile\boxui.exe*",".{0,1000}\\Root\\InventoryApplicationFile\\boxui\.exe.{0,1000}","greyware_tool_keyword","Box","Attackers have used 
box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","#registry","N/A","6","7","N/A","N/A","N/A","N/A","18093" "*\Root\InventoryApplicationFile\offlinesamtool*",".{0,1000}\\Root\\InventoryApplicationFile\\offlinesamtool.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18095" "*\Root\InventoryApplicationFile\support-logmeinr*",".{0,1000}\\Root\\InventoryApplicationFile\\support\-logmeinr.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18097" "*\Root\InventoryApplicationFile\tap-windows*",".{0,1000}\\Root\\InventoryApplicationFile\\tap\-windows.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","18098" "*\Root\InventoryApplicationFile\za_connect.exe*",".{0,1000}\\Root\\InventoryApplicationFile\\za_connect\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - 
Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18099" "*\RpcAccessPermissionNotifier.exe*",".{0,1000}\\RpcAccessPermissionNotifier\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18115" "*\RpcApp\RPCCodecEngine.exe*",".{0,1000}\\RpcApp\\RPCCodecEngine\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18116" "*\RpcApp\Tools\Chat.exe*",".{0,1000}\\RpcApp\\Tools\\Chat\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18117" "*\RpcApp\Tools\TransferServer.exe*",".{0,1000}\\RpcApp\\Tools\\TransferServer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18118" "*\RPCAppLauncherLogFile.txt*",".{0,1000}\\RPCAppLauncherLogFile\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18119" "*\RPCAttended.log*",".{0,1000}\\RPCAttended\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18120" "*\RPCAttendedAdmin.exe*",".{0,1000}\\RPCAttendedAdmin\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18121" "*\RPCCertificate.log*",".{0,1000}\\RPCCertificate\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18126" "*\RPCClipboard.exe*",".{0,1000}\\RPCClipboard\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18127" "*\RPCClipboardAttended.exe*",".{0,1000}\\RPCClipboardAttended\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18128" "*\RPCConfig.ini*",".{0,1000}\\RPCConfig\.ini.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18129" "*\RPCCoreViewer.exe*",".{0,1000}\\RPCCoreViewer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18130" 
"*\RpcDND_Console.exe*",".{0,1000}\\RpcDND_Console\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18131" "*\RPCDownloader.exe*",".{0,1000}\\RPCDownloader\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18132" "*\RPCDownloaderLogFile.txt*",".{0,1000}\\RPCDownloaderLogFile\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18133" "*\RPCDragDrop.txt*",".{0,1000}\\RPCDragDrop\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18134" "*\RPCFirewallAttended.exe*",".{0,1000}\\RPCFirewallAttended\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18138" "*\RPCFireWallRule.exe*",".{0,1000}\\RPCFireWallRule\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18139" 
"*\RPCFireWallRulelogfile.txt*",".{0,1000}\\RPCFireWallRulelogfile\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18140" "*\RPCKeyMouseHandler.txt*",".{0,1000}\\RPCKeyMouseHandler\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18141" "*\RPCOTABootstrapper.exe*",".{0,1000}\\RPCOTABootstrapper\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18143" "*\RPCOTADesktop.exe*",".{0,1000}\\RPCOTADesktop\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18144" "*\RPCOTADesktopUAC.exe*",".{0,1000}\\RPCOTADesktopUAC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18145" "*\RpcOTADND_Console.exe*",".{0,1000}\\RpcOTADND_Console\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18146" "*\RPCOTAElevator.exe*",".{0,1000}\\RPCOTAElevator\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC 
Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18147" "*\RPCOTAFTHost.exe*",".{0,1000}\\RPCOTAFTHost\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18148" "*\RPCOTAKillService.exe*",".{0,1000}\\RPCOTAKillService\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18149" "*\RPCOTARelauncher.exe*",".{0,1000}\\RPCOTARelauncher\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18150" "*\RPCOTAService.exe*",".{0,1000}\\RPCOTAService\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18151" "*\RPCOTAServiceUAC.exe*",".{0,1000}\\RPCOTAServiceUAC\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18152" "*\RPCOTAUtilityHost.exe*",".{0,1000}\\RPCOTAUtilityHost\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18153" "*\RPCOTAViewerHostKeyPopup.exe*",".{0,1000}\\RPCOTAViewerHostKeyPopup\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18154" "*\RPCPerformanceService.exe*",".{0,1000}\\RPCPerformanceService\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18155" "*\RPCPerformanceService.log*",".{0,1000}\\RPCPerformanceService\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18156" "*\RPCPerfViewer.exe*",".{0,1000}\\RPCPerfViewer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18157" "*\rpcperfviewer.exe*",".{0,1000}\\rpcperfviewer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18158" "*\RPCPerfViewer.log*",".{0,1000}\\RPCPerfViewer\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18159" "*\RPCPing.txt*",".{0,1000}\\RPCPing\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18160" "*\RPCPreUninstall.log*",".{0,1000}\\RPCPreUninstall\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18161" "*\RPCPreUninstall.log*",".{0,1000}\\RPCPreUninstall\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18162" "*\RPCPrinterDownloader.exe*",".{0,1000}\\RPCPrinterDownloader\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18163" "*\RPCPrinterDownloader.txt*",".{0,1000}\\RPCPrinterDownloader\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18164" "*\RPCProxyLatency.exe*",".{0,1000}\\RPCProxyLatency\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18165" "*\RPCProxyLatencyAttended.exe*",".{0,1000}\\RPCProxyLatencyAttended\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18166" "*\RPCSettings.ini*",".{0,1000}\\RPCSettings\.ini.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18168" "*\RpcStickyNotes.exe*",".{0,1000}\\RpcStickyNotes\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18169" "*\RPCSuite_*_Inc.log*",".{0,1000}\\RPCSuite_.{0,1000}_Inc\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18170" "*\RPCsuiteLaunch.txt*",".{0,1000}\\RPCsuiteLaunch\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18171" "*\RpcView.exe*",".{0,1000}\\RpcView\.exe.{0,1000}","greyware_tool_keyword","RpcView","RpcView is a free tool to explore and decompile Microsoft RPC interfaces","T1082 - T1016 - T1046 - T1622","TA0007 - 
TA0008","N/A","Dispossessor","Discovery","https://github.com/silverf0x/RpcView","1","0","N/A","N/A","6","10","965","255","2023-09-24T19:58:04Z","2017-03-14T19:14:45Z","18172" "*\RpcView64.7z*",".{0,1000}\\RpcView64\.7z.{0,1000}","greyware_tool_keyword","RpcView","RpcView is a free tool to explore and decompile Microsoft RPC interfaces","T1082 - T1016 - T1046 - T1622","TA0007 - TA0008","N/A","Dispossessor","Discovery","https://github.com/silverf0x/RpcView","1","0","N/A","N/A","6","10","965","255","2023-09-24T19:58:04Z","2017-03-14T19:14:45Z","18173" "*\rserver3.exe*",".{0,1000}\\rserver3\.exe.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18175" "*\rsetup64.exe*/stop*",".{0,1000}\\rsetup64\.exe.{0,1000}\/stop.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18176" "*\rsl.exe /setup*",".{0,1000}\\rsl\.exe\s\/setup.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18177" "*\rsl.exe*/stop*",".{0,1000}\\rsl\.exe.{0,1000}\/stop.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18178" 
"*\rsocks_windows_386.exe*",".{0,1000}\\rsocks_windows_386\.exe.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","0","N/A","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","18179" "*\RSTemp\ZohoMeeting\*",".{0,1000}\\RSTemp\\ZohoMeeting\\.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18183" "*\rtun-server-windows-amd64.exe*",".{0,1000}\\rtun\-server\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","18185" "*\rtun-windows-amd64.exe*",".{0,1000}\\rtun\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","18186" "*\RunOnce\*LogMeInRescue_*",".{0,1000}\\RunOnce\\.{0,1000}LogMeInRescue_.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18221" "*\RunOnce\wextract_cleanup0*",".{0,1000}\\RunOnce\\wextract_cleanup0.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","#registry","N/A","6","7","N/A","N/A","N/A","N/A","18222" "*\rustdesk-*-x86_64.exe*",".{0,1000}\\rustdesk\-.{0,1000}\-x86_64\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","18228" "*\RustDesk.exe*",".{0,1000}\\RustDesk\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered 
Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","18229" "*\RustDesk.lnk*",".{0,1000}\\RustDesk\.lnk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","18230" "*\RustDesk\query*",".{0,1000}\\RustDesk\\query.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","named pipe","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","18231" "*\RustDeskIddDriver\*",".{0,1000}\\RustDeskIddDriver\\.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","18232" "*\rutserv.exe*",".{0,1000}\\rutserv\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18240" "*\rutview.exe*",".{0,1000}\\rutview\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - 
T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18241" "*\ru-viewer-portable\*",".{0,1000}\\ru\-viewer\-portable\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18242" "*\Safeboot\Network\AltMeshAgent*",".{0,1000}\\Safeboot\\Network\\AltMeshAgent.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","18251" "*\SafeBoot\Network\ShTemporaryService*",".{0,1000}\\SafeBoot\\Network\\ShTemporaryService.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18252" "*\SafeBoot\Network\SimpleHelp Server*",".{0,1000}\\SafeBoot\\Network\\SimpleHelp\sServer.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18253" "*\SafeBoot\Network\Zoho Assist-Remote Support*",".{0,1000}\\SafeBoot\\Network\\Zoho\sAssist\-Remote\sSupport.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote 
access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18254" "*\Schedule\TaskCache\Tree\RemotePC*",".{0,1000}\\Schedule\\TaskCache\\Tree\\RemotePC.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18289" "*\ScreenConnect Client (*",".{0,1000}\\ScreenConnect\sClient\s\(.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18301" "*\ScreenConnect.Client.exe*",".{0,1000}\\ScreenConnect\.Client\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","screenconnect.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18302" "*\ScreenConnect.ClientService.exe*",".{0,1000}\\ScreenConnect\.ClientService\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater 
","RMM","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18303" "*\ScreenConnect.ClientSetup.exe*",".{0,1000}\\ScreenConnect\.ClientSetup\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18304" "*\ScreenConnect.Core.dll*",".{0,1000}\\ScreenConnect\.Core\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18305" "*\ScreenConnect.InstallerActions.dll*",".{0,1000}\\ScreenConnect\.InstallerActions\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18306" "*\ScreenConnect.Windows.dll*",".{0,1000}\\ScreenConnect\.Windows\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software 
application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18307" "*\ScreenConnect.WindowsBackstageShell.exe*",".{0,1000}\\ScreenConnect\.WindowsBackstageShell\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18308" "*\ScreenConnect.WindowsClient.exe*",".{0,1000}\\ScreenConnect\.WindowsClient\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18309" "*\ScreenConnect\Bin\*",".{0,1000}\\ScreenConnect\\Bin\\.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18310" "*\Screenshot.exe 
*",".{0,1000}\\Screenshot\.exe\s.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","18311" "*\Screenshot.ps1*",".{0,1000}\\Screenshot\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","18312" "*\Scripts\CreateRegKey.scp*",".{0,1000}\\Scripts\\CreateRegKey\.scp.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18314" 
"*\Scripts\DirLst.log*",".{0,1000}\\Scripts\\DirLst\.log.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18315" "*\Scripts\DirLst.scp*",".{0,1000}\\Scripts\\DirLst\.scp.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18316" "*\Scripts\DrvSize.scp*",".{0,1000}\\Scripts\\DrvSize\.scp.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18317" "*\Scripts\writetofile.scp*",".{0,1000}\\Scripts\\writetofile\.scp.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18318" 
"*\sdelete.exe*",".{0,1000}\\sdelete\.exe.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","18326" "*\SDelete.zip*",".{0,1000}\\SDelete\.zip.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","18327" "*\sdelete64.exe*",".{0,1000}\\sdelete64\.exe.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","18328" "*\sdelete64a.exe*",".{0,1000}\\sdelete64a\.exe.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","18329" "*\Service Install Overwrite Remote CFG*",".{0,1000}\\Service\sInstall\sOverwrite\sRemote\sCFG.{0,1000}","greyware_tool_keyword","Dameware","Solarwind 
Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18363" "*\Services\AteraAgent*",".{0,1000}\\Services\\AteraAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18365" "*\Services\DWAgent*",".{0,1000}\\Services\\DWAgent.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","18366" "*\Services\EventLog\Application\UltraVNC\*",".{0,1000}\\Services\\EventLog\\Application\\UltraVNC\\.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","18367" "*\Services\EventLog\Application\VSA X*",".{0,1000}\\Services\\EventLog\\Application\\VSA\sX.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18368" "*\Services\EventLog\Application\VSAX*",".{0,1000}\\Services\\EventLog\\Application\\VSAX.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18369" "*\Services\RemotePCAttendedService*",".{0,1000}\\Services\\RemotePCAttendedService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18372" "*\Services\SimpleHelp Server*",".{0,1000}\\Services\\SimpleHelp\sServer.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18373" "*\Services\TeamViewer\*",".{0,1000}\\Services\\TeamViewer\\.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#registry","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","18374" 
"*\SetACL.exe*",".{0,1000}\\SetACL\.exe.{0,1000}","greyware_tool_keyword","SetACL","Manage Windows permissions from the command line","T1069 - T1222","TA0002 - TA0004 - TA0005","N/A","N/A","Defense Evasion","https://helgeklein.com/download/","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","18384" "*\SetACL64.exe*",".{0,1000}\\SetACL64\.exe.{0,1000}","greyware_tool_keyword","SetACL","Manage Windows permissions from the command line","T1069 - T1222","TA0002 - TA0004 - TA0005","N/A","N/A","Defense Evasion","https://helgeklein.com/download/","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","18385" "*\SetExeSubsystem.ahk*",".{0,1000}\\SetExeSubsystem\.ahk.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","18387" "*\set-proxy.ps1*",".{0,1000}\\set\-proxy\.ps1.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","18389" "*\SFT: Enable Simple File Transfer*",".{0,1000}\\SFT\:\sEnable\sSimple\sFile\sTransfer.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18392" "*\Shadowsocks-*.zip*",".{0,1000}\\Shadowsocks\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - 
T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","18404" "*\Shadowsocks.CLI\*",".{0,1000}\\Shadowsocks\.CLI\\.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","18405" "*\Shadowsocks.csproj*",".{0,1000}\\Shadowsocks\.csproj.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","18406" "*\Shadowsocks.zip*",".{0,1000}\\Shadowsocks\.zip.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","18407" "*\shadowsocks-windows.sln*",".{0,1000}\\shadowsocks\-windows\.sln.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","18408" "*\ShellIconOverlayIdentifiers\_ MEGA (Pending)*",".{0,1000}\\ShellIconOverlayIdentifiers\\_\sMEGA\s\(Pending\).{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - 
Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18788" "*\ShellIconOverlayIdentifiers\_ MEGA (Synced)*",".{0,1000}\\ShellIconOverlayIdentifiers\\_\sMEGA\s\(Synced\).{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18789" "*\ShellIconOverlayIdentifiers\_ MEGA (Syncing)*",".{0,1000}\\ShellIconOverlayIdentifiers\\_\sMEGA\s\(Syncing\).{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18790" "*\Shredder.exe*",".{0,1000}\\Shredder\.exe.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is FREE and powerful application to shred and permanently remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.fileshredder.org/","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","18811" "*\Siber Systems\GoodSync\*",".{0,1000}\\Siber\sSystems\\GoodSync\\.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data 
Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","18815" "*\simplegateway.service""*",".{0,1000}\\simplegateway\.service\"".{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18834" "*\SimpleHelp TechnicianEmbedExample.html*",".{0,1000}\\SimpleHelp\sTechnicianEmbedExample\.html.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18835" "*\SimpleHelp.RemoteWork.127_0_0_1*",".{0,1000}\\SimpleHelp\.RemoteWork\.127_0_0_1.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18836" "*\SimpleHelp.Technician.127_0_0_1*",".{0,1000}\\SimpleHelp\.Technician\.127_0_0_1.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18837" "*\simplehelper64.exe*",".{0,1000}\\simplehelper64\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18838" "*\simplehelp-rw\shell*",".{0,1000}\\simplehelp\-rw\\shell.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18839" "*\simplehelpuninstall.exe*",".{0,1000}\\simplehelpuninstall\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18840" "*\SimpleService.exe*",".{0,1000}\\SimpleService\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18843" "*\sirtunnel.py*",".{0,1000}\\sirtunnel\.py.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","0","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","18859" "*\sish.log*",".{0,1000}\\sish\.log.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","18860" 
"*\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\*",".{0,1000}\\slave\\workspace\\GIT_WIN_SRS_Formal\\Source\\irisserver\\.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","18863" "*\SoftEther VPN *\client_log\client_20*.log*",".{0,1000}\\SoftEther\sVPN\s.{0,1000}\\client_log\\client_20.{0,1000}\.log.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18940" "*\SoftEther VPN Client Developer Edition\*",".{0,1000}\\SoftEther\sVPN\sClient\sDeveloper\sEdition\\.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18941" "*\SoftEtherVPN-*.tar.xz*",".{0,1000}\\SoftEtherVPN\-.{0,1000}\.tar\.xz.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18942" "*\SoftEtherVPN_build-*.zip*",".{0,1000}\\SoftEtherVPN_build\-.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18943" "*\softether-vpnclient-*.exe*",".{0,1000}\\softether\-vpnclient\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18944" "*\softether-vpnserver_*.exe*",".{0,1000}\\softether\-vpnserver_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18945" "*\softether-vpnserver_vpnbridge-*.exe*",".{0,1000}\\softether\-vpnserver_vpnbridge\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18946" "*\SoftPerfect Network Scanner*",".{0,1000}\\SoftPerfect\sNetwork\sScanner.{0,1000}","greyware_tool_keyword","netscan","SoftPerfect Network Scanner abused by threat actors","T1040 - T1046 - T1018","TA0007 - TA0010 - TA0001","N/A","BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - AvosLocker - FiveHands - Yanluowang - MONTI - DarkSide - Everest - Cicada3301 - MedusaLocker - DragonForce - Phobos - Lynx","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","network exploitation tool","6","10","N/A","N/A","N/A","N/A","18947" "*\SoftPerfect Network Scanner\*",".{0,1000}\\SoftPerfect\sNetwork\sScanner\\.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","18948" "*\SOFTWARE\Ammyy\Admin*",".{0,1000}\\SOFTWARE\\Ammyy\\Admin.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18949" 
"*\Software\AweSun\SunLogin\SunloginClient*",".{0,1000}\\Software\\AweSun\\SunLogin\\SunloginClient.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18950" "*\SOFTWARE\Classes\.ahk\*",".{0,1000}\\SOFTWARE\\Classes\\\.ahk\\.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#registry","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","18951" "*\SOFTWARE\Classes\AutoHotkeyScript\*",".{0,1000}\\SOFTWARE\\Classes\\AutoHotkeyScript\\.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#registry","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","18952" "*\SOFTWARE\Clients\Media\AnyDesk*",".{0,1000}\\SOFTWARE\\Clients\\Media\\AnyDesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-003/","1","0","#registry","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","18953" "*\SOFTWARE\eHorusDispl\*",".{0,1000}\\SOFTWARE\\eHorusDispl\\.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows 
- Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18954" "*\SOFTWARE\ITarian\RemoteControl*",".{0,1000}\\SOFTWARE\\ITarian\\RemoteControl.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18955" "*\SOFTWARE\Kaseya\*",".{0,1000}\\SOFTWARE\\Kaseya\\.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18956" "*\SOFTWARE\Level Platforms\Managed Workplace\*",".{0,1000}\\SOFTWARE\\Level\sPlatforms\\Managed\sWorkplace\\.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18958" "*\Software\LogMeInRescue\*",".{0,1000}\\Software\\LogMeInRescue\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by 
threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18959" "*\SOFTWARE\Martin Prikryl\WinSCP 2\*",".{0,1000}\\SOFTWARE\\Martin\sPrikryl\\WinSCP\s2\\.{0,1000}","greyware_tool_keyword","WinSCP","SFTP connection with WinSCP - legit tool abused by threat actors to exfiltrate data","T1105","TA0010","N/A","Akira - Unit 29155","Data Exfiltration","N/A","1","0","#registry","N/A","8","10","N/A","N/A","N/A","N/A","18960" "*\SOFTWARE\Microsoft\Tracing\PCMonitorSrv_RAS*",".{0,1000}\\SOFTWARE\\Microsoft\\Tracing\\PCMonitorSrv_RAS.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18961" "*\SOFTWARE\Microsoft\Tracing\Quick Assist Installer*",".{0,1000}\\SOFTWARE\\Microsoft\\Tracing\\Quick\sAssist\sInstaller.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","#registry","Quick Assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","18962" "*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftEther VPN*",".{0,1000}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SoftEther\sVPN.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#registry #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","18964" "*\Software\MSDART\Active Directory Explorer*",".{0,1000}\\Software\\MSDART\\Active\sDirectory\sExplorer.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","0","#registry","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","18965" "*\Software\NetSupport Ltd\*",".{0,1000}\\Software\\NetSupport\sLtd\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18966" "*\Software\OpenSSH\DefaultShell*",".{0,1000}\\Software\\OpenSSH\\DefaultShell.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","#registry","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","18967" "*\SOFTWARE\ORL\VNCHooks\Application_Prefs\WinVNC*",".{0,1000}\\SOFTWARE\\ORL\\VNCHooks\\Application_Prefs\\WinVNC.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - 
TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","18968" "*\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels* -Name ""DisableDevTunnelsInVisualStudio"" -Value 0 -Type Dword*",".{0,1000}\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels.{0,1000}\s\-Name\s\""DisableDevTunnelsInVisualStudio\""\s\-Value\s0\s\-Type\sDword.{0,1000}","greyware_tool_keyword","powershell","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","18969" "*\SOFTWARE\Supremo\*",".{0,1000}\\SOFTWARE\\Supremo\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18972" "*\Software\Supremo\Printer\*",".{0,1000}\\Software\\Supremo\\Printer\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18973" "*\Software\Sysinternals\Active Directory Explorer*",".{0,1000}\\Software\\Sysinternals\\Active\sDirectory\sExplorer.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. 
It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","0","#registry","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","18974" "*\SOFTWARE\Sysinternals\ProcDump\*",".{0,1000}\\SOFTWARE\\Sysinternals\\ProcDump\\.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18975" "*\SOFTWARE\Sysinternals\PsExec\EulaAccepted*",".{0,1000}\\SOFTWARE\\Sysinternals\\PsExec\\EulaAccepted.{0,1000}","greyware_tool_keyword","psexec","PsExec is a legitimate Microsoft tool for remote administration. However. attackers can misuse it to execute malicious commands or software on other network machines. install persistent threats. and evade some security systems. 
","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0008 - TA0009 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","18976" "*\Software\Sysinternals\Sdelete*",".{0,1000}\\Software\\Sysinternals\\Sdelete.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","#registry","N/A","6","10","N/A","N/A","N/A","N/A","18977" "*\SOFTWARE\TAP-Windows*",".{0,1000}\\SOFTWARE\\TAP\-Windows.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#registry #VPN","N/A","6","8","N/A","N/A","N/A","N/A","18978" "*\Software\TeamViewer\Temp*",".{0,1000}\\Software\\TeamViewer\\Temp.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - 
control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#registry","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","18979" "*\SOFTWARE\Usoris\Remote Utilities\*",".{0,1000}\\SOFTWARE\\Usoris\\Remote\sUtilities\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18980" "*\Software\WOW6432Node\FileZilla Client*",".{0,1000}\\Software\\WOW6432Node\\FileZilla\sClient.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","#registry","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","18981" "*\SOFTWARE\WOW6432Node\ITarian\ITSM\*",".{0,1000}\\SOFTWARE\\WOW6432Node\\ITarian\\ITSM\\.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18982" 
"*\SOFTWARE\WOW6432Node\Microsoft\Tracing\Proxifier_*",".{0,1000}\\SOFTWARE\\WOW6432Node\\Microsoft\\Tracing\\Proxifier_.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","#registry","N/A","8","9","N/A","N/A","N/A","N/A","18983" "*\SOFTWARE\WOW6432Node\NSIS_stunnel\*",".{0,1000}\\SOFTWARE\\WOW6432Node\\NSIS_stunnel\\.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#registry","N/A","7","8","N/A","N/A","N/A","N/A","18984" "*\SOFTWARE\WOW6432Node\Supremo\*",".{0,1000}\\SOFTWARE\\WOW6432Node\\Supremo\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18985" "*\SOFTWARE\WOW6432Node\TightVNC\*",".{0,1000}\\SOFTWARE\\WOW6432Node\\TightVNC\\.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","18986" "*\SOFTWARE\Zoho Assist*",".{0,1000}\\SOFTWARE\\Zoho\sAssist.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered 
Spider*","RMM","https://www.zoho.com/assist/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","18988" "*\SolarWinds.DepInjectedClassWalker.dll*",".{0,1000}\\SolarWinds\.DepInjectedClassWalker\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18990" "*\SolarWinds.Diags.Contract.dll*",".{0,1000}\\SolarWinds\.Diags\.Contract\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18991" "*\SolarWinds.Diags.DameWare.Extensions.dll*",".{0,1000}\\SolarWinds\.Diags\.DameWare\.Extensions\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18992" "*\SolarWinds.Diags.exe*",".{0,1000}\\SolarWinds\.Diags\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18993" "*\SolarWinds.Diags.exe.config*",".{0,1000}\\SolarWinds\.Diags\.exe\.config.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18994" "*\SolarWinds.Diags.Extensions.Common.dll*",".{0,1000}\\SolarWinds\.Diags\.Extensions\.Common\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18995" "*\SolarWinds.Diags.Extensions.dll*",".{0,1000}\\SolarWinds\.Diags\.Extensions\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18996" "*\SolarWinds.Diags.Platform.Extensions.dll*",".{0,1000}\\SolarWinds\.Diags\.Platform\.Extensions\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18997" "*\SolarWinds.Diags.Strings.dll*",".{0,1000}\\SolarWinds\.Diags\.Strings\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","18998" "*\SOLARWINDS.DRS.LICENSOR.EXE-*",".{0,1000}\\SOLARWINDS\.DRS\.LICENSOR\.EXE\-.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","18999" "*\SolarWinds.LicenseManager.msi*",".{0,1000}\\SolarWinds\.LicenseManager\.msi.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19000" "*\SolarWinds.Licensing.Gen4.dll*",".{0,1000}\\SolarWinds\.Licensing\.Gen4\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19001" "*\SolarWinds.Licensing.Gen4.dll.config*",".{0,1000}\\SolarWinds\.Licensing\.Gen4\.dll\.config.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19002" "*\SolarWinds.Licensing.Gen4.Resources.dll*",".{0,1000}\\SolarWinds\.Licensing\.Gen4\.Resources\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19003" "*\SolarWinds.Licensing.Gen4.UI.dll*",".{0,1000}\\SolarWinds\.Licensing\.Gen4\.UI\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini 
Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19004" "*\SolarWinds.Licensing.MRC.COMWrapper.dll*",".{0,1000}\\SolarWinds\.Licensing\.MRC\.COMWrapper\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19005" "*\SolarWinds.Licensing.MRC.COMWrapper.dll.config*",".{0,1000}\\SolarWinds\.Licensing\.MRC\.COMWrapper\.dll\.config.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19006" "*\SolarWinds.Licensing.MRC.COMWrapper.tlb*",".{0,1000}\\SolarWinds\.Licensing\.MRC\.COMWrapper\.tlb.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19007" "*\SolarWinds.Logging.dll*",".{0,1000}\\SolarWinds\.Logging\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19008" 
"*\SolarWinds.MRC.Licensor.exe*",".{0,1000}\\SolarWinds\.MRC\.Licensor\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19009" "*\SolarWinds.MRC.Licensor.exe*",".{0,1000}\\SolarWinds\.MRC\.Licensor\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19010" "*\SolarWinds.MRC.Licensor.exe.config*",".{0,1000}\\SolarWinds\.MRC\.Licensor\.exe\.config.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19011" "*\SolarWinds.MRC.Licensor.log*",".{0,1000}\\SolarWinds\.MRC\.Licensor\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19012" "*\SolarWinds.Pluggability.Contract.dll*",".{0,1000}\\SolarWinds\.Pluggability\.Contract\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote 
Control","10","10","N/A","N/A","N/A","N/A","19013" "*\SolarWinds.Pluggability.dll*",".{0,1000}\\SolarWinds\.Pluggability\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19014" "*\SolarWinds\Dameware Mini Remote Control*",".{0,1000}\\SolarWinds\\Dameware\sMini\sRemote\sControl.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19015" "*\SolarWinds\Logs\Dameware*",".{0,1000}\\SolarWinds\\Logs\\Dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","19016" "*\SOLARWINDS-DAMEWARE-DRS-ST.EX-*",".{0,1000}\\SOLARWINDS\-DAMEWARE\-DRS\-ST\.EX\-.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","19017" "*\SolarWinds-Dameware-DRS-St.exe*",".{0,1000}\\SolarWinds\-Dameware\-DRS\-St\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote 
Support","10","10","N/A","N/A","N/A","N/A","19018" "*\spacerunner.exe*",".{0,1000}\\spacerunner\.exe.{0,1000}","greyware_tool_keyword","SpaceRunner","enables the compilation of a C# program that will execute arbitrary PowerShell code without launching PowerShell processes through the use of runspace.","T1059.001 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/Mr-B0b/SpaceRunner","1","0","N/A","N/A","7","2","195","38","2020-07-26T10:39:53Z","2020-07-26T09:31:09Z","19022" "*\speedtest.exe --accept-license*",".{0,1000}\\speedtest\.exe\s\-\-accept\-license.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","19034" "*\speedtest.exe"" --accept-license*",".{0,1000}\\speedtest\.exe\""\s\-\-accept\-license.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","19035" "*\Splashtop Remote\*",".{0,1000}\\Splashtop\sRemote\\.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - 
Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19042" "*\Splashtop\Temp\*",".{0,1000}\\Splashtop\\Temp\\.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19043" "*\Splashtop\Temp\log\FTCLog.txt*",".{0,1000}\\Splashtop\\Temp\\log\\FTCLog\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19044" "*\spool\drivers\x64\rupd.*",".{0,1000}\\spool\\drivers\\x64\\rupd\..{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19051" "*\SRService.exe*",".{0,1000}\\SRService\.exe.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub 
- Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19086" "*\ss_privoxy.log*",".{0,1000}\\ss_privoxy\.log.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","19087" "*\sshtunnel.py*",".{0,1000}\\sshtunnel\.py.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","19091" "*\sshx-*.tar.gz*",".{0,1000}\\sshx\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","0","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","19092" "*\start dameware remote everywhere agent.lnk*",".{0,1000}\\start\sdameware\sremote\severywhere\sagent\.lnk.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19110" "*\Start Menu\Programs\Advanced IP Scanner v2*",".{0,1000}\\Start\sMenu\\Programs\\Advanced\sIP\sScanner\sv2.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. 
provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","19111" "*\Start Menu\Programs\Advanced Monitoring Agent.lnk*",".{0,1000}\\Start\sMenu\\Programs\\Advanced\sMonitoring\sAgent\.lnk.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19112" "*\start menu\programs\dameware*",".{0,1000}\\start\smenu\\programs\\dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19113" "*\Start Menu\Programs\DWAgent*",".{0,1000}\\Start\sMenu\\Programs\\DWAgent.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","19114" "*\Start Menu\Programs\LogMeIn Rescue\*",".{0,1000}\\Start\sMenu\\Programs\\LogMeIn\sRescue\\.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is
a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19115" "*\Start Menu\Programs\LogMeIn*",".{0,1000}\\Start\sMenu\\Programs\\LogMeIn.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19116" "*\Start Menu\Programs\MEGAsync\*",".{0,1000}\\Start\sMenu\\Programs\\MEGAsync\\.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19117" "*\Start Menu\Programs\NetSupport*",".{0,1000}\\Start\sMenu\\Programs\\NetSupport.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19118" "*\Start Menu\Programs\Proxifier*",".{0,1000}\\Start\sMenu\\Programs\\Proxifier.{0,1000}","greyware_tool_keyword","Proxifier","allows 
to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19119" "*\Start Menu\Programs\Radmin Server *",".{0,1000}\\Start\sMenu\\Programs\\Radmin\sServer\s.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19120" "*\Start Menu\Programs\Radmin Viewer *",".{0,1000}\\Start\sMenu\\Programs\\Radmin\sViewer\s.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19121" "*\Start Menu\Programs\StartUp\SoftEther VPN Client*",".{0,1000}\\Start\sMenu\\Programs\\StartUp\\SoftEther\sVPN\sClient.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","19122" "*\StartupTNotiMEGAsync.lnk*",".{0,1000}\\StartupTNotiMEGAsync\.lnk.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://mega.io/en/desktop","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19125" "*\StopSimpleGatewayService.exe*",".{0,1000}\\StopSimpleGatewayService\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19150" "*\strwinclt.exe*",".{0,1000}\\strwinclt\.exe.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19155" "*\stunnel-*-win64-installer.exe*",".{0,1000}\\stunnel\-.{0,1000}\-win64\-installer\.exe.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","19156" "*\stunnel\config\stunnel.pem*",".{0,1000}\\stunnel\\config\\stunnel\.pem.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","19157" 
"*\stunnel-latest-win64-installer.exe*",".{0,1000}\\stunnel\-latest\-win64\-installer\.exe.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","19158" "*\suo5-gui-darwin.app.zip*",".{0,1000}\\suo5\-gui\-darwin\.app\.zip.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#linux","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","19164" "*\suo5-gui-windows.exe*",".{0,1000}\\suo5\-gui\-windows\.exe.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","19165" "*\suo5-windows-amd64.exe*",".{0,1000}\\suo5\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","19166" "*\Supremo Remote Printer\*",".{0,1000}\\Supremo\sRemote\sPrinter\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19172" "*\Supremo.exe*",".{0,1000}\\Supremo\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - 
TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19173" "*\SUPREMO.EXE-*.pf*",".{0,1000}\\SUPREMO\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19174" "*\Supremo_Client_2*",".{0,1000}\\Supremo_Client_2.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","pipename","10","10","N/A","N/A","N/A","N/A","19175" "*\Supremo_Helper_2*",".{0,1000}\\Supremo_Helper_2.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","pipename","10","10","N/A","N/A","N/A","N/A","19176" "*\Supremo_Service*",".{0,1000}\\Supremo_Service.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","pipename","10","10","N/A","N/A","N/A","N/A","19177" "*\SupremoHelper.exe*",".{0,1000}\\SupremoHelper\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19178" "*\SupremoRemoteDesktop\*",".{0,1000}\\SupremoRemoteDesktop\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - 
TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19179" "*\syncthing.exe*",".{0,1000}\\syncthing\.exe.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","19195" "*\System\CurrentControlSet\Services\ehorus*",".{0,1000}\\System\\CurrentControlSet\\Services\\ehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","19198" "*\System\CurrentControlSet\Services\EHORUSAGENT*",".{0,1000}\\System\\CurrentControlSet\\Services\\EHORUSAGENT.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","19199" "*\system32.zip*",".{0,1000}\\system32\.zip.{0,1000}","greyware_tool_keyword","ntdsutil","creating a full backup of the Active Directory database and saving it to the \temp directory","T1003.001 - T1070.004 - T1059","TA0005 - TA0003 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","19200" "*\System32\rupdpm.dll*",".{0,1000}\\System32\\rupdpm\.dll.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19202" "*\System32\yak.exe*",".{0,1000}\\System32\\yak\.exe.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","19203" "*\SysWOW64\rserver30\FamItrf2*",".{0,1000}\\SysWOW64\\rserver30\\FamItrf2.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19206" "*\SysWOW64\rserver30\FamItrfc*",".{0,1000}\\SysWOW64\\rserver30\\FamItrfc.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - 
T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19207" "*\tacticalagent-v*-linux-arm.exe*",".{0,1000}\\tacticalagent\-v.{0,1000}\-linux\-arm\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","19208" "*\tacticalagent-v*-windows-amd64.exe*",".{0,1000}\\tacticalagent\-v.{0,1000}\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","19209" "*\tacticalrmm.exe*",".{0,1000}\\tacticalrmm\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","19210" "*\tacticalrmm\*",".{0,1000}\\tacticalrmm\\.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","19211" "*\tailscale.exe*",".{0,1000}\\tailscale\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects 
your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19212" "*\tailscale\cli\*",".{0,1000}\\tailscale\\cli\\.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19213" "*\tailscale\client\*",".{0,1000}\\tailscale\\client\\.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19214" "*\tailscale\clientupdate\*",".{0,1000}\\tailscale\\clientupdate\\.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19215" "*\tailscale\cmd\*",".{0,1000}\\tailscale\\cmd\\.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19216" "*\tailscale_*_*.deb*",".{0,1000}\\tailscale_.{0,1000}_.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19217" "*\tailscale_*_*.tgz*",".{0,1000}\\tailscale_.{0,1000}_.{0,1000}\.tgz.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19218" "*\tailscaled.go*",".{0,1000}\\tailscaled\.go.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19219" "*\tailscale-setup-*.exe*",".{0,1000}\\tailscale\-setup\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19220"
"*\tap-windows-*.exe*",".{0,1000}\\tap\-windows\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","19224" "*\TaskCache\Tree\VSA XServiceCheck*",".{0,1000}\\TaskCache\\Tree\\VSA\sXServiceCheck.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19225" "*\Tasks\PulsewayServiceCheck*",".{0,1000}\\Tasks\\PulsewayServiceCheck.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19228" "*\tcdirectchat.exe*",".{0,1000}\\tcdirectchat\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19231" "*\tcdirectchatde.dll*",".{0,1000}\\tcdirectchatde\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19232" "*\tcdirectchaten.dll*",".{0,1000}\\tcdirectchaten\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19233" "*\tcdirectchates.dll*",".{0,1000}\\tcdirectchates\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19234" "*\tcdirectchatfr.dll*",".{0,1000}\\tcdirectchatfr\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19235" "*\tcdirectchatit.dll*",".{0,1000}\\tcdirectchatit\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19236" "*\tcdirectchatpt.dll*",".{0,1000}\\tcdirectchatpt\.dll.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19237" "*\tcrmtshellagent.exe*",".{0,1000}\\tcrmtshellagent\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware 
Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19242" "*\tcrmtshellagent_*.log*",".{0,1000}\\tcrmtshellagent_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19243" "*\tcrmtshellagentmodule_*",".{0,1000}\\tcrmtshellagentmodule_.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19244" "*\tcrmtshellviewer.exe*",".{0,1000}\\tcrmtshellviewer\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19245" "*\tcrmtshellviewer_*.log*",".{0,1000}\\tcrmtshellviewer_.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19246" "*\tcrmtshellviewermodule_*",".{0,1000}\\tcrmtshellviewermodule_.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19247" "*\TDSSKiller.exe*",".{0,1000}\\TDSSKiller\.exe.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","19248" "*\tdsskiller.zip*",".{0,1000}\\tdsskiller\.zip.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","19249" "*\TeamViewer.exe*",".{0,1000}\\TeamViewer\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19262" "*\TeamViewer\Connections.txt*",".{0,1000}\\TeamViewer\\Connections\.txt.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - 
Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19263" "*\TeamViewer\Connections_incoming.txt*",".{0,1000}\\TeamViewer\\Connections_incoming\.txt.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19264" "*\TeamViewer_.ex*",".{0,1000}\\TeamViewer_\.ex.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19265" "*\teamviewer_note.exe*",".{0,1000}\\teamviewer_note\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19266" 
"*\TeamViewerSession\shell\open*",".{0,1000}\\TeamViewerSession\\shell\\open.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19267" "*\TeamViewerTermsOfUseAccepted*",".{0,1000}\\TeamViewerTermsOfUseAccepted.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19268" "*\Temp\*\ntds.dit*",".{0,1000}\\Temp\\.{0,1000}\\ntds\.dit.{0,1000}","greyware_tool_keyword","wmic","The NTDS.dit file is the heart of Active Directory including user accounts If it's found in the Temp directory it could indicate that an attacker has copied the file here in an attempt to extract sensitive information.","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19269" "*\Temp\*\ntds.jfm*",".{0,1000}\\Temp\\.{0,1000}\\ntds\.jfm.{0,1000}","greyware_tool_keyword","wmic","Like the ntds.dit file it should not normally 
be found in the Temp directory.","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19270" "*\temp\__SentinelAgentKernel.dmp*",".{0,1000}\\temp\\__SentinelAgentKernel\.dmp.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","19271" "*\temp\__SentinelAgentUser.dmp*",".{0,1000}\\temp\\__SentinelAgentUser\.dmp.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","19272" "*\Temp\2\Advanced Port Scanner 2\*",".{0,1000}\\Temp\\2\\Advanced\sPort\sScanner\s2\\.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","19273" "*\Temp\AnyDeskUninst*",".{0,1000}\\Temp\\AnyDeskUninst.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - 
Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","19274" "*\TEMP\AteraUpgradeAgentPackage\*",".{0,1000}\\TEMP\\AteraUpgradeAgentPackage\\.{0,1000}","greyware_tool_keyword","Atera","control remote machines - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19275" "*\Temp\BitLockerToGo*",".{0,1000}\\Temp\\BitLockerToGo.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is a legitimate Windows utility used for managing BitLocker encryption - abused by malware like LummaStealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Defense Evasion","https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19276" "*\Temp\clipboard.log*",".{0,1000}\\Temp\\clipboard\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","19278" 
"*\temp\code-tunnel.exe*",".{0,1000}\\temp\\code\-tunnel\.exe.{0,1000}","greyware_tool_keyword","vscode","the binary for the code-tunnels component is self-contained / portable and signed - seing it in different location than \Programs\Microsoft VS Code\bin\ is suspicious ","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19280" "*\Temp\dave.log*",".{0,1000}\\Temp\\dave\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","19282" "*\Temp\fsdgss.log*",".{0,1000}\\Temp\\fsdgss\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","19286" 
"*\Temp\install_windows.exe*",".{0,1000}\\Temp\\install_windows\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19291" "*\TEMP\ScreenConnect\*.ps1*",".{0,1000}\\TEMP\\ScreenConnect\\.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","screenconnect.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19299" "*\Temp\ScreenConnect\*\setup.msi*",".{0,1000}\\Temp\\ScreenConnect\\.{0,1000}\\setup\.msi.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19300" "*\Temp\SupremoRemoteDesktop*",".{0,1000}\\Temp\\SupremoRemoteDesktop.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19301" "*\Temp\WizTree.exe*",".{0,1000}\\Temp\\WizTree\.exe.{0,1000}","greyware_tool_keyword","wiztree","legitimate tool abused by threat actors to obtain network files and directory listings","T1083","TA0007","N/A","Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - 
Royal","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","19309" "*\Temp\XEOX*",".{0,1000}\\Temp\\XEOX.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19310" "*\test_rustdesk.log*",".{0,1000}\\test_rustdesk\.log.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","19316" "*\test_tailscale.sh*",".{0,1000}\\test_tailscale\.sh.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","19317" "*\TightVNC Server*",".{0,1000}\\TightVNC\sServer.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19348" "*\tightvnc-*",".{0,1000}\\tightvnc\-.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 
- T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19349" "*\TightVNC_Service_Control*",".{0,1000}\\TightVNC_Service_Control.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","named pipe https://github.com/mthcht/awesome-lists/blob/9080701200e4f9f2e523bee7cde7b335121b1cb2/Lists/suspicious_named_pipe_list.csv#L2","10","10","N/A","N/A","N/A","N/A","19350" "*\tir_blanc_holiseum\*.exe*",".{0,1000}\\tir_blanc_holiseum\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","tir_blanc_holiseum","Ransomware simulation","T1486 - T1204 - T1027 - T1059","TA0040 - TA0002 - TA0005","N/A","N/A","Ransomware","https://www.holiseum.com/services/auditer/tir-a-blanc-ransomware","1","0","N/A","N/A","4","6","N/A","N/A","N/A","N/A","19360" "*\tkcuploader.exe*",".{0,1000}\\tkcuploader\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19361" "*\tmole.exe*",".{0,1000}\\tmole\.exe.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","19362" "*\Tools\Ninja.WebSockets.dll*",".{0,1000}\\Tools\\Ninja\.WebSockets\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19390" "*\Tracing\RemotePCLauncher_*",".{0,1000}\\Tracing\\RemotePCLauncher_.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19412" "*\Tracing\RemotePCUIU*",".{0,1000}\\Tracing\\RemotePCUIU.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19413" "*\TransferClient.exe.config*",".{0,1000}\\TransferClient\.exe\.config.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19414" "*\TransferServer.exe.config*",".{0,1000}\\TransferServer\.exe\.config.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19415" "*\tstunnel.exe*",".{0,1000}\\tstunnel\.exe.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","19438" "*\tunnelmole.bundle.js*",".{0,1000}\\tunnelmole\.bundle\.js.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share 
your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","19447" "*\tunnel-service.log*",".{0,1000}\\tunnel\-service\.log.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","19448" "*\tunwg.exe*",".{0,1000}\\tunwg\.exe.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","19452" "*\tunwg-arm64.exe*",".{0,1000}\\tunwg\-arm64\.exe.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","19453" "*\TV15Install.log*",".{0,1000}\\TV15Install\.log.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer 
usage","10","10","N/A","N/A","N/A","N/A","19455" "*\TVExtractTemp\TeamViewer_Resource_*",".{0,1000}\\TVExtractTemp\\TeamViewer_Resource_.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19456" "*\TVExtractTemp\tvfiles.7z*",".{0,1000}\\TVExtractTemp\\tvfiles\.7z.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19457" "*\TvGetVersion.dll*",".{0,1000}\\TvGetVersion\.dll.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19458" "*\TVN_log_pipe_public_name*",".{0,1000}\\TVN_log_pipe_public_name.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open 
Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","named pipe https://github.com/mthcht/awesome-lists/blob/9080701200e4f9f2e523bee7cde7b335121b1cb2/Lists/suspicious_named_pipe_list.csv#L2","10","10","N/A","N/A","N/A","N/A","19459" "*\TVNetwork.log*",".{0,1000}\\TVNetwork\.log.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19460" "*\TVWebRTC.dll*",".{0,1000}\\TVWebRTC\.dll.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19461" "*\Two Pilots\Agent\Remote Utilities Printer*",".{0,1000}\\Two\sPilots\\Agent\\Remote\sUtilities\sPrinter.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - 
UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19462" "*\ultravnc.cer*",".{0,1000}\\ultravnc\.cer.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19496" "*\UltraVNC.ini*",".{0,1000}\\UltraVNC\.ini.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19497" "*\unidrv_rupd.dll*",".{0,1000}\\unidrv_rupd\.dll.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19503" "*\unidrv_rupd.hlp*",".{0,1000}\\unidrv_rupd\.hlp.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19504" "*\unidrvui_rupd.dll*",".{0,1000}\\unidrvui_rupd\.dll.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19505" 
"*\Uninstall IObit Unlocker.lnk*",".{0,1000}\\Uninstall\sIObit\sUnlocker\.lnk.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","19506" "*\Uninstall IObit Unlocker.url*",".{0,1000}\\Uninstall\sIObit\sUnlocker\.url.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","19507" "*\Uninstall\MeshCentralAgent*",".{0,1000}\\Uninstall\\MeshCentralAgent.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","19508" "*\Uninstall\softether_sedevvpnclient*",".{0,1000}\\Uninstall\\softether_sedevvpnclient.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","19509" "*\unires_vpd.dll*",".{0,1000}\\unires_vpd\.dll.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - 
UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19510" "*\Unlocker.exe*",".{0,1000}\\Unlocker\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","19514" "*\unlocker-setup (1).exe*",".{0,1000}\\unlocker\-setup\s\(1\)\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","19515" "*\unlocker-setup.exe*",".{0,1000}\\unlocker\-setup\.exe.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","19516" "*\unlocker-setup.tmp*",".{0,1000}\\unlocker\-setup\.tmp.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","19517" "*\Update MEGAcmd.lnk*",".{0,1000}\\Update\sMEGAcmd\.lnk.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","19529" "*\Update_UVS.exe*",".{0,1000}\\Update_UVS\.exe.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","19530" "*\Update-DuckDNS.ps1*",".{0,1000}\\Update\-DuckDNS\.ps1.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","19531" "*\updog-master\*",".{0,1000}\\updog\-master\\.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. 
It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","0","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","19532" "*\Users\*\AppData\Local\GoodSync*",".{0,1000}\\Users\\.{0,1000}\\AppData\\Local\\GoodSync.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","19540" "*\Users\*\AppData\Local\Temp\*.megatools.cache*",".{0,1000}\\Users\\.{0,1000}\\AppData\\Local\\Temp\\.{0,1000}\.megatools\.cache.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","","N/A","","","","19541" "*\Users\Public\*.dmp*",".{0,1000}\\Users\\Public\\.{0,1000}\.dmp.{0,1000}","greyware_tool_keyword","Procdump","Dump files might contain sensitive data and are often created as part of debugging processes or by attackers exfiltrating data. 
Users\Public should not be used","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","false positive risks","10","10","N/A","N/A","N/A","N/A","19545" "*\Users\Public\*ntds.dit*",".{0,1000}\\Users\\Public\\.{0,1000}ntds\.dit.{0,1000}","greyware_tool_keyword","wmic","this file shouldn't be found in the Users\Public directory. Its presence could be a sign of an ongoing or past attack.","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19546" "*\Users\Public\*ntds.jfm*",".{0,1000}\\Users\\Public\\.{0,1000}ntds\.jfm.{0,1000}","greyware_tool_keyword","wmic","Like the ntds.dit file it should not normally be found in this directory.","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19547" "*\Users\Public\Desktop\TVTest.tmp*",".{0,1000}\\Users\\Public\\Desktop\\TVTest\.tmp.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered 
Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19558" "*\uTorrent\*",".{0,1000}\\uTorrent\\.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. Not something we want to see installed in an enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","0","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","19577" "*\utweb.exe*",".{0,1000}\\utweb\.exe.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. Not something we want to see installed in an enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","0","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","19578" "*\uvnc bvba\UltraVNC\*",".{0,1000}\\uvnc\sbvba\\UltraVNC\\.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19580" "*\uvnc_launch.exe*",".{0,1000}\\uvnc_launch\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","19581" 
"*\uvnc_settings.ex*",".{0,1000}\\uvnc_settings\.ex.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","19582" "*\uvnc_settings.exe*",".{0,1000}\\uvnc_settings\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19583" "*\uvnckeyboardhelper.exe*",".{0,1000}\\uvnckeyboardhelper\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19584" "*\uvs_v415eng.zip*",".{0,1000}\\uvs_v415eng\.zip.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","19585" "*\UX\reset-assoc.ahk*",".{0,1000}\\UX\\reset\-assoc\.ahk.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","19586" 
"*\VboxHeadless.exe"" -startvm * -v off*",".{0,1000}\\VboxHeadless\.exe\""\s\-startvm\s.{0,1000}\s\-v\soff.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","19596" "*\vbs2exe.exe*",".{0,1000}\\vbs2exe\.exe.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","19597" "*\Videos\AnyDesk*",".{0,1000}\\Videos\\AnyDesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","19612" "*\ViewerHostKeyPopup.exe*",".{0,1000}\\ViewerHostKeyPopup\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19613" 
"*\ViewerHostKeyPopup.exe*",".{0,1000}\\ViewerHostKeyPopup\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19614" "*\viewer-portable-7.2.2.0\*",".{0,1000}\\viewer\-portable\-7\.2\.2\.0\\.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19615" "*\VncSharp.exe*",".{0,1000}\\VncSharp\.exe.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral Movement","https://github.com/humphd/VncSharp","1","0","N/A","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","19624" "*\VncSharp.sln*",".{0,1000}\\VncSharp\.sln.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral Movement","https://github.com/humphd/VncSharp","1","0","N/A","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","19625" "*\vncviewer.exe*",".{0,1000}\\vncviewer\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19626" 
"*\VPDAgent.exe*",".{0,1000}\\VPDAgent\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19634" "*\vpncmgr.exe*",".{0,1000}\\vpncmgr\.exe.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","19635" "*\VSA X Manager.lnk*",".{0,1000}\\VSA\sX\sManager\.lnk.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19636" "*\VSA X Remote Control.lnk*",".{0,1000}\\VSA\sX\sRemote\sControl\.lnk.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19637" "*\VSA X Remote Control\*",".{0,1000}\\VSA\sX\sRemote\sControl\\.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service 
providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19638" "*\VSA X\watchdog.bat*",".{0,1000}\\VSA\sX\\watchdog\.bat.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19639" "*\VSA XServiceCheck*",".{0,1000}\\VSA\sXServiceCheck.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19640" "*\VSAX\working*",".{0,1000}\\VSAX\\working.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19642" "*\VSAX_x64.msi*",".{0,1000}\\VSAX_x64\.msi.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19643" "*\vsxrc-clip.exe*",".{0,1000}\\vsxrc\-clip\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19644" "*\webvulnscan1*.exe*",".{0,1000}\\webvulnscan1.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19691" "*\webvulnscan10_Trial*",".{0,1000}\\webvulnscan10_Trial.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19692" "*\webvulnscan2*.exe*",".{0,1000}\\webvulnscan2.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19693" "*\webvulnscan3*.exe*",".{0,1000}\\webvulnscan3.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat 
actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19694" "*\Win7Taskbar.dll*",".{0,1000}\\Win7Taskbar\.dll.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19714" "*\Windows\Action1\scripts\*",".{0,1000}\\Windows\\Action1\\scripts\\.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19720" "*\windows\currentversion\run -v netcat *",".{0,1000}\\windows\\currentversion\\run\s\-v\snetcat\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19723" "*\Windows\Prefetch\PSEXEC*",".{0,1000}\\Windows\\Prefetch\\PSEXEC.{0,1000}","greyware_tool_keyword","psexec","PsExec is a legitimate Microsoft tool for remote administration. However. attackers can misuse it to execute malicious commands or software on other network machines. install persistent threats. and evade some security systems. 
","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0008 - TA0009 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","19726" "*\Windows\PSEXEC-*.key*",".{0,1000}\\Windows\\PSEXEC\-.{0,1000}\.key.{0,1000}","greyware_tool_keyword","psexec",".key file created and deleted on the target system","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0008 - TA0009 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","contain the hostname of the attacker in the file 
name","10","10","N/A","N/A","N/A","N/A","19727" "*\Windows\Start Menu\Programs\Eraser\Eraser Verify.lnk*",".{0,1000}\\Windows\\Start\sMenu\\Programs\\Eraser\\Eraser\sVerify\.lnk.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","19728" "*\Windows\Start Menu\Programs\Eraser\Eraser Website.url*",".{0,1000}\\Windows\\Start\sMenu\\Programs\\Eraser\\Eraser\sWebsite\.url.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","19729" "*\Windows\system32\ROUTE.EXE"" print*",".{0,1000}\\Windows\\system32\\ROUTE\.EXE\""\sprint.{0,1000}","greyware_tool_keyword","route","display the IP routing table on a system","T1016 - T1087 - T1049","TA0007 - TA0043","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19732" "*\Windows\system32\SubDir\Client.exe*",".{0,1000}\\Windows\\system32\\SubDir\\Client\.exe.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","19733" "*\Windows\SysWOW64\rserver30\*",".{0,1000}\\Windows\\SysWOW64\\rserver30\\.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19735" "*\Windows\Temp\*\wireguard.sys*",".{0,1000}\\Windows\\Temp\\.{0,1000}\\wireguard\.sys.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","19740" "*\Windows\Temp\sam.save*",".{0,1000}\\Windows\\Temp\\sam\.save.{0,1000}","greyware_tool_keyword","reg","a copy of the registry hive","T1003.002","TA0009","N/A","N/A","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","19754" "*\Windows\Temp\ScreenConnect\*.cmd*",".{0,1000}\\Windows\\Temp\\ScreenConnect\\.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - 
BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19757" "*\Windows\Temp\ScreenConnect\*.ps1*",".{0,1000}\\Windows\\Temp\\ScreenConnect\\.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19758" "*\Windows\Temp\TeamViewer*",".{0,1000}\\Windows\\Temp\\TeamViewer.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","19763" "*\WindowsApps\MicrosoftCorporationII.QuickAssist_*",".{0,1000}\\WindowsApps\\MicrosoftCorporationII\.QuickAssist_.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","19771" "*\winpty-agent64.exe*",".{0,1000}\\winpty\-agent64\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by 
attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19800" "*\WinRing0x64.sys*",".{0,1000}\\WinRing0x64\.sys.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","image loaded","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","19802" "*\WinSxS\amd64_microsoft-windows-quickassist_*",".{0,1000}\\WinSxS\\amd64_microsoft\-windows\-quickassist_.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","19807" "*\winvnc.exe*",".{0,1000}\\winvnc\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19808" "*\winvncsc.exe*",".{0,1000}\\winvncsc\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19809" "*\winwvc.exe*",".{0,1000}\\winwvc\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - 
APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19810" "*\wireguard.go*",".{0,1000}\\wireguard\.go.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","19813" "*\WireGuard.lnk*",".{0,1000}\\WireGuard\.lnk.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","19814" "*\Wireguard.zip*",".{0,1000}\\Wireguard\.zip.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","19815" "*\wireguard-installer.exe*",".{0,1000}\\wireguard\-installer\.exe.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","19816" "*\wireguard-installer.rar*",".{0,1000}\\wireguard\-installer\.rar.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - 
TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","19817" "*\wireproxy.service*",".{0,1000}\\wireproxy\.service.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","19819" "*\wireproxy\*",".{0,1000}\\wireproxy\\.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","19820" "*\wireproxy-ci-test*",".{0,1000}\\wireproxy\-ci\-test.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","19821" "*\wireproxy-master*",".{0,1000}\\wireproxy\-master.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","19822" "*\wireproxy-udp*",".{0,1000}\\wireproxy\-udp.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","19823" 
"*\wiretap.exe*",".{0,1000}\\wiretap\.exe.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","19824" "*\wiretap.log*",".{0,1000}\\wiretap\.log.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","19825" "*\WizTree.exe*",".{0,1000}\\WizTree\.exe.{0,1000}","greyware_tool_keyword","wiztree","legitimate tool abused by threat actors to obtain network files and directory listings","T1083","TA0007","N/A","Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","19826" "*\wiztree_*_portable.zip* ",".{0,1000}\\wiztree_.{0,1000}_portable\.zip.{0,1000} ","greyware_tool_keyword","wiztree","legitimate tool abused by threat actors to obtain network files and directory listings","T1083","TA0007","N/A","Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","19827" "*\Word\Security /v AccessVBOM /t REG_DWORD /d 1 /f*",".{0,1000}\\Word\\Security\s\/v\sAccessVBOM\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","Once AccessVBOM is enabled - an attacker can use VBA to embed or execute malicious code","T1059.005 - T1027 - T1204","TA0002 - TA0005","N/A","APT28","Defense 
Evasion","https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","19853" "*\Word\Security"" -Name ""AccessVBOM"" -Value 1 -Type Dword*",".{0,1000}\\Word\\Security\""\s\-Name\s\""AccessVBOM\""\s\-Value\s1\s\-Type\sDword.{0,1000}","greyware_tool_keyword","powershell","Once AccessVBOM is enabled - an attacker can use VBA to embed or execute malicious code","T1059.005 - T1027 - T1204","TA0002 - TA0005","N/A","APT28","Defense Evasion","https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","19854" "*\WOW6432Node\Citrix\GoToMyPc*",".{0,1000}\\WOW6432Node\\Citrix\\GoToMyPc.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19857" "*\WOW6432Node\FreeFileSync*",".{0,1000}\\WOW6432Node\\FreeFileSync.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","19858" "*\wow6432node\multiplicar negocios\bace_dameware*",".{0,1000}\\wow6432node\\multiplicar\snegocios\\bace_dameware.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19860" "*\WOW6432Node\RemotePC*",".{0,1000}\\WOW6432Node\\RemotePC.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","19861" "*\WOW6432Node\Splashtop Inc.\Splashtop Remote Server*",".{0,1000}\\WOW6432Node\\Splashtop\sInc\.\\Splashtop\sRemote\sServer.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19862" "*\WVS_InstDBLogFile.csv*",".{0,1000}\\WVS_InstDBLogFile\.csv.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19880" "*\WVSScheduler.exe*",".{0,1000}\\WVSScheduler\.exe.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","19881" "*\x64\monblanking.sys*",".{0,1000}\\x64\\monblanking\.sys.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software 
that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19888" "*\x86_64-pc-windows-msvc\release\gt.exe*",".{0,1000}\\x86_64\-pc\-windows\-msvc\\release\\gt\.exe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","19892" "*\XEOX\Agent Watchdog on Boot*",".{0,1000}\\XEOX\\Agent\sWatchdog\son\sBoot.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","#scheduledtask","N/A","10","10","N/A","N/A","N/A","N/A","19900" "*\XEOX\Agent Watchdog on Wakeup*",".{0,1000}\\XEOX\\Agent\sWatchdog\son\sWakeup.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","#scheduledtask","N/A","10","10","N/A","N/A","N/A","N/A","19901" "*\XEOX\Agent Watchdog*",".{0,1000}\\XEOX\\Agent\sWatchdog.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","#scheduledtask","N/A","10","10","N/A","N/A","N/A","N/A","19902" 
"*\XEOX_cloud_agent_install.bat*",".{0,1000}\\XEOX_cloud_agent_install\.bat.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19903" "*\XEOXAgent.exe*",".{0,1000}\\XEOXAgent\.exe.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19904" "*\xeox-agent_x64\*",".{0,1000}\\xeox\-agent_x64\\.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19905" "*\xmrig-*-gcc-win64.zip*",".{0,1000}\\xmrig\-.{0,1000}\-gcc\-win64\.zip.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","19911" "*\xmrig.exe*",".{0,1000}\\xmrig\.exe.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","19913" 
"*\xmrig.log*",".{0,1000}\\xmrig\.log.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","19914" "*\xmrig_setup\*",".{0,1000}\\xmrig_setup\\.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","19915" "*\xmrig-6.20.0*",".{0,1000}\\xmrig\-6\.20\.0.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","19916" "*\xmrig-master*",".{0,1000}\\xmrig\-master.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","19917" "*\yak.exe*",".{0,1000}\\yak\.exe.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","19939" "*\ZA_Connect.exe*",".{0,1000}\\ZA_Connect\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19942" "*\ZA_Upgrader*",".{0,1000}\\ZA_Upgrader.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19943" "*\ZAAudioClient.exe*",".{0,1000}\\ZAAudioClient\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19944" "*\ZAFileTransfer.exe*",".{0,1000}\\ZAFileTransfer\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19945" "*\ZAService.exe*",".{0,1000}\\ZAService\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19946" "*\ZAudioClientPipe_*ServerReadPipe*",".{0,1000}\\ZAudioClientPipe_.{0,1000}ServerReadPipe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19947" 
"*\ZAudioClientPipe_*ServerWritePipe*",".{0,1000}\\ZAudioClientPipe_.{0,1000}ServerWritePipe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19948" "*\ZMAgent.exe*",".{0,1000}\\ZMAgent\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19958" "*\Zoho Assist\Zoho Assist Remote support*",".{0,1000}\\Zoho\sAssist\\Zoho\sAssist\sRemote\ssupport.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19959" "*\ZohoMeeting.7z*",".{0,1000}\\ZohoMeeting\.7z.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19960" "*\ZohoMeeting.exe*",".{0,1000}\\ZohoMeeting\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19961" "*\ZohoMeeting\agent.exe*",".{0,1000}\\ZohoMeeting\\agent\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 
- TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19962" "*\zohomeeting\agent.exe*",".{0,1000}\\zohomeeting\\agent\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19963" "*\ZohoMeeting\agent_ui.exe*",".{0,1000}\\ZohoMeeting\\agent_ui\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19964" "*\ZohoMeeting\Connect.exe*",".{0,1000}\\ZohoMeeting\\Connect\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19965" "*\ZohoMeeting\Connection.conf*",".{0,1000}\\ZohoMeeting\\Connection\.conf.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19966" "*\ZohoMeeting\log\*.log*",".{0,1000}\\ZohoMeeting\\log\\.{0,1000}\.log.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19967" 
"*\ZohoMeeting\ViewerUI.exe*",".{0,1000}\\ZohoMeeting\\ViewerUI\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19968" "*\ZohoTray.exe*",".{0,1000}\\ZohoTray\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19969" "*\ZohoURS.exe*",".{0,1000}\\ZohoURS\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19970" "*\ZohoURSService.exe*",".{0,1000}\\ZohoURSService\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","19971" "*\zrok.exe*",".{0,1000}\\zrok\.exe.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","19972" "*\zrok.zip*",".{0,1000}\\zrok\.zip.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","19973" "*\zrok-controller.log*",".{0,1000}\\zrok\-controller\.log.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","19974" "*\zrok-frontend.log*",".{0,1000}\\zrok\-frontend\.log.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","19975" "*] Creating c3pool_miner service*",".{0,1000}\]\sCreating\sc3pool_miner\sservice.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","20012" "*] Looking for the latest version of Monero miner*",".{0,1000}\]\sLooking\sfor\sthe\slatest\sversion\sof\sMonero\sminer.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - 
APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","20052" "*] Removing previous c3pool miner *",".{0,1000}\]\sRemoving\sprevious\sc3pool\sminer\s.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","20063" "*] Running miner in the background*",".{0,1000}\]\sRunning\sminer\sin\sthe\sbackground.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","20066" "*__dataplicity_remote_directory_scan___.json*",".{0,1000}__dataplicity_remote_directory_scan___\.json.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","20100" "*__PRIVOXY_BIND_IP__*",".{0,1000}__PRIVOXY_BIND_IP__.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","20101" "*__PRIVOXY_BIND_PORT__*",".{0,1000}__PRIVOXY_BIND_PORT__.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass 
firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","20102" "*_Classes\zohoassistlaunchv2*",".{0,1000}_Classes\\zohoassistlaunchv2.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20112" "*_NetSupport_NetSupport Manager_*",".{0,1000}_NetSupport_NetSupport\sManager_.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20144" "*_renamed_by_Action1*",".{0,1000}_renamed_by_Action1.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20169" "*| base64 -d *",".{0,1000}\|\sbase64\s\-d\s.{0,1000}","greyware_tool_keyword","base64","suspicious base64 commands used by the offensive tool traitor and other tools","T1140 - T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","FP risks","7","10","N/A","N/A","N/A","N/A","20186" "*| vegeta attack -duration 10s > /dev/null*",".{0,1000}\|\svegeta\sattack\s\-duration\s10s\s\>\s\/dev\/null.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","20190" "*| vegeta attack -rate *",".{0,1000}\|\svegeta\sattack\s\-rate\s.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","20191" "*<\Level\Level Watchdog>*",".{0,1000}\<\\Level\\Level\sWatchdog\>.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20199" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20203" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20204" "*delete.me<*",".{0,1000}\delete\.me\<.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - 
Anunak","Discovery","https://www.softperfect.com.cach3.com/board/read.php%3F12,10134,12202.html","1","0","N/A","risk of false positive","8","10","N/A","N/A","N/A","N/A","20208" "*AdExp<*",".{0,1000}\AdExp\<.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","20209" "*\lsass*procdump**",".{0,1000}\\\lsass\<\/Data\>\.{0,1000}procdump.{0,1000}\<\/Data\>.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","pipe connect ED 18 sysmon","10","10","N/A","N/A","N/A","N/A","20210" "*\lsassC:\Windows\System32\Taskmgr.exe*",".{0,1000}\\\lsass\<\/Data\>\C\:\\Windows\\System32\\Taskmgr\.exe\<\/Data\>.{0,1000}","greyware_tool_keyword","Taskmgr","dump lsass process with Taskmgr","T1003.001","TA0006","N/A","N/A","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","pipe connect ED 18 sysmon","10","10","N/A","N/A","N/A","N/A","20212" "*WireGuard*",".{0,1000}\WireGuard.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense 
Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","20213" "*dameware remote everywhere*",".{0,1000}\dameware\sremote\severywhere\<\/data\>.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20214" "*Installed GoToMyPC*",".{0,1000}\Installed\sGoToMyPC\<\/Data\>.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20215" "*LogMeIn, Inc.*",".{0,1000}\LogMeIn,\sInc\.\<\/Data\>.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20216" "*n-able take control*",".{0,1000}\n\-able\stake\scontrol\<\/data\>.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20217" "*Product: Chrome Remote Desktop Host*",".{0,1000}\Product\:\sChrome\sRemote\sDesktop\sHost.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by 
attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","#productname","N/A","10","10","N/A","N/A","N/A","N/A","20218" "*Product: Remote Utilities - Host -- *",".{0,1000}\Product\:\sRemote\sUtilities\s\-\sHost\s\-\-\s.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20219" "*Pulseway Remote Control*",".{0,1000}\Pulseway\sRemote\sControl\<\/Data\>.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20220" "*Received Request Execute automation * script * from device Id*",".{0,1000}\Received\sRequest\sExecute\sautomation\s.{0,1000}\sscript\s.{0,1000}\sfrom\sdevice\sId.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20221" "*Received Request Get RD pool score *pulseway.com/remote*",".{0,1000}\Received\sRequest\sGet\sRD\spool\sscore\s.{0,1000}pulseway\.com\/remote.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure 
remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20222" "*Remote Utilities - Host*",".{0,1000}\Remote\sUtilities\s\-\sHost\<\/Data\>.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20223" "*Remote Utilities Server<*",".{0,1000}\Remote\sUtilities\sServer\<.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20224" "*Removed Remote Utilities - Host.*",".{0,1000}\Removed\sRemote\sUtilities\s\-\sHost\.\<\/Data\>.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20225" "*ScreenConnect Software*",".{0,1000}\ScreenConnect\sSoftware\<\/Data\>.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20226" "*

Hello from Tailscale

*",".{0,1000}\Hello\sfrom\sTailscale\<\/h1\>.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","20232" "**",".{0,1000}\*",".{0,1000}\.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20250" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20251" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20252" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","20253" 
"**",".{0,1000}\.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20254" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20255" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","VirtualBox","adding the entire C drive as a shared folder for a VM","T1021.001 - T1137 - T1072","TA0006 - TA0008 - TA0005","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20257" "**",".{0,1000}\.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20258" "*=http://www.gotomypc.com/downloads/viewer *",".{0,1000}\=http\:\/\/www\.gotomypc\.com\/downloads\/viewer\s.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - 
TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20293" "*=NetSupport Client_deleteme*",".{0,1000}\=NetSupport\sClient_deleteme.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","20296" "*>Active Directory Editor<*",".{0,1000}\>Active\sDirectory\sEditor\<.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","0","#productname","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","20313" "*>Acunetix Web Vulnerability Scanner (Trial Edition)<*",".{0,1000}\>Acunetix\sWeb\sVulnerability\sScanner\s\(Trial\sEdition\)\<.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","#productname","N/A","8","9","N/A","N/A","N/A","N/A","20314" "*>Acunetix Web Vulnerability Scanner<*",".{0,1000}\>Acunetix\sWeb\sVulnerability\sScanner\<.{0,1000}","greyware_tool_keyword","Acunetix Web Vulnerability Scanner","Vulnerability Scanner abused by threat actors","T1190 - T1046 - T1210 - T1213","TA0001 - TA0008 - TA0009","N/A","Clever Kitten - 
EMBER BEAR","Vulnerability Scanner","https://www.acunetix.com/vulnerability-scanner/","1","0","#productname","N/A","8","9","N/A","N/A","N/A","N/A","20315" "*>AdFind<*",".{0,1000}\>AdFind\<.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","#productname","N/A","10","10","N/A","N/A","N/A","N/A","20318" "*>Advanced IP Scanner Setup<*",".{0,1000}\>Advanced\sIP\sScanner\sSetup\<.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","#description","N/A","7","10","N/A","N/A","N/A","N/A","20325" "*>Advanced IP Scanner<*",".{0,1000}\>Advanced\sIP\sScanner\<.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","#productname","N/A","7","10","N/A","N/A","N/A","N/A","20326" "*>Advanced Port Scanner Setup<*",".{0,1000}\>Advanced\sPort\sScanner\sSetup\<.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","#description","N/A","7","10","N/A","N/A","N/A","N/A","20327" "*>Advanced Port 
Scanner<*",".{0,1000}\>Advanced\sPort\sScanner\<.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","#productname","N/A","7","10","N/A","N/A","N/A","N/A","20328" "*>Anyplace Control Software<*",".{0,1000}\>Anyplace\sControl\sSoftware\<.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20329" "*>AnyViewer Setup<*",".{0,1000}\>AnyViewer\sSetup\<.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20330" "*>AnyViewer<*",".{0,1000}\>AnyViewer\<.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20331" "*>Atera Networks<*",".{0,1000}\>Atera\sNetworks\<.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","20332" "*>AutoHotkey installer<*",".{0,1000}\>AutoHotkey\sinstaller\<.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious 
executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","20333" "*>AutoHotkey Setup<*",".{0,1000}\>AutoHotkey\sSetup\<.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","20334" "*>Auvik Networks Inc.<*",".{0,1000}\>Auvik\sNetworks\sInc\.\<.{0,1000}","greyware_tool_keyword","auvik","cloud-based network management software","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.auvik.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20335" "*>AweRay Limited<*",".{0,1000}\>AweRay\sLimited\<.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20336" "*>AweRay Pte. 
Ltd.<*",".{0,1000}\>AweRay\sPte\.\sLtd\.\<.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20337" "*>AweSun.exe<*",".{0,1000}\>AweSun\.exe\<.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20338" "*>AweSun<*",".{0,1000}\>AweSun\<.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20339" "*>Barracuda MSP<*",".{0,1000}\>Barracuda\sMSP\<.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20341" "*>Barracuda Networks, Inc.*",".{0,1000}\>Barracuda\sNetworks,\sInc\..{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20342" "*>Barracuda RMM Setup AutoRun<*",".{0,1000}\>Barracuda\sRMM\sSetup\sAutoRun\<.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20343" "*>Barracuda RMM 
Setup<*",".{0,1000}\>Barracuda\sRMM\sSetup\<.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20344" "*>Barracuda RMM*<*",".{0,1000}\>Barracuda\sRMM.{0,1000}\<.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20345" "*>Bomgar Corporation
*","\>Bomgar\sCorporation\<\/Data\>.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20349" "*>Box, Inc.<*",".{0,1000}\>Box,\sInc\.\<.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","#companyname","N/A","6","7","N/A","N/A","N/A","N/A","20350" "*>CyberGhost 6 Installer<*",".{0,1000}\>CyberGhost\s6\sInstaller\<.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","20364" "*>CyberGhost 7 Installer<*",".{0,1000}\>CyberGhost\s7\sInstaller\<.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","20365" "*>CyberGhost 8 Installer<*",".{0,1000}\>CyberGhost\s8\sInstaller\<.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","20366" "*>devtunnel.dll<*",".{0,1000}\>devtunnel\.dll\<.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","#originalfilename","N/A","8","10","N/A","N/A","N/A","N/A","20375" "*>Disk to VHD converter<*",".{0,1000}\>Disk\sto\sVHD\sconverter\<.{0,1000}","greyware_tool_keyword","Disk2vhd","convert physical disks into Virtual Hard Disk (VHD) files -attackers can leverage it for Collection","T1560.002 - T1012 - T1560.003","TA0005 - TA0009","N/A","N/A","Collection","N/A","1","0","#description","N/A","8","4","N/A","N/A","N/A","N/A","20378" "*>Disk2vhd<*",".{0,1000}\>Disk2vhd\<.{0,1000}","greyware_tool_keyword","Disk2vhd","convert physical disks into Virtual Hard Disk (VHD) files -attackers can leverage it for Collection","T1560.002 - T1012 - T1560.003","TA0005 - TA0009","N/A","N/A","Collection","N/A","1","0","#productname","N/A","8","4","N/A","N/A","N/A","N/A","20379" "*>DWAgent<*",".{0,1000}\>DWAgent\<.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","20382" "*>eHorus Agent Setup<*",".{0,1000}\>eHorus\sAgent\sSetup\<.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#description","N/A","10","10","N/A","N/A","N/A","N/A","20385" "*>EHORUSAGENT<*",".{0,1000}\>EHORUSAGENT\<.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#servicename","N/A","10","10","N/A","N/A","N/A","N/A","20386" "*>Epoolsoft Windows Information View Tools<*",".{0,1000}\>Epoolsoft\sWindows\sInformation\sView\sTools\<.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","#description","N/A","8","10","N/A","N/A","N/A","N/A","20388" "*>Eraser - Secure Information Removal Tool<*",".{0,1000}\>Eraser\s\-\sSecure\sInformation\sRemoval\sTool\<.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#description","N/A","7","10","N/A","N/A","N/A","N/A","20389" "*>Eraser Setup Bootstrapper<*",".{0,1000}\>Eraser\sSetup\sBootstrapper\<.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#description","N/A","7","10","N/A","N/A","N/A","N/A","20390" "*>Famatech Corp.<*",".{0,1000}\>Famatech\sCorp\.\<.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","20392" "*>File Shredder by PowTools<*",".{0,1000}\>File\sShredder\sby\sPowTools\<.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is FREE and powerful application to shred and permanently remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - 
TA0040","N/A","N/A","Defense Evasion","https://www.fileshredder.org/","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","20393" "*>FileZilla FTP Client<*",".{0,1000}\>FileZilla\sFTP\sClient\<.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","#productname","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","20394" "*>FileZilla Server<*",".{0,1000}\>FileZilla\sServer\<.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","#productname","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","20395" "*>FleetDeck Inc<*",".{0,1000}\>FleetDeck\sInc\<.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#companyname","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20396" "*>FreeFileSync - Folder Comparison and Synchronization<*",".{0,1000}\>FreeFileSync\s\-\sFolder\sComparison\sand\sSynchronization\<.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#description","N/A","9","10","N/A","N/A","N/A","N/A","20397" "*>FreeFileSync 
Setup<*",".{0,1000}\>FreeFileSync\sSetup\<.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#description","N/A","9","10","N/A","N/A","N/A","N/A","20398" "*>FreeFileSync<*",".{0,1000}\>FreeFileSync\<.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#productname","N/A","9","10","N/A","N/A","N/A","N/A","20399" "*>GoodSync<*",".{0,1000}\>GoodSync\<.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","20405" "*>gs-runner.exe<*",".{0,1000}\>gs\-runner\.exe\<.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","20408" "*>Installed Remote Utilities - Viewer.*",".{0,1000}\>Installed\sRemote\sUtilities\s\-\sViewer\..{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20416" "*>Installed Remote Utilities 
Server.Installed\sRemote\sUtilities\sServer\.\<\/.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20417" "*>jprq - join public router*",".{0,1000}\>jprq\s\-\sjoin\spublic\srouter.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","20420" "*>Lansweeper Setup<*",".{0,1000}\>Lansweeper\sSetup\<.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","0","#description","N/A","6","7","N/A","N/A","N/A","N/A","20430" "*>Lansweeper<*",".{0,1000}\>Lansweeper\<.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","0","#productname","N/A","6","7","N/A","N/A","N/A","N/A","20431" "*>Level Software, Inc.<*",".{0,1000}\>Level\sSoftware,\sInc\.\<.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20432" "*>LPI Level Platforms<*",".{0,1000}\>LPI\sLevel\sPlatforms\<.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - 
TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20435" "*>MEGAcmd<*",".{0,1000}\>MEGAcmd\<.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#productname","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","20439" "*>Mesh Agent background service<*",".{0,1000}\>Mesh\sAgent\sbackground\sservice\<.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","20440" "*>Mesh Agent Company<*",".{0,1000}\>Mesh\sAgent\sCompany\<.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","20441" "*>meshagentRepair<*",".{0,1000}\>meshagentRepair\<.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","20442" "*>MeshCentral 
Agent<*",".{0,1000}\>MeshCentral\sAgent\<.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","20443" "*>MeshCentral<*",".{0,1000}\>MeshCentral\<.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","20444" "*>Microsoft Azure Storage Explorer Setup<*",".{0,1000}\>Microsoft\sAzure\sStorage\sExplorer\sSetup\<.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","20445" "*>Microsoft Azure Storage Explorer<*",".{0,1000}\>Microsoft\sAzure\sStorage\sExplorer\<.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","20446" "*>MZCookiesView<*",".{0,1000}\>MZCookiesView\<.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - 
T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","#productname","N/A","7","10","N/A","N/A","N/A","N/A","20453" "*>Near-Future Command Scheduler<*",".{0,1000}\>Near\-Future\sCommand\sScheduler\<.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","#description","N/A","7","7","N/A","N/A","N/A","N/A","20455" "*>NetSupport Client ApplicationNetSupport\sClient\sApplication\<\/.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20456" "*>NETSUPPORT LTD.NETSUPPORT\sLTD\.\<\/.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20457" "*>NetSupport LtdNetSupport\sLtd\<\/.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - 
Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20458" "*>NetSupport Remote ControlNetSupport\sRemote\sControl\<\/.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20459" "*>NetSupport remote ControlNetSupport\sremote\sControl\<\/.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20460" "*>NimScan<*",".{0,1000}\>NimScan\<.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","20461" "*>Open Source Developer, Grzegorz Tworek<*",".{0,1000}\>Open\sSource\sDeveloper,\sGrzegorz\sTworek\<.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#signature","N/A","10","10","N/A","N/A","N/A","N/A","20467" "*>PC Hunter<*",".{0,1000}\>PC\sHunter\<.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access 
to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","#productname","N/A","8","10","N/A","N/A","N/A","N/A","20476" "*>PCHunter.sys<*",".{0,1000}\>PCHunter\.sys\<.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","#productname","N/A","8","10","N/A","N/A","N/A","N/A","20477" "*>Ping Castle<*",".{0,1000}\>Ping\sCastle\<.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#productname","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","20480" "*>Poor man's ngrok<*",".{0,1000}\>Poor\sman\'s\sngrok\<.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","20481" "*>ProcDump<*",".{0,1000}\>ProcDump\<.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - 
Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","#productname","N/A","10","10","N/A","N/A","N/A","N/A","20484" "*>Product: Remote Utilities - Viewer -- *",".{0,1000}\>Product\:\sRemote\sUtilities\s\-\sViewer\s\-\-\s.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20485" "*>Product: Remote Utilities Server -- *",".{0,1000}\>Product\:\sRemote\sUtilities\sServer\s\-\-\s.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20486" "*>Proxifier Setup<*",".{0,1000}\>Proxifier\sSetup\<.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","#description","N/A","8","9","N/A","N/A","N/A","N/A","20487" "*>Quick Assist Component<*",".{0,1000}\>Quick\sAssist\sComponent\<.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick assit","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","20490" 
"*>rclone.exe<*",".{0,1000}\>rclone\.exe\<.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20491" "*>Rclone<*",".{0,1000}\>Rclone\<.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#productname","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20492" "*>RealVNC<*",".{0,1000}\>RealVNC\<.{0,1000}","greyware_tool_keyword","vncviewer","VNCViewer is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20494" "*>Remote Control by Itarian<*",".{0,1000}\>Remote\sControl\sby\sItarian\<.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote 
Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20496" "*>Remote device management - https://level.io<*",".{0,1000}\>Remote\sdevice\smanagement\s\-\shttps\:\/\/level\.io\<.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20498" "*>Remote Support Customer Client</Data>*",".{0,1000}\>Remote\sSupport\sCustomer\sClient\<\/Data\>.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20499" "*>Remote Utilities - Viewer</*",".{0,1000}\>Remote\sUtilities\s\-\sViewer\<\/.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20500" "*>Remote.it<*",".{0,1000}\>Remote\.it\<.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","20501" "*>Representative Console</Data>*",".{0,1000}\>Representative\sConsole\<\/Data\>.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20503" "*>RmmService<*",".{0,1000}\>RmmService\<.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#servicename","N/A","10","10","N/A","N/A","N/A","N/A","20505" "*>Rsync for cloud storage<*",".{0,1000}\>Rsync\sfor\scloud\sstorage\<.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#description","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20510" "*>sdelete.exe<*",".{0,1000}\>sdelete\.exe\<.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","20515"
"*>SetACL.exe<*",".{0,1000}\>SetACL\.exe\<.{0,1000}","greyware_tool_keyword","SetACL","Manage Windows permissions from the command line","T1069 - T1222","TA0002 - TA0004 - TA0005","N/A","N/A","Defense Evasion","https://helgeklein.com/download/","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","20527" "*>SetACL64..exe<*",".{0,1000}\>SetACL64\.\.exe\<.{0,1000}","greyware_tool_keyword","SetACL","Manage Windows permissions from the command line","T1069 - T1222","TA0002 - TA0004 - TA0005","N/A","N/A","Defense Evasion","https://helgeklein.com/download/","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","20528" "*>SimpleHelp Ltd<*",".{0,1000}\>SimpleHelp\sLtd\<.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","20587" "*>SoftEther VPN Project at University of Tsukuba, Japan.<*",".{0,1000}\>SoftEther\sVPN\sProject\sat\sUniversity\sof\sTsukuba,\sJapan\.\<.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#companyname #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","20589" "*>SoftEther VPN Setup (Developer Edition)<*",".{0,1000}\>SoftEther\sVPN\sSetup\s\(Developer\sEdition\)\<.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","20590" "*>SoftEther VPN
Setup<*",".{0,1000}\>SoftEther\sVPN\sSetup\<.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","20591" "*>SoftPerfect Network Scanner<*",".{0,1000}\>SoftPerfect\sNetwork\sScanner\<.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","#productname","N/A","8","10","N/A","N/A","N/A","N/A","20592" "*>Syncthing<*",".{0,1000}\>Syncthing\<.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","#productname","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","20593" "*>Sysinternals ADExplorer<*",".{0,1000}\>Sysinternals\sADExplorer\<.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. 
It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","0","#productname","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","20594" "*>Sysinternals PsList<*",".{0,1000}\>Sysinternals\sPsList\<.{0,1000}","greyware_tool_keyword","pslist","Microsoft sysinternal comandline tool to list running process abused by threat actors","T1057 - T1012 - T1106","TA0007","N/A","APT10 - APT15 - APT33 - APT34 - Sandworm - APT35 - CHRYSENE - menuPass - GhostEmperor - Magnallium - Elfin","Discovery","https://learn.microsoft.com/pt-br/sysinternals/downloads/pslist","1","0","#productname","N/A","3","9","N/A","N/A","N/A","N/A","20595" "*>sysinternals sdelete<*",".{0,1000}\>sysinternals\ssdelete\<.{0,1000}","greyware_tool_keyword","sdelete","delete one or more files and/or directories, or to cleanse the free space on a logical disk - abused by attackers","T1485 - T1070.004","TA0005 - TA0040 ","N/A","APT29 - Sandworm - Cobalt Group - FIN5 - Silence - BOSS SPIDER","Defense Evasion","https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","20596" "*>TDSS rootkit removing tool<*",".{0,1000}\>TDSS\srootkit\sremoving\stool\<.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","0","#description","N/A","8","10","N/A","N/A","N/A","N/A","20599" "*>TDSSKiller<*",".{0,1000}\>TDSSKiller\<.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - 
TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","0","#productname","N/A","8","10","N/A","N/A","N/A","N/A","20600" "*>the openvpn project<*",".{0,1000}\>the\sopenvpn\sproject\<.{0,1000}","greyware_tool_keyword","OPENVPN","OpenVPN is a legitimate tool that might be used by an adversary to maintain persistence or exfiltrate data","T1071 - T1573 - T1133","TA0003 - TA0008 - TA0011","N/A","N/A","Defense Evasion","https://openvpn.net/","1","0","#VPN","N/A","6","8","N/A","N/A","N/A","N/A","20602" "*>TightVNC Viewer<*",".{0,1000}\>TightVNC\sViewer\<.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20603" "*>UltraVNC VNCViewer<*",".{0,1000}\>UltraVNC\sVNCViewer\<.{0,1000}","greyware_tool_keyword","vncviewer","VNCViewer is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","20608" "*>Welcome new zrok user!<*",".{0,1000}\>Welcome\snew\szrok\suser!\<.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#content","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","20616" "*>Welcome to zrok!<*",".{0,1000}\>Welcome\sto\szrok!\<.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#content","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","20618" "*>WireGuard Relay<*",".{0,1000}\>WireGuard\sRelay\<.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","20622" "*>WireGuard Tunnel<*",".{0,1000}\>WireGuard\sTunnel\<.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","20623" "*>wireguard-installer<*",".{0,1000}\>wireguard\-installer\<.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","20624" "*>zrok frontend health: ok<*",".{0,1000}\>zrok\sfrontend\shealth\:\sok\<.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","20626" "*>zrok test endpoint<*",".{0,1000}\>zrok\stest\sendpoint\<.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","20627" "*00:\.vnc\*",".{0,1000}00\:\\\.vnc\\.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","20635" "*0005a6d6647dd4120f2365c330a0b4acbb345630c40621fb91b5947598503cb0*",".{0,1000}0005a6d6647dd4120f2365c330a0b4acbb345630c40621fb91b5947598503cb0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20641" "*0008726b00bc9205dcd5681256ef79f185282892f3992614ff4264cb7b0d04fb*",".{0,1000}0008726b00bc9205dcd5681256ef79f185282892f3992614ff4264cb7b0d04fb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20642" "*0040e6c313caa468a8706e3311c534f87d9f56f3353ab50bdc48c9f972f8fac0*",".{0,1000}0040e6c313caa468a8706e3311c534f87d9f56f3353ab50bdc48c9f972f8fac0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20651" 
"*00440c4525e995e54ce65e9d0c85f7482136463c9109c61650687226aca149bc*",".{0,1000}00440c4525e995e54ce65e9d0c85f7482136463c9109c61650687226aca149bc.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","20653" "*0059214c35241df34371e16ec368ef02023ca321cbdc8608c36ab75c4b14cab4*",".{0,1000}0059214c35241df34371e16ec368ef02023ca321cbdc8608c36ab75c4b14cab4.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","20656" "*005f37654d164e5605ad7180a7af68d82da9b747e6fed34b71f6fda0883e6f74*",".{0,1000}005f37654d164e5605ad7180a7af68d82da9b747e6fed34b71f6fda0883e6f74.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","20659" "*006d97f8510e34966ebd1901686cf407a57663ad42374e40c023c6611595d1e3*",".{0,1000}006d97f8510e34966ebd1901686cf407a57663ad42374e40c023c6611595d1e3.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER 
BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","20664" "*007249202d5840829342cc6597fbff75d446910027417b1d49e94c7485774c7a*",".{0,1000}007249202d5840829342cc6597fbff75d446910027417b1d49e94c7485774c7a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20665" "*00833ecb01131c0c74ca39cfc0e0fe3549651df916dfc4d2c6d7aeda600784bc*",".{0,1000}00833ecb01131c0c74ca39cfc0e0fe3549651df916dfc4d2c6d7aeda600784bc.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","20668" "*009878ba04d0708fd86cc333fcda1e4d9f6a908b95bf28484dcae293bd497201*",".{0,1000}009878ba04d0708fd86cc333fcda1e4d9f6a908b95bf28484dcae293bd497201.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","20674" 
"*009c223ca93f5c176828097e0a0931547b79a1e893d77897daca58e82d87813f*",".{0,1000}009c223ca93f5c176828097e0a0931547b79a1e893d77897daca58e82d87813f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20675" "*00b377900f7213590db683ce75b4d3ae6053633a5938148afeefd607d0e88319*",".{0,1000}00b377900f7213590db683ce75b4d3ae6053633a5938148afeefd607d0e88319.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20682" "*00B41CF0-7AE9-4542-9970-77B312412535*",".{0,1000}00B41CF0\-7AE9\-4542\-9970\-77B312412535.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#GUIDproject #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","20683" "*00c526bdfae8fe448b1810c1c06b2827efa1158b7e324aa69c23a57a8b29f603*",".{0,1000}00c526bdfae8fe448b1810c1c06b2827efa1158b7e324aa69c23a57a8b29f603.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a 
local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20687" "*00caf6dfcf353f66ed5c3937d8d12fcef79c27a845fea644c75ff9f3bfd27eec*",".{0,1000}00caf6dfcf353f66ed5c3937d8d12fcef79c27a845fea644c75ff9f3bfd27eec.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","20692" "*00d223d61d1569d44bfe81805359f94c15c9549473762016605287c31733bae6*",".{0,1000}00d223d61d1569d44bfe81805359f94c15c9549473762016605287c31733bae6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","20694" "*00d485a13e0db43cacbb8a66316906b18356c8e0aed5821d7d26f077943f431e*",".{0,1000}00d485a13e0db43cacbb8a66316906b18356c8e0aed5821d7d26f077943f431e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20695" "*00e3b8a6e650a206a6070be87c2c1d5387c21f9f6b80d18ee683c2c0f5fd2fe5*",".{0,1000}00e3b8a6e650a206a6070be87c2c1d5387c21f9f6b80d18ee683c2c0f5fd2fe5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","20698" "*00e40aa1125ab7a0c1ea059168555ac4ea15c2d08b7a3361feea0b285f2cf4fc*",".{0,1000}00e40aa1125ab7a0c1ea059168555ac4ea15c2d08b7a3361feea0b285f2cf4fc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20699" "*00ea56c041ca5b97b56e70c48d26d77f71774c1c19611af9db6626baaa382404*",".{0,1000}00ea56c041ca5b97b56e70c48d26d77f71774c1c19611af9db6626baaa382404.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20702" "*00f66ad0898ce930b1f58792baafbb71e19645ad86ef0f0827805d8fe366de91*",".{0,1000}00f66ad0898ce930b1f58792baafbb71e19645ad86ef0f0827805d8fe366de91.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","20705" "*00ffd863c32645660a29db758db4ea89f7c3eb616b3488cceca55345d8a5d11d*",".{0,1000}00ffd863c32645660a29db758db4ea89f7c3eb616b3488cceca55345d8a5d11d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20708" "*0108697c36c88f6ae776f923064236f4e890f3c887a94e798222e5ba3c08c568*",".{0,1000}0108697c36c88f6ae776f923064236f4e890f3c887a94e798222e5ba3c08c568.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20711" 
"*012323674405ca9b97010e222bdd25204eda6b772a8e6e571f946ad35eeaf87b*",".{0,1000}012323674405ca9b97010e222bdd25204eda6b772a8e6e571f946ad35eeaf87b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20713" "*013166fb62f933f2af2d9c1cc8207b66cb8e693814cdaa6d242e221be0a2fff2*",".{0,1000}013166fb62f933f2af2d9c1cc8207b66cb8e693814cdaa6d242e221be0a2fff2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","20714" "*0149c7275232b058c1da45542ec522561c8895a65ec6bc1422ee3c07a1276110*",".{0,1000}0149c7275232b058c1da45542ec522561c8895a65ec6bc1422ee3c07a1276110.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","20716" "*014ff0ec700476b19f252a02a43ff70cfc91c29479bb0a59ac21e91d58b4f89c*",".{0,1000}014ff0ec700476b19f252a02a43ff70cfc91c29479bb0a59ac21e91d58b4f89c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20718" "*01553e1a8ac9b5a158f2ff4861643892ac018aefe598c80fb09710c702b70d8c*",".{0,1000}01553e1a8ac9b5a158f2ff4861643892ac018aefe598c80fb09710c702b70d8c.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","20720" "*015774ac49fa929ca39c0707aa8177e4605b7df9f53d8630fea1ef5155bb5328*",".{0,1000}015774ac49fa929ca39c0707aa8177e4605b7df9f53d8630fea1ef5155bb5328.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","20721" "*0164502183613e987753f77bf9a45bde5a08f9332cf2d119cbfbf284cae64a25*",".{0,1000}0164502183613e987753f77bf9a45bde5a08f9332cf2d119cbfbf284cae64a25.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","20724" 
"*016d82ec6cf3550ac4dea3881c248a0d544f09144881557439aa6e4b0f134989*",".{0,1000}016d82ec6cf3550ac4dea3881c248a0d544f09144881557439aa6e4b0f134989.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","20726" "*01713b6ae56ab0f1faf7834f29c22fb36c41bef9c6cf2b702dc3f617513c3be6*",".{0,1000}01713b6ae56ab0f1faf7834f29c22fb36c41bef9c6cf2b702dc3f617513c3be6.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","20727" "*017439a15b04aafd322811f9812262e02f5f0bdf2aa252d46a06d7d118dd24f4*",".{0,1000}017439a15b04aafd322811f9812262e02f5f0bdf2aa252d46a06d7d118dd24f4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20729" "*017d3fc6d2c17249a9bf202e115670ed440cdcc9efdb4e23b998cbb3b3dcde96*",".{0,1000}017d3fc6d2c17249a9bf202e115670ed440cdcc9efdb4e23b998cbb3b3dcde96.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20731" "*0180d8d7b89b3eb0d6a64dad6278fab176a3a5de3507d78ebf242081bf8af491*",".{0,1000}0180d8d7b89b3eb0d6a64dad6278fab176a3a5de3507d78ebf242081bf8af491.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20732" "*018350a14e058689eccc58449351dec1d7a63dae2aca0ddec64630e2cc6feb83*",".{0,1000}018350a14e058689eccc58449351dec1d7a63dae2aca0ddec64630e2cc6feb83.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20734" 
"*0183a78b64841b968eac59c0c912ecb0c44ec0ccdd773e422c6529d4e0ea5ca3*",".{0,1000}0183a78b64841b968eac59c0c912ecb0c44ec0ccdd773e422c6529d4e0ea5ca3.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","20735" "*01a2453132babc0a02bf8a02a5dce58e75a6c4fe9bddbcc5659141fff047a13f*",".{0,1000}01a2453132babc0a02bf8a02a5dce58e75a6c4fe9bddbcc5659141fff047a13f.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","20745" "*01afaf85adb57c17d2d817c34134ffc1804db080b9493cc7e1a45e3288bf7536*",".{0,1000}01afaf85adb57c17d2d817c34134ffc1804db080b9493cc7e1a45e3288bf7536.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","20749" "*01b403992457bd8e1bb0d9e3cc353d6196c975d4fe5674a43ee7c807ae669fbd*",".{0,1000}01b403992457bd8e1bb0d9e3cc353d6196c975d4fe5674a43ee7c807ae669fbd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20751" "*01b54786c5362c33e97cfd3262d62077b0f8aa6205eebd560832e55796acf1b3*",".{0,1000}01b54786c5362c33e97cfd3262d62077b0f8aa6205eebd560832e55796acf1b3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20752" "*01d500c870f17df9745b6973a23efd33c05fe74680bb6bc1a0b5b74681480996*",".{0,1000}01d500c870f17df9745b6973a23efd33c05fe74680bb6bc1a0b5b74681480996.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","20762" "*01d64306425b2e5c7a8c53c9e696719a8704dc2b011248f52fd981d7a437c1e8*",".{0,1000}01d64306425b2e5c7a8c53c9e696719a8704dc2b011248f52fd981d7a437c1e8.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","20763" "*01d64306425b2e5c7a8c53c9e696719a8704dc2b011248f52fd981d7a437c1e8*",".{0,1000}01d64306425b2e5c7a8c53c9e696719a8704dc2b011248f52fd981d7a437c1e8.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","20764" "*01f7bb1226ad5d0c68b39ab60014b9e9f55ef85c56be7b0faed70d67bfbc13e5*",".{0,1000}01f7bb1226ad5d0c68b39ab60014b9e9f55ef85c56be7b0faed70d67bfbc13e5.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","20768" "*02006756198c02904d534aa215a4382f39b9f182e6fed9d7c2bbb36f3e2c06f6*",".{0,1000}02006756198c02904d534aa215a4382f39b9f182e6fed9d7c2bbb36f3e2c06f6.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","20770" "*02032f5eb062c4bd0631329f1d4b4841ae773dfa3b8c7f8fd60d35f256c86532*",".{0,1000}02032f5eb062c4bd0631329f1d4b4841ae773dfa3b8c7f8fd60d35f256c86532.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20773" "*021040edb489ec8c913d032ed729568d01089ecf2bf2e0ac57c062be9a61eb13*",".{0,1000}021040edb489ec8c913d032ed729568d01089ecf2bf2e0ac57c062be9a61eb13.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20777" "*02207a474093579fcf87ba000b9e42c762835e27505240ba263864e1825b81ef*",".{0,1000}02207a474093579fcf87ba000b9e42c762835e27505240ba263864e1825b81ef.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20781" "*0237e84c1a958e0c3bd52228ed33aad0e847d5e72a679381ade503ce1dfddc8b*",".{0,1000}0237e84c1a958e0c3bd52228ed33aad0e847d5e72a679381ade503ce1dfddc8b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20787" "*024db78c74b32524c54cc8617d1c7dbcd742b0d99bf44087ad85c2e913ca4156*",".{0,1000}024db78c74b32524c54cc8617d1c7dbcd742b0d99bf44087ad85c2e913ca4156.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","20793" "*025bf967e37ce095f31bc45d886156d365a0e9dc7aa0e7f3bbc91bd1c9717145*",".{0,1000}025bf967e37ce095f31bc45d886156d365a0e9dc7aa0e7f3bbc91bd1c9717145.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20800" "*025c823bad7f5449606f1eebb3f486e723e6b41f3d809b59c0b4f2367ef14b41*",".{0,1000}025c823bad7f5449606f1eebb3f486e723e6b41f3d809b59c0b4f2367ef14b41.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","20802" "*026fd2dd800e84250a19978fc4df8d1c2ff01b61cafdc0aeeb205efb9259fd73*",".{0,1000}026fd2dd800e84250a19978fc4df8d1c2ff01b61cafdc0aeeb205efb9259fd73.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20809" "*02737dd93d82d2cc1e46914a3650dde655c34e68b6f2038039bff29bb2ec382a*",".{0,1000}02737dd93d82d2cc1e46914a3650dde655c34e68b6f2038039bff29bb2ec382a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","20810" "*0276ec0ea830a61275437a98b81224b95712ecac5a7b9850bcbf2444ff46e47a*",".{0,1000}0276ec0ea830a61275437a98b81224b95712ecac5a7b9850bcbf2444ff46e47a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","20812" "*027b9322fa12d2eaa9805dba4502ae3f69f3327db869f573340377770a0f7189*",".{0,1000}027b9322fa12d2eaa9805dba4502ae3f69f3327db869f573340377770a0f7189.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - 
Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20814" "*027e4741b0ffea0c4a7b7d89fe584de5655ac140bc60994df35e0d19565f0817*",".{0,1000}027e4741b0ffea0c4a7b7d89fe584de5655ac140bc60994df35e0d19565f0817.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","20816" "*02838437eb0acf23204585e8c21252b8bb9413dffbfcbfcd0ff9b05735a98ac1*",".{0,1000}02838437eb0acf23204585e8c21252b8bb9413dffbfcbfcd0ff9b05735a98ac1.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","20822" "*029c12f3aba6b794b8ba2822246b8b7763e8427bc30bfbe761f8306fe70ebb7b*",".{0,1000}029c12f3aba6b794b8ba2822246b8b7763e8427bc30bfbe761f8306fe70ebb7b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - 
EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20829" "*02a4baaefa38ed6bed90fd59076be5eceab98f6d08a83aa3b459e160299389e2*",".{0,1000}02a4baaefa38ed6bed90fd59076be5eceab98f6d08a83aa3b459e160299389e2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20831" "*02b26e392e2c9043de39d0c39595b587383170b211b2b86f3499227100192e41*",".{0,1000}02b26e392e2c9043de39d0c39595b587383170b211b2b86f3499227100192e41.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","20834" "*02bacaa4ba2b64eb019f7b9da5861192bf0e85e4615a299035086decf9da7d06*",".{0,1000}02bacaa4ba2b64eb019f7b9da5861192bf0e85e4615a299035086decf9da7d06.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","20835" "*02d65d123f0bf661831666e4a9b10b1bb854b7120455488b0e28a29541b7ad8a*",".{0,1000}02d65d123f0bf661831666e4a9b10b1bb854b7120455488b0e28a29541b7ad8a.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","20841" "*02d693753ae4fec141914593c37a06d2c033ec94b2d137996d74600432491f8f*",".{0,1000}02d693753ae4fec141914593c37a06d2c033ec94b2d137996d74600432491f8f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20842" "*02d7942d0d329dd9b3df2425926bbc8cb634e416b4482fdee73e5aa4e60e00da*",".{0,1000}02d7942d0d329dd9b3df2425926bbc8cb634e416b4482fdee73e5aa4e60e00da.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","20843" "*02e2cdb9266754c45c205c199b3478e372c234d6a048a2719796bdb8d3ac2731*",".{0,1000}02e2cdb9266754c45c205c199b3478e372c234d6a048a2719796bdb8d3ac2731.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","20844" 
"*02ebe0a81dac898bf7bfced875656ec1f05b4eeaf4ba704c8a2b6c88582026ab*",".{0,1000}02ebe0a81dac898bf7bfced875656ec1f05b4eeaf4ba704c8a2b6c88582026ab.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20846" "*0302bf02c300acfcfcacc660b0bc9fb2077c1fdddc70d07196c72ffce08fe57a*",".{0,1000}0302bf02c300acfcfcacc660b0bc9fb2077c1fdddc70d07196c72ffce08fe57a.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","20864" "*030544b09aff990592772ae508a62396c5648a267a14e5f2fad08324c3d9eb9a*",".{0,1000}030544b09aff990592772ae508a62396c5648a267a14e5f2fad08324c3d9eb9a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20865" "*031058faff9335052b9be0437342442bc4c67d1fe9e8c179a78ba54b92f2480a*",".{0,1000}031058faff9335052b9be0437342442bc4c67d1fe9e8c179a78ba54b92f2480a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20869" "*0314135de58db11f0c6f360113b3f76735e20a7b3cdb928f9acdb0a82ce927e0*",".{0,1000}0314135de58db11f0c6f360113b3f76735e20a7b3cdb928f9acdb0a82ce927e0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20871" "*031cf34eeafe09064a6b63bcf752093d742b89166e93924aa4dde13160f91301*",".{0,1000}031cf34eeafe09064a6b63bcf752093d742b89166e93924aa4dde13160f91301.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20874" "*033d38c476d5b4bb00e7f5e4dfad682081c3832853351fe12f4deb9ec8ea569d*",".{0,1000}033d38c476d5b4bb00e7f5e4dfad682081c3832853351fe12f4deb9ec8ea569d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20885" "*035a602153cd10af0c370d9863749b006a2590a7c274bb1cb698016a98ccab3f*",".{0,1000}035a602153cd10af0c370d9863749b006a2590a7c274bb1cb698016a98ccab3f.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20888" "*035cf1744ffefef60ff711aeae4bcf39cd902e0a581b443553545f6b934f2a71*",".{0,1000}035cf1744ffefef60ff711aeae4bcf39cd902e0a581b443553545f6b934f2a71.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","20889" "*036a9029e3b883ded8de9d9bdde3f63dd86d3403b7ed767b1efc3037c9d37bc4*",".{0,1000}036a9029e3b883ded8de9d9bdde3f63dd86d3403b7ed767b1efc3037c9d37bc4.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","20893" "*037be40510a193376a127023deb2fe312d265b5ebc78422879e9126c5d02f2b4*",".{0,1000}037be40510a193376a127023deb2fe312d265b5ebc78422879e9126c5d02f2b4.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for 
making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","20899" "*0380372a475147bed23ba4b24891c843de3d3391f2ee40469a994df38b427115*",".{0,1000}0380372a475147bed23ba4b24891c843de3d3391f2ee40469a994df38b427115.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","20904" "*038e1bfdabf0b75e154beb4957e2ec7b7a99081f8210260b2860d77e27962196*",".{0,1000}038e1bfdabf0b75e154beb4957e2ec7b7a99081f8210260b2860d77e27962196.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20905" "*039bd221eee059cf555d174e582b9135db9941d0d9fdab7aae1407dc928feded*",".{0,1000}039bd221eee059cf555d174e582b9135db9941d0d9fdab7aae1407dc928feded.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","20910" "*03A09084-0576-45C5-97CA-B83B1A8688B8*",".{0,1000}03A09084\-0576\-45C5\-97CA\-B83B1A8688B8.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#GUIDproject","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","20911" "*03a3b39dd1b9bfb7421e4ba555ca9669b0e3ca7d993ce921d249493aee23b484*",".{0,1000}03a3b39dd1b9bfb7421e4ba555ca9669b0e3ca7d993ce921d249493aee23b484.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","20913" "*03a9bbe3ff18369f9b538cca705413e15ba977c517bda1dee7c1a7808ce31854*",".{0,1000}03a9bbe3ff18369f9b538cca705413e15ba977c517bda1dee7c1a7808ce31854.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20915" 
"*03ad3912baee1a45e768dac5632eb99edad9056046d3719221e6f0dc1f8e540c*",".{0,1000}03ad3912baee1a45e768dac5632eb99edad9056046d3719221e6f0dc1f8e540c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20916" "*03adcafddad36073108832b0c7541b0f398c074c42693a0fa847f8d7f789cd7e*",".{0,1000}03adcafddad36073108832b0c7541b0f398c074c42693a0fa847f8d7f789cd7e.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","20917" "*03b104accc26d5aec14088c253ea5a6bba3263ae00fc403737cabceecad9eae9*",".{0,1000}03b104accc26d5aec14088c253ea5a6bba3263ae00fc403737cabceecad9eae9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20918" "*03b2d5858587fcf2c5d6f7cdc4a4401318ee63066f936e295f9e94e8c66f0a86*",".{0,1000}03b2d5858587fcf2c5d6f7cdc4a4401318ee63066f936e295f9e94e8c66f0a86.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20919" "*03b738de271f354a0aa9c1773c4561b736fc03991008778a50a352a54bfa111b*",".{0,1000}03b738de271f354a0aa9c1773c4561b736fc03991008778a50a352a54bfa111b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","20920" "*03cbb2a21105c9aae4fb499ad8fb4898d6c87c7d3a3071eae601bdae8bad19ab*",".{0,1000}03cbb2a21105c9aae4fb499ad8fb4898d6c87c7d3a3071eae601bdae8bad19ab.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","20928" "*03d39664173b9baf2ae530b457510c4ee915e9060be46063511ed903d3afa265*",".{0,1000}03d39664173b9baf2ae530b457510c4ee915e9060be46063511ed903d3afa265.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - 
EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","20929" "*03d40eba61566209bd634bde4492e7adcc34e8cfa94a6e2e72e0136c21534d8b*",".{0,1000}03d40eba61566209bd634bde4492e7adcc34e8cfa94a6e2e72e0136c21534d8b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20930" "*03dae058d9b192aab4e119e620c40253f7693bfae095820ddd0313403d207d82*",".{0,1000}03dae058d9b192aab4e119e620c40253f7693bfae095820ddd0313403d207d82.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20931" "*03e55f4304347ccf6363e5770ac810b3eab5212f734dd9bfc6835eb9423b24d5*",".{0,1000}03e55f4304347ccf6363e5770ac810b3eab5212f734dd9bfc6835eb9423b24d5.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","20936" "*03e927b93128d01f116dd86114a7b5ed52544bab99afd0261f3f739aa4c0543b*",".{0,1000}03e927b93128d01f116dd86114a7b5ed52544bab99afd0261f3f739aa4c0543b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20937" "*03eec0acc40aaf248498e956528de90b8f7efc854ae8a0d0ccf5ed7377bd4e71*",".{0,1000}03eec0acc40aaf248498e956528de90b8f7efc854ae8a0d0ccf5ed7377bd4e71.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20938" "*03f1fdbd7837c1934ce54d05f2ec947c62a45e93e68b7cf7d612310e095a1626*",".{0,1000}03f1fdbd7837c1934ce54d05f2ec947c62a45e93e68b7cf7d612310e095a1626.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20939" "*03fce0574a2df7993efff8bf3d1e45250b08692081cff53dfd266745db772f27*",".{0,1000}03fce0574a2df7993efff8bf3d1e45250b08692081cff53dfd266745db772f27.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20941" 
"*0416febc1e9447269a9b414f0bbfe0172453fb5d03f0a756eca799060b1db6d5*",".{0,1000}0416febc1e9447269a9b414f0bbfe0172453fb5d03f0a756eca799060b1db6d5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20947" "*042fa197c0f91b27404c086eabfb62dad3ffaaad7101046f518abf58ae42ee1b*",".{0,1000}042fa197c0f91b27404c086eabfb62dad3ffaaad7101046f518abf58ae42ee1b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20968" "*043cd981e81f756123ea4501569ad8d1fbb8166d1046b349ca423aa6ddc0ce31*",".{0,1000}043cd981e81f756123ea4501569ad8d1fbb8166d1046b349ca423aa6ddc0ce31.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20974" "*0440615136eecfa56e9844e37679738622563c126c9cafb96433cec4ba11699a*",".{0,1000}0440615136eecfa56e9844e37679738622563c126c9cafb96433cec4ba11699a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20976" 
"*0440b6c1c17b58563c729fa133896199406f29356329ca5d048e4d9dcbf7d6fe*",".{0,1000}0440b6c1c17b58563c729fa133896199406f29356329ca5d048e4d9dcbf7d6fe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","20977" "*045ccab12ac435e6f5a85a15f8109d168193a8370c3a234befa0e960ba609ffa*",".{0,1000}045ccab12ac435e6f5a85a15f8109d168193a8370c3a234befa0e960ba609ffa.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","20980" "*045e70715b2261bdbc9e14332b0062b81b71d71a83bde714df7e3caa2615efdc*",".{0,1000}045e70715b2261bdbc9e14332b0062b81b71d71a83bde714df7e3caa2615efdc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20981" "*0472497b295c4466e58c2623f2f03281f4a8297696753dd18effe3a4d633e86e*",".{0,1000}0472497b295c4466e58c2623f2f03281f4a8297696753dd18effe3a4d633e86e.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass 
firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","20989" "*0476f68f4552ae460d72f0b6c2c9fd4b6fb8dfdbafdec62695f02996d7221f81*",".{0,1000}0476f68f4552ae460d72f0b6c2c9fd4b6fb8dfdbafdec62695f02996d7221f81.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","20991" "*047ab1af44f368297bf21b302a2548a556ca4e6c6b721940954e88f43d1cfba5*",".{0,1000}047ab1af44f368297bf21b302a2548a556ca4e6c6b721940954e88f43d1cfba5.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","20992" "*04844b7aee9a823f89337a62f63b36eef9f250d8b0b6ba151117de798e3d7454*",".{0,1000}04844b7aee9a823f89337a62f63b36eef9f250d8b0b6ba151117de798e3d7454.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","20993" "*04965584331eefc46ddb5d667ce123b20a91ae7f275bcda944e16b6f8d17b0d0*",".{0,1000}04965584331eefc46ddb5d667ce123b20a91ae7f275bcda944e16b6f8d17b0d0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","20997" "*04972d8a2dab86aca68eed06eaec968025915df802e31c0f4db8e8baad010a2b*",".{0,1000}04972d8a2dab86aca68eed06eaec968025915df802e31c0f4db8e8baad010a2b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","20998" "*04aeff8ca9ced185a7f1e860e046fcfbf47b5345d4480b3015937978fe2d2ecb*",".{0,1000}04aeff8ca9ced185a7f1e860e046fcfbf47b5345d4480b3015937978fe2d2ecb.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","21002" "*04d9eaf4997d1407feca0324beedaca577c63fa900ef04e6a97de9e8e2391e34*",".{0,1000}04d9eaf4997d1407feca0324beedaca577c63fa900ef04e6a97de9e8e2391e34.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21010" 
"*04e2517acc6b8adfdadf0b2891afa83592d8e62bd0477918dd57a74e6066a1c5*",".{0,1000}04e2517acc6b8adfdadf0b2891afa83592d8e62bd0477918dd57a74e6066a1c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21014" "*04eb8295af197da058cec5a2b78b8b7f6bcee7299cbadebf68dc6837968c5bb0*",".{0,1000}04eb8295af197da058cec5a2b78b8b7f6bcee7299cbadebf68dc6837968c5bb0.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","21018" "*04fe985dcc18c3ab8dc4ecf5ebf61ed9dd4bafdcd0937c8d10235c98b2f4a9ae*",".{0,1000}04fe985dcc18c3ab8dc4ecf5ebf61ed9dd4bafdcd0937c8d10235c98b2f4a9ae.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21021" "*0512029520eaea2237833ed86b40aadb61ab98861da8c135dfc513524f74a4bc*",".{0,1000}0512029520eaea2237833ed86b40aadb61ab98861da8c135dfc513524f74a4bc.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21032" "*0520c7e5daa571c831e5816bb1a65a558ebff4ce2e5f26b2a16efbe8c107d654*",".{0,1000}0520c7e5daa571c831e5816bb1a65a558ebff4ce2e5f26b2a16efbe8c107d654.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","21037" "*0522e7c0979e1598e40817e5d7a4bc05fd7448115237bd883c91f954ce3817a2*",".{0,1000}0522e7c0979e1598e40817e5d7a4bc05fd7448115237bd883c91f954ce3817a2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21038" "*054cb9f42c4aca898ef078ddb7b138517c6f9f80225f9c7204f6ee00b9b93134*",".{0,1000}054cb9f42c4aca898ef078ddb7b138517c6f9f80225f9c7204f6ee00b9b93134.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21044" "*0550e9375d01e30924e8e551ddab23e2422afdb978348b73e51f912cff544633*",".{0,1000}0550e9375d01e30924e8e551ddab23e2422afdb978348b73e51f912cff544633.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21046" "*057519a7348a5e04eef59aafbeddcffe8f2027e76e141160a147292e24017d88*",".{0,1000}057519a7348a5e04eef59aafbeddcffe8f2027e76e141160a147292e24017d88.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21053" "*0581143b11d99500ea1fd4b61775c395276fd3ec2a0352cf3b9050274ddd8068*",".{0,1000}0581143b11d99500ea1fd4b61775c395276fd3ec2a0352cf3b9050274ddd8068.{0,1000}","greyware_tool_keyword","rathole","expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21057" "*05852ffa6c718d4d63489c966ba8dcc8109de75c7390a6ef5fc1c8f1644a7ab1*",".{0,1000}05852ffa6c718d4d63489c966ba8dcc8109de75c7390a6ef5fc1c8f1644a7ab1.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21060" "*058711652c885c5765e5bcc0b693c6861d3bcca0305474cc9da635a04898c954*",".{0,1000}058711652c885c5765e5bcc0b693c6861d3bcca0305474cc9da635a04898c954.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21061" "*059adfef5b44fa060df14ebdb557514592f2286f0baa8c2cdfbe88205fb0879f*",".{0,1000}059adfef5b44fa060df14ebdb557514592f2286f0baa8c2cdfbe88205fb0879f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21065" "*05a360775b320890751946115dc6802fb3281817088c98696df97015abb5207a*",".{0,1000}05a360775b320890751946115dc6802fb3281817088c98696df97015abb5207a.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21067" "*05cea2ca577a0dc7a1b8e6393547442174c1035818791f2a4e784471ab9dfcf0*",".{0,1000}05cea2ca577a0dc7a1b8e6393547442174c1035818791f2a4e784471ab9dfcf0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21075" "*05da3d393653e62a7513d229788b213cc18db0c48bd73872a3bba62c5df40f02*",".{0,1000}05da3d393653e62a7513d229788b213cc18db0c48bd73872a3bba62c5df40f02.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21077" "*05da4e917b0c66df49df25e8e1139d57a8bfd6454ecd3e69ebb433fe0a52988c*",".{0,1000}05da4e917b0c66df49df25e8e1139d57a8bfd6454ecd3e69ebb433fe0a52988c.{0,1000}","greyware_tool_keyword","rathole","expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21078" 
"*05e2ba6184dcebe6fa334c2a1d4534433e8ff9372636ff98eef96e414212903c*",".{0,1000}05e2ba6184dcebe6fa334c2a1d4534433e8ff9372636ff98eef96e414212903c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21081" "*060277ad974e12419d8e015237356e0111b649f276fafe93a312a2cff24f316a*",".{0,1000}060277ad974e12419d8e015237356e0111b649f276fafe93a312a2cff24f316a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21090" "*060978f4ecf406020b835643e9995ce4e33be8bcdbfc17e82781c8858fb3f971*",".{0,1000}060978f4ecf406020b835643e9995ce4e33be8bcdbfc17e82781c8858fb3f971.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21092" 
"*065886fd1e058334a56aae3730a9291f35cc144a858a0435d17773f85b3fb5c9*",".{0,1000}065886fd1e058334a56aae3730a9291f35cc144a858a0435d17773f85b3fb5c9.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21104" "*066ab67daf36067b99c2c0346d95f69372e5b38a0917396d2470713684e965f4*",".{0,1000}066ab67daf36067b99c2c0346d95f69372e5b38a0917396d2470713684e965f4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21108" "*0676d3458ff6562c5b7fb3229fa9b9fa02e055ea773ce8ecbe45c4f01c43febb*",".{0,1000}0676d3458ff6562c5b7fb3229fa9b9fa02e055ea773ce8ecbe45c4f01c43febb.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21111" "*0679e059dfca6cd022caf808ffe2709207377463a31ccddee1bcb75c161b341c*",".{0,1000}0679e059dfca6cd022caf808ffe2709207377463a31ccddee1bcb75c161b341c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21112" 
"*067fbc0cf0eee4afdc361e12bd03b266e80e85a726647e53709854ec142dd94e*",".{0,1000}067fbc0cf0eee4afdc361e12bd03b266e80e85a726647e53709854ec142dd94e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21113" "*067fca2b141364d273b05e14a8f01d961d80d9599b8658a02a4f486510b9b89b*",".{0,1000}067fca2b141364d273b05e14a8f01d961d80d9599b8658a02a4f486510b9b89b.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","21114" "*0683a8ba741829172c9ba381228cd6b896d8dc729d9cd6f4cf5598ad773d66d2*",".{0,1000}0683a8ba741829172c9ba381228cd6b896d8dc729d9cd6f4cf5598ad773d66d2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21115" "*068793abf6b6c18bfcc9f22207b12de7f25d922960cd5b48e3547851216bc456*",".{0,1000}068793abf6b6c18bfcc9f22207b12de7f25d922960cd5b48e3547851216bc456.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH 
remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","21116" "*069a56ca99f366c294536ade1d99de76e68aac6450bdb5f8b59258295bb1ff22*",".{0,1000}069a56ca99f366c294536ade1d99de76e68aac6450bdb5f8b59258295bb1ff22.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21119" "*06b5b646600b63a96135582d1f340d2c6bb47f8bfe344d6fe92126b5781b4f6d*",".{0,1000}06b5b646600b63a96135582d1f340d2c6bb47f8bfe344d6fe92126b5781b4f6d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21130" "*06bae776acf6e1070847f4c14338b7b4d5cee8dc6653a0175a1e8b9415d5dc14*",".{0,1000}06bae776acf6e1070847f4c14338b7b4d5cee8dc6653a0175a1e8b9415d5dc14.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - 
Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21132" "*06bf3107ccb34b3c144d07ed52a0f39ae0f011d3af0cb951b2927ae2350c4631*",".{0,1000}06bf3107ccb34b3c144d07ed52a0f39ae0f011d3af0cb951b2927ae2350c4631.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21133" "*06c6c311f542cc48cf6f40e6f7d7a8769d933841aa1a5a532fca7015d14017b3*",".{0,1000}06c6c311f542cc48cf6f40e6f7d7a8769d933841aa1a5a532fca7015d14017b3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21136" "*06cbd308062d112af438defe44814f026c704bc065728a3d96ddc89722d004c4*",".{0,1000}06cbd308062d112af438defe44814f026c704bc065728a3d96ddc89722d004c4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21140" "*06ce61d12eac6b663eed3e8596e6b287cd005521e6d0fdc07d8c69fbfebad7b4*",".{0,1000}06ce61d12eac6b663eed3e8596e6b287cd005521e6d0fdc07d8c69fbfebad7b4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21141" "*06d7ff9363468c6ef78fc7268a3f8369b4061843c592af879970712b70d50222*",".{0,1000}06d7ff9363468c6ef78fc7268a3f8369b4061843c592af879970712b70d50222.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21142" 
"*06d8f708f9342d9a956f9b15d73aba12f586cadcc41d74612f300d7752c825a2*",".{0,1000}06d8f708f9342d9a956f9b15d73aba12f586cadcc41d74612f300d7752c825a2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21143" "*06dfa5d139637adf641c5ce926f88aef127165d305af64e655ebaf069c7e3691*",".{0,1000}06dfa5d139637adf641c5ce926f88aef127165d305af64e655ebaf069c7e3691.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21144" "*06f41877ff251b061face147f668e9851b1a5d838f34d8dab4fda9b54029644d*",".{0,1000}06f41877ff251b061face147f668e9851b1a5d838f34d8dab4fda9b54029644d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21151" "*0703f542c4dd1cdde9535cc7552b3bdb2a862904690d7e27f8c61a19f84fc4f1*",".{0,1000}0703f542c4dd1cdde9535cc7552b3bdb2a862904690d7e27f8c61a19f84fc4f1.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21154" "*071b361f116e77b4ce5007e1964d0a68ff7a8817f43b52bf9941544398462e1c*",".{0,1000}071b361f116e77b4ce5007e1964d0a68ff7a8817f43b52bf9941544398462e1c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21160" "*071c1ac9622484472732bfb85fdf11bf4a62d70d4f5d2aeed5a92e9e8be51346*",".{0,1000}071c1ac9622484472732bfb85fdf11bf4a62d70d4f5d2aeed5a92e9e8be51346.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","21161" 
"*071c731ba00d290f45bb8c1b53bb18f27ea8ac9780e9fa30e66cb071ae743778*",".{0,1000}071c731ba00d290f45bb8c1b53bb18f27ea8ac9780e9fa30e66cb071ae743778.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21162" "*07295e2f53ed40f3a94be0a8a39ef52d7478b0477567fcf3ffdb6c62cd0ee525*",".{0,1000}07295e2f53ed40f3a94be0a8a39ef52d7478b0477567fcf3ffdb6c62cd0ee525.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21164" "*072c59c3bc429c761425c680611cc35c189582d6837d4b2bd205c648722b51de*",".{0,1000}072c59c3bc429c761425c680611cc35c189582d6837d4b2bd205c648722b51de.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","21166" "*07311a98f0eb27945a68e1013e666e2ceff69c9241398b7d572086baabb145ee*",".{0,1000}07311a98f0eb27945a68e1013e666e2ceff69c9241398b7d572086baabb145ee.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","21167" "*073f9b935fa7e67e49cdd53823955c3ec8291fefcc39516f88ac57e2dd9131a1*",".{0,1000}073f9b935fa7e67e49cdd53823955c3ec8291fefcc39516f88ac57e2dd9131a1.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","21172" "*0747e08b55fa97ea6d21026781e1f5d2eab2a0fedd42073fd17da0e451bfe1eb*",".{0,1000}0747e08b55fa97ea6d21026781e1f5d2eab2a0fedd42073fd17da0e451bfe1eb.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","21175" "*074be5bde2acec1ea578d7c8e56463ff115851c9af70caeef002ae13c2cee1a3*",".{0,1000}074be5bde2acec1ea578d7c8e56463ff115851c9af70caeef002ae13c2cee1a3.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - 
Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21177" "*075860a08ea0a48a076989f101341a2b20f62e493fc045e9b3f2c6b04fee7374*",".{0,1000}075860a08ea0a48a076989f101341a2b20f62e493fc045e9b3f2c6b04fee7374.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21181" "*0759be5242a162707b9738226af1a163a15fc6e0105dd88765a52e056ac136c4*",".{0,1000}0759be5242a162707b9738226af1a163a15fc6e0105dd88765a52e056ac136c4.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","21182" "*076a40a96cbd1931e456facffc9f1f3bc863a5b4f9e2eb95749952e8c03400af*",".{0,1000}076a40a96cbd1931e456facffc9f1f3bc863a5b4f9e2eb95749952e8c03400af.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21185" "*076d9ce5c8644dbeb313e2d90349ad33d3b718b2701899480573266b3f6f0e6a*",".{0,1000}076d9ce5c8644dbeb313e2d90349ad33d3b718b2701899480573266b3f6f0e6a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to 
the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21186" "*078df1ee57a842cc2395869797ece90a7a6d7158090a84f8b78f41a3072505f6*",".{0,1000}078df1ee57a842cc2395869797ece90a7a6d7158090a84f8b78f41a3072505f6.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21193" "*079ba7d752899ae9635cc444d27479b0cd314a39a282d114e9940a26fb9f55e7*",".{0,1000}079ba7d752899ae9635cc444d27479b0cd314a39a282d114e9940a26fb9f55e7.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","21196" "*07a0651b2053508bab9370df884096effa653cb24cfd8c454c438b15971ece63*",".{0,1000}07a0651b2053508bab9370df884096effa653cb24cfd8c454c438b15971ece63.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21200" "*07ae98d2c32434b5ae6382cf43dda0e42ece5e6788be97f07f6262e9b72cb3a8*",".{0,1000}07ae98d2c32434b5ae6382cf43dda0e42ece5e6788be97f07f6262e9b72cb3a8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21203" "*07b95428cfb9cb49c2447c2ff9fbc503225d5de7ff70c643f45399fc2f08c48c*",".{0,1000}07b95428cfb9cb49c2447c2ff9fbc503225d5de7ff70c643f45399fc2f08c48c.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","21204" "*07c23d21a94d70113d949253478e13261c54d14d72023bb14d96a8da5f3e7722*",".{0,1000}07c23d21a94d70113d949253478e13261c54d14d72023bb14d96a8da5f3e7722.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21206" "*07c29c4df1a2616348871ffd8ca04f3774243980bec8e37f093fe8c0b56cff9e*",".{0,1000}07c29c4df1a2616348871ffd8ca04f3774243980bec8e37f093fe8c0b56cff9e.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21207" "*07c379cc290a52b11493d1edf234b842d2640963ba258b21b8cd16ad082d568e*",".{0,1000}07c379cc290a52b11493d1edf234b842d2640963ba258b21b8cd16ad082d568e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21208" "*07c7b73d7f400fd26bb628f35d79690e3c027cd3619b11a2f68b1153b9bd2583*",".{0,1000}07c7b73d7f400fd26bb628f35d79690e3c027cd3619b11a2f68b1153b9bd2583.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21209" "*07cb932052b68c612875bca687f2a223359c2df6aaf6356710253fcda2b0fb5a*",".{0,1000}07cb932052b68c612875bca687f2a223359c2df6aaf6356710253fcda2b0fb5a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21211" 
"*07cc0dbf5aedfcbba76d61e72e346b2631868e6bd200efdbec214d85a75417f5*",".{0,1000}07cc0dbf5aedfcbba76d61e72e346b2631868e6bd200efdbec214d85a75417f5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21212" "*07e190870caede5e3034c7d127d516c1bbd53b0b1b194cc3965b9b7abd29d677*",".{0,1000}07e190870caede5e3034c7d127d516c1bbd53b0b1b194cc3965b9b7abd29d677.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21219" "*07e837c2ad8be50c19a464a4db64a912acf2e5d5531fdbfe2c4ac5ac008c83ab*",".{0,1000}07e837c2ad8be50c19a464a4db64a912acf2e5d5531fdbfe2c4ac5ac008c83ab.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21222" "*07f035eece5daa843a0b570b66d714e35f886e21a05446454743ed6e4729fc16*",".{0,1000}07f035eece5daa843a0b570b66d714e35f886e21a05446454743ed6e4729fc16.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by 
attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21225" "*07f70bf5e1e41d3ad989824ccd3eb652dd4f30d151aab605c01a05b9db74a2df*",".{0,1000}07f70bf5e1e41d3ad989824ccd3eb652dd4f30d151aab605c01a05b9db74a2df.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21227" "*07f77944b0bf8adafd778c2dd5a04e7bce814e5fb53de3163093c6205082d4b3*",".{0,1000}07f77944b0bf8adafd778c2dd5a04e7bce814e5fb53de3163093c6205082d4b3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21228" "*0809a44b710a9ff83ae4ab0358fa49881955184ca2d8823b2a1713d2a5d3f741*",".{0,1000}0809a44b710a9ff83ae4ab0358fa49881955184ca2d8823b2a1713d2a5d3f741.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - 
BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21233" "*081242ae9f1c5b9a54ab009aeb7a16872ad049a69c6e62741eab8f0e67649582*",".{0,1000}081242ae9f1c5b9a54ab009aeb7a16872ad049a69c6e62741eab8f0e67649582.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21239" "*08140ddc8cd28056e9ff871e25afa4c2651115ec7829f32a7c398a1bf97c0b52*",".{0,1000}08140ddc8cd28056e9ff871e25afa4c2651115ec7829f32a7c398a1bf97c0b52.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","21240" "*081bc7643ef925369e6a552549d998bdf92d15a9d0e1239a2502fadfe30dcd44*",".{0,1000}081bc7643ef925369e6a552549d998bdf92d15a9d0e1239a2502fadfe30dcd44.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - 
TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21244" "*081e0f8ba995218e30ad3c0fa7a12493f17dcbbbac73fdae4391fddf8af2f918*",".{0,1000}081e0f8ba995218e30ad3c0fa7a12493f17dcbbbac73fdae4391fddf8af2f918.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21245" "*0820eee2fc73291dffd3794511099582b2b5dc0e5e112fea75100e64834f95f4*",".{0,1000}0820eee2fc73291dffd3794511099582b2b5dc0e5e112fea75100e64834f95f4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21246" "*0823b0c96929973ad48989eb8195d937af62902d98b15ab2d33a83b74d719e2f*",".{0,1000}0823b0c96929973ad48989eb8195d937af62902d98b15ab2d33a83b74d719e2f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21247" "*082b4796f2b2fb7a81f9f00a8b2008713fba88eb8d80266c12a24a8ed3379101*",".{0,1000}082b4796f2b2fb7a81f9f00a8b2008713fba88eb8d80266c12a24a8ed3379101.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21248" "*08384f3f05ad85b2aa935dbd2e46a053cb0001b28bbe593dde2a8c4b822c2a7d*",".{0,1000}08384f3f05ad85b2aa935dbd2e46a053cb0001b28bbe593dde2a8c4b822c2a7d.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","21252" "*083d05fd31ebe56b9a6808a1013858db66e784140ab82e0c9c410bb337a7a12d*",".{0,1000}083d05fd31ebe56b9a6808a1013858db66e784140ab82e0c9c410bb337a7a12d.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","21255" "*084a42ddb25d1cdec5b607e7ef814c6feb7e644fe4d7648b28c590c705d1abf1*",".{0,1000}084a42ddb25d1cdec5b607e7ef814c6feb7e644fe4d7648b28c590c705d1abf1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21259" "*084d3c601a9f5d100ad3be26d94b643f2843fa64dcc5f2f2057c612bf7f9d4f1*",".{0,1000}084d3c601a9f5d100ad3be26d94b643f2843fa64dcc5f2f2057c612bf7f9d4f1.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21260" "*084e97e9ebab79b4fe01d48f70c81cfbdc45d811265f3987eb7c322be34e39d0*",".{0,1000}084e97e9ebab79b4fe01d48f70c81cfbdc45d811265f3987eb7c322be34e39d0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21261" "*084e9d9e599fdff366099956e1821219c2e0004974fc240a5033d66afed32d36*",".{0,1000}084e9d9e599fdff366099956e1821219c2e0004974fc240a5033d66afed32d36.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","21262" "*08589a1a9ab1159cdd8a156c28bf19b64c0587bd9a415affd19a15ea86441d06*",".{0,1000}08589a1a9ab1159cdd8a156c28bf19b64c0587bd9a415affd19a15ea86441d06.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21264" "*085cc263f0fad4f18b19f76c28dc70808249bef383f308ff823bfe28cd3a1de4*",".{0,1000}085cc263f0fad4f18b19f76c28dc70808249bef383f308ff823bfe28cd3a1de4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21265" "*086848f2d4683ed2d581b584648d5c9c1bfe9ff61b85005c8a6477079f58b95d*",".{0,1000}086848f2d4683ed2d581b584648d5c9c1bfe9ff61b85005c8a6477079f58b95d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21267" "*08780d6ee4b09412225b966f301ef86b8bc9cd4bb39c79a9ef9a0a30062a4ce7*",".{0,1000}08780d6ee4b09412225b966f301ef86b8bc9cd4bb39c79a9ef9a0a30062a4ce7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21271" "*087a45762e1d7760cb0a52f74e797ece192cf338a1c090c198733bd5a6166bcc*",".{0,1000}087a45762e1d7760cb0a52f74e797ece192cf338a1c090c198733bd5a6166bcc.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21272" "*087dae4b718907c400d19d3e497619042ad74036da714be2812ab423e0a86e84*",".{0,1000}087dae4b718907c400d19d3e497619042ad74036da714be2812ab423e0a86e84.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","21274" "*08bb9b6592f50f08dcdd69a834028520f03e3186e530e69135f91ffc71d63e1a*",".{0,1000}08bb9b6592f50f08dcdd69a834028520f03e3186e530e69135f91ffc71d63e1a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21290" "*08cd75e56a67161e9b16885816f04b2bf1fb5b03bc0677b0ccf3812781c1a2ec*",".{0,1000}08cd75e56a67161e9b16885816f04b2bf1fb5b03bc0677b0ccf3812781c1a2ec.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for 
data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21296" "*08dd1192aa3840bd9b1b5f0949f0377d27bca65f4e7dff37ec81daf4599795c3*",".{0,1000}08dd1192aa3840bd9b1b5f0949f0377d27bca65f4e7dff37ec81daf4599795c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21300" "*08ddaf402175aaeae32e29f98347d5e97b894f549e9c0c9fe1276fb7f2fb5db0*",".{0,1000}08ddaf402175aaeae32e29f98347d5e97b894f549e9c0c9fe1276fb7f2fb5db0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21301" 
"*08eee3c5dfdc940f19deba942d5bd9a9e824cdfd1212db7eead5644f556f7a9e*",".{0,1000}08eee3c5dfdc940f19deba942d5bd9a9e824cdfd1212db7eead5644f556f7a9e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21305" "*08ef26797923f93bb5a395f7d4e4bf9bddab731f0c38c29cdd843848f7b3bc89*",".{0,1000}08ef26797923f93bb5a395f7d4e4bf9bddab731f0c38c29cdd843848f7b3bc89.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21306" "*08fac0b039b25bd7d18d79fd618ae5b75c49574102d2946db1fc2f275a19ff67*",".{0,1000}08fac0b039b25bd7d18d79fd618ae5b75c49574102d2946db1fc2f275a19ff67.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21309" "*0900453b3118e8907fd19a1bb4b56d29c3f09b20d1eaccc773e888f80761d065*",".{0,1000}0900453b3118e8907fd19a1bb4b56d29c3f09b20d1eaccc773e888f80761d065.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21310" "*090b4b082caa554812f341ae26ea6758b40338836122595d6283c60c39eb5a97*",".{0,1000}090b4b082caa554812f341ae26ea6758b40338836122595d6283c60c39eb5a97.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21316" "*091518fa5ffd54b71b90eaefdf9d8d05fbf0da1b5585d39ec9e202bf9c448a47*",".{0,1000}091518fa5ffd54b71b90eaefdf9d8d05fbf0da1b5585d39ec9e202bf9c448a47.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21318" "*0915925d325e078508375c4ffbd4570c392c13640977a05e19db330a75ab510a*",".{0,1000}0915925d325e078508375c4ffbd4570c392c13640977a05e19db330a75ab510a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21319" 
"*09240b41bc7ac8c3ece03ee6262ea8b019cbb3cf191c35fb761d6888eadf5c4f*",".{0,1000}09240b41bc7ac8c3ece03ee6262ea8b019cbb3cf191c35fb761d6888eadf5c4f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21320" "*0927710fe2ab1e73a1797de36da9ada6322b8ac8ce473fc2db3a8b70b3ce141b*",".{0,1000}0927710fe2ab1e73a1797de36da9ada6322b8ac8ce473fc2db3a8b70b3ce141b.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","21321" "*09329200234dd56722e095ee5b0b3d31bf8d39f3bdacb4a473b9144a7e8e8b7d*",".{0,1000}09329200234dd56722e095ee5b0b3d31bf8d39f3bdacb4a473b9144a7e8e8b7d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21324" 
"*094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde*",".{0,1000}094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","21329" "*0950dbcd22a110b50c7636f2ff7ca73ee120568d375d75539546c6590cd75ce9*",".{0,1000}0950dbcd22a110b50c7636f2ff7ca73ee120568d375d75539546c6590cd75ce9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21331" "*095b8583d9fb99dc593ffe604e5c40bd57e24b471e8b6cd84fd8cdbd81ae3d04*",".{0,1000}095b8583d9fb99dc593ffe604e5c40bd57e24b471e8b6cd84fd8cdbd81ae3d04.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21336" "*095e73fc4b115afd77e39a9389ff1eff6bdbff7a*",".{0,1000}095e73fc4b115afd77e39a9389ff1eff6bdbff7a.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote
control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","21337" "*096311de816ac0a5c886680f6e60f99ad60df58773f2dbece09fb35e48b5702c*",".{0,1000}096311de816ac0a5c886680f6e60f99ad60df58773f2dbece09fb35e48b5702c.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","21338" "*0965055fd620c556b5e515b292178d9fc77d04b5739c593be7c08e8b32ea93ec*",".{0,1000}0965055fd620c556b5e515b292178d9fc77d04b5739c593be7c08e8b32ea93ec.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","21339" "*09825c8818a296f345bd6296dc4ebbc4df00d11c10580ffc06dd485cb8451fab*",".{0,1000}09825c8818a296f345bd6296dc4ebbc4df00d11c10580ffc06dd485cb8451fab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21348" "*09a4130590a298593cd3685484703c60c9e4981ae795885e800ecf6c90d02f71*",".{0,1000}09a4130590a298593cd3685484703c60c9e4981ae795885e800ecf6c90d02f71.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21357" "*09a433cb1c6cdbf2f851487e969a462ee015856af50e1e88e9298d9472040187*",".{0,1000}09a433cb1c6cdbf2f851487e969a462ee015856af50e1e88e9298d9472040187.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21358" 
"*09b5f413ec7c75c4ad05a832f70512725f706be190b77a04bf459ba46bf4fb1a*",".{0,1000}09b5f413ec7c75c4ad05a832f70512725f706be190b77a04bf459ba46bf4fb1a.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","21363" "*09c5de00c5304e6f2b2e3f031202fa6175748a451cb4e7d8c7c122ad2736f215*",".{0,1000}09c5de00c5304e6f2b2e3f031202fa6175748a451cb4e7d8c7c122ad2736f215.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21366" "*09c97fef43a054ad611912d81971b8e58395bfda3d280ef8242c74fcec0c63ea*",".{0,1000}09c97fef43a054ad611912d81971b8e58395bfda3d280ef8242c74fcec0c63ea.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21367" "*09cbf17e7d795725b162f94d0f3234c5782200c691a76fab4b3e026cd2e1d691*",".{0,1000}09cbf17e7d795725b162f94d0f3234c5782200c691a76fab4b3e026cd2e1d691.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21368" "*09e0a6d142c1b6961d1b632542319dc33b97d66a6c625c7088cde89c62b4ed26*",".{0,1000}09e0a6d142c1b6961d1b632542319dc33b97d66a6c625c7088cde89c62b4ed26.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21372" "*09e451ce640afddb9ba25ed619bf2b26b8d080dbf3d09a3ac22f4d365d7832d3*",".{0,1000}09e451ce640afddb9ba25ed619bf2b26b8d080dbf3d09a3ac22f4d365d7832d3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21374" "*09f843b9740312ad9a4d084ed99c85cb589da4b78f434d141a03ded8cf052553*",".{0,1000}09f843b9740312ad9a4d084ed99c85cb589da4b78f434d141a03ded8cf052553.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and 
folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","21379" "*0a08cac081d32713c5aaa00b04424dcdf2ffcaa7b58620eebc9ee17b5d25ebbf*",".{0,1000}0a08cac081d32713c5aaa00b04424dcdf2ffcaa7b58620eebc9ee17b5d25ebbf.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","21382" "*0a15c94da1d3260464b1fb81195631f9c336471090aba0989424c75a02d4d91a*",".{0,1000}0a15c94da1d3260464b1fb81195631f9c336471090aba0989424c75a02d4d91a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21387" "*0a348d00ff8925287a5fb696c5dd5e4f66c4d8fad6f2a19597acd9dc856f15c5*",".{0,1000}0a348d00ff8925287a5fb696c5dd5e4f66c4d8fad6f2a19597acd9dc856f15c5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21396" "*0a4958c4b72f0ec7aac3a9601675737d1ae3bdf80063e2997a99d5b3ffd45295*",".{0,1000}0a4958c4b72f0ec7aac3a9601675737d1ae3bdf80063e2997a99d5b3ffd45295.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21398" "*0a4d45de276a41b9c54290e68e9456d2f755914b8e30109b329383717daff59a*",".{0,1000}0a4d45de276a41b9c54290e68e9456d2f755914b8e30109b329383717daff59a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21399" "*0a539ea3eb8e7708241c05a746cf459f027e1bb4ab54e870bbcbe63e3f7a6de9*",".{0,1000}0a539ea3eb8e7708241c05a746cf459f027e1bb4ab54e870bbcbe63e3f7a6de9.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","21400" "*0a6890a6e321fa795e960c77d09bebf620dba250274fb16fa59f1694cb2109bf*",".{0,1000}0a6890a6e321fa795e960c77d09bebf620dba250274fb16fa59f1694cb2109bf.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21406" 
"*0a7a6426d5e23cad778a82f4a7b0697350b2e4d7adb5ac55db63356406f399fc*",".{0,1000}0a7a6426d5e23cad778a82f4a7b0697350b2e4d7adb5ac55db63356406f399fc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21410" "*0a80748ee061b0dc3fef0ecf95abcdcf6554fb09e2f3675fa8f48c43d5582dfa*",".{0,1000}0a80748ee061b0dc3fef0ecf95abcdcf6554fb09e2f3675fa8f48c43d5582dfa.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21413" "*0a80ed2036c5a15822118f892272d819010c0f6b0856d8c4360bb1f8c5039c46*",".{0,1000}0a80ed2036c5a15822118f892272d819010c0f6b0856d8c4360bb1f8c5039c46.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21414" "*0a8ce786d48460aa1d4a75624c19262482df822fc36906461d602bb9451b2d3a*",".{0,1000}0a8ce786d48460aa1d4a75624c19262482df822fc36906461d602bb9451b2d3a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21415" "*0ac137ea9061aea6b6e8e5fc228b1082e14d3e29cafe6103f542ac4ffd728843*",".{0,1000}0ac137ea9061aea6b6e8e5fc228b1082e14d3e29cafe6103f542ac4ffd728843.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21423" "*0ac18d8f1ea7306f3d76df0d034de4b2ae839027e88a86073f4745cfa181af2c*",".{0,1000}0ac18d8f1ea7306f3d76df0d034de4b2ae839027e88a86073f4745cfa181af2c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21424" "*0ad89df3db2ab0dbbfe6e7e0f943d7c57154119d1f8c3be80b7254780ab7c5ac*",".{0,1000}0ad89df3db2ab0dbbfe6e7e0f943d7c57154119d1f8c3be80b7254780ab7c5ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21432" "*0aef9a7896fe8bcad991aec5afc995529bd676169494759b4c5b0d4867431da0*",".{0,1000}0aef9a7896fe8bcad991aec5afc995529bd676169494759b4c5b0d4867431da0.{0,1000}","greyware_tool_keyword","rathole","Expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21440" "*0af3ca934eb27efcb04923f478a90528eddc5ad8ffc4c0b183d83896383eaffe*",".{0,1000}0af3ca934eb27efcb04923f478a90528eddc5ad8ffc4c0b183d83896383eaffe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21443" "*0b0977a047ea3397c83d19f0edeef003c98021a2f64b03503f67a7189aeab4bf*",".{0,1000}0b0977a047ea3397c83d19f0edeef003c98021a2f64b03503f67a7189aeab4bf.{0,1000}","greyware_tool_keyword","freefilesync","FreeFileSync is a backup and file synchronization program abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#filehash","N/A","9","10","N/A","N/A","N/A","N/A","21445" 
"*0b1359c7b13b51d57bc917ca161f659550137e223ae0e317c3b4911fdfe59c7e*",".{0,1000}0b1359c7b13b51d57bc917ca161f659550137e223ae0e317c3b4911fdfe59c7e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","21447" "*0b200be5c6584356e7edc5d18f1ea00f7e467295b50fd5437bf119c99792bfc7*",".{0,1000}0b200be5c6584356e7edc5d18f1ea00f7e467295b50fd5437bf119c99792bfc7.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","21450" "*0b2bc7f3b6b1117924d30ce00aba145b572893f69289c1e8da24ab545ffc16eb*",".{0,1000}0b2bc7f3b6b1117924d30ce00aba145b572893f69289c1e8da24ab545ffc16eb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21451" "*0b3128b7117e4575cd58267525750053b8ad2abbff38d586faa4e2b72c7a31db*",".{0,1000}0b3128b7117e4575cd58267525750053b8ad2abbff38d586faa4e2b72c7a31db.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","21453" 
"*0b44e69ab4b77120146dc0e8373afc0fdd09889eea1e8bea172ff97a0213730d*",".{0,1000}0b44e69ab4b77120146dc0e8373afc0fdd09889eea1e8bea172ff97a0213730d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21458" "*0b65b97063a6a2342da20ec4779b189bad3753dc596f7e79e72021fa17e20bab*",".{0,1000}0b65b97063a6a2342da20ec4779b189bad3753dc596f7e79e72021fa17e20bab.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21465" "*0b6e3bb9babf35f1580de0b32ba27a13e5187dfd5a66c6694e2e4713c49c0532*",".{0,1000}0b6e3bb9babf35f1580de0b32ba27a13e5187dfd5a66c6694e2e4713c49c0532.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21469" "*0b6ea556073812f430482992e60bffc80ca1134bd83b05a0575f577498833c86*",".{0,1000}0b6ea556073812f430482992e60bffc80ca1134bd83b05a0575f577498833c86.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21470" "*0b7ff7dec2fdc2d87ef6837cbc2fdde8753da066959c78a99d1c508d1037b926*",".{0,1000}0b7ff7dec2fdc2d87ef6837cbc2fdde8753da066959c78a99d1c508d1037b926.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21475" "*0b860218a265d58208a132a83dcf04780635337c722caa05cbbd281b32749a91*",".{0,1000}0b860218a265d58208a132a83dcf04780635337c722caa05cbbd281b32749a91.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21476" "*0b8c64aa6263b5ad20087692b6f1d2ae26875a1f3015aa7c8bb1f401baa59ec7*",".{0,1000}0b8c64aa6263b5ad20087692b6f1d2ae26875a1f3015aa7c8bb1f401baa59ec7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21477" "*0b8f89e4fc750945542db27755503efb9f7bc315991393be3841a5946cc1f1c9*",".{0,1000}0b8f89e4fc750945542db27755503efb9f7bc315991393be3841a5946cc1f1c9.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","21479" "*0b917a040f43b5b120a3288f76e857203cc52f51c2f78c997d4d0c2da3d0c0c5*",".{0,1000}0b917a040f43b5b120a3288f76e857203cc52f51c2f78c997d4d0c2da3d0c0c5.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","21481" "*0b938c1c8389829602f511b4d8ebbe8f6d2ae6fb4e5a88540b1699c922a63610*",".{0,1000}0b938c1c8389829602f511b4d8ebbe8f6d2ae6fb4e5a88540b1699c922a63610.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21483" "*0ba22bd4f6df92dbc7692a669d8663300d99d7a74275903d3054c8a9fb4c6522*",".{0,1000}0ba22bd4f6df92dbc7692a669d8663300d99d7a74275903d3054c8a9fb4c6522.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21484" "*0baadab16b2bd3ed7d10d966255c362e0710beaf24ef777f63a27e41e0983079*",".{0,1000}0baadab16b2bd3ed7d10d966255c362e0710beaf24ef777f63a27e41e0983079.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21487" "*0bad6f375d4fbe97b07720bf4d81767cd51fdd09acec6ee64399fd902704599b*",".{0,1000}0bad6f375d4fbe97b07720bf4d81767cd51fdd09acec6ee64399fd902704599b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21488" 
"*0bbef44b2adaf9275ffdcc5d8a7bb65a31208c3909bde623487caf83680f19c9*",".{0,1000}0bbef44b2adaf9275ffdcc5d8a7bb65a31208c3909bde623487caf83680f19c9.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","21493" "*0bcf557bb9fdac75b80c93f575ff2810e7c7c30b9fbf895f424c046d43c7cc68*",".{0,1000}0bcf557bb9fdac75b80c93f575ff2810e7c7c30b9fbf895f424c046d43c7cc68.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21498" "*0be41303879df031d5f222dad7db73011d7b3753a39840380211767037a8a310*",".{0,1000}0be41303879df031d5f222dad7db73011d7b3753a39840380211767037a8a310.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21504" 
"*0bec24bf1d313b22de9c879bf3803256f945be419f23db4e58fdb73c3f15ec31*",".{0,1000}0bec24bf1d313b22de9c879bf3803256f945be419f23db4e58fdb73c3f15ec31.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21505" "*0bec3d7403f9a089a30003eb12d000cfac25e12e826055d87dd111f3e7bb8559*",".{0,1000}0bec3d7403f9a089a30003eb12d000cfac25e12e826055d87dd111f3e7bb8559.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21506" "*0bf96f473385bbeb64faad3caec3ad721187b328f2228820e49838e187da0e22*",".{0,1000}0bf96f473385bbeb64faad3caec3ad721187b328f2228820e49838e187da0e22.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21510" "*0bin - encrypted pastebin*",".{0,1000}0bin\s\-\sencrypted\spastebin.{0,1000}","greyware_tool_keyword","0bin.net","Accessing a paste on 0bin.net","T1213 - T1190","TA0001 - TA0009 - TA0010","N/A","N/A","Collection","https://0bin.net","1","0","#PastebinLike","N/A","5","10","N/A","N/A","N/A","N/A","21511" "*0c197d94ca78db1fa029238f944f822c1b90b6f976c569cfd31eb438b16acba2*",".{0,1000}0c197d94ca78db1fa029238f944f822c1b90b6f976c569cfd31eb438b16acba2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21515" "*0c19de7f525b4f40bf35347c9834564e48cdfdf1b64972d0aef9e548d29960dd*",".{0,1000}0c19de7f525b4f40bf35347c9834564e48cdfdf1b64972d0aef9e548d29960dd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21516" "*0c1ce0a85821e71d41b86deb8b16f43fe5150c376b3eb8de93979ead13bd57f6*",".{0,1000}0c1ce0a85821e71d41b86deb8b16f43fe5150c376b3eb8de93979ead13bd57f6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21519" "*0c209fa7735b7a129d52fe5defb41289d878233480d2660803045811ba40a62f*",".{0,1000}0c209fa7735b7a129d52fe5defb41289d878233480d2660803045811ba40a62f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21520" "*0c20cf6d65d5dfc9f36005813dc82517043fd635cbb571aa1c1039d3cd5161ec*",".{0,1000}0c20cf6d65d5dfc9f36005813dc82517043fd635cbb571aa1c1039d3cd5161ec.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","21521" "*0c2294231827539891a70bd5b7657c7d1d87f53d13f2c609a32f49ca54440797*",".{0,1000}0c2294231827539891a70bd5b7657c7d1d87f53d13f2c609a32f49ca54440797.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","21522" "*0c4413aa7e74903ba6c00cd78d60bb9a153d5775949a90d2c794ec00cef7fbd8*",".{0,1000}0c4413aa7e74903ba6c00cd78d60bb9a153d5775949a90d2c794ec00cef7fbd8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21533" "*0c6710b58b9054fd232c624dae29020bc765c962ae095a3eb53a0981379689b8*",".{0,1000}0c6710b58b9054fd232c624dae29020bc765c962ae095a3eb53a0981379689b8.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","21541" "*0c6765d8b03582b3f474770d4bedd235792a896d079c541b75d1757807daae1c*",".{0,1000}0c6765d8b03582b3f474770d4bedd235792a896d079c541b75d1757807daae1c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21542" "*0c74d8fb887691e04e865e3b6bc32e8af47c3e54a9922ffdbed38c8323e281c9*",".{0,1000}0c74d8fb887691e04e865e3b6bc32e8af47c3e54a9922ffdbed38c8323e281c9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21544" "*0c7d97d7909d08d4423b444bd4e475eb863dc9c57bbe002c770cb15e915aa8c1*",".{0,1000}0c7d97d7909d08d4423b444bd4e475eb863dc9c57bbe002c770cb15e915aa8c1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21548" "*0c8170f2892a5479618553897c042024ab2058af5e4255a46c0ba63deb1727d0*",".{0,1000}0c8170f2892a5479618553897c042024ab2058af5e4255a46c0ba63deb1727d0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21551" "*0c9f95a64d12580994ffbdd1ba90e8e020a97056d06615c3e6ced6001a7beea4*",".{0,1000}0c9f95a64d12580994ffbdd1ba90e8e020a97056d06615c3e6ced6001a7beea4.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","21562" "*0cba4351414f3da3355bc9ab73052e0d36d6f18e513047650dad956fb6344285*",".{0,1000}0cba4351414f3da3355bc9ab73052e0d36d6f18e513047650dad956fb6344285.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","21570" 
"*0cbf3ed058d43997b5b034e7c60de64b16ef94a3578358eaf0b4b4a9e6777446*",".{0,1000}0cbf3ed058d43997b5b034e7c60de64b16ef94a3578358eaf0b4b4a9e6777446.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21571" "*0cbf79a249738f27da092c9cfd1d97fc2a533ee1f15553f4ad3d9606145fea30*",".{0,1000}0cbf79a249738f27da092c9cfd1d97fc2a533ee1f15553f4ad3d9606145fea30.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21572" "*0ccc051693da612b7c4eed265598d3c8878019cb21e6ec9e3869f94b93e6ca80*",".{0,1000}0ccc051693da612b7c4eed265598d3c8878019cb21e6ec9e3869f94b93e6ca80.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21575" "*0ccd8d079be2eda18c896a8776b982a0a9e2d7b59e3764a150dd22bf54b9cf55*",".{0,1000}0ccd8d079be2eda18c896a8776b982a0a9e2d7b59e3764a150dd22bf54b9cf55.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21576" "*0cd33dcfe9a38441eda2c60675f05ab3c3875b1e54608583d50d0835c567a30e*",".{0,1000}0cd33dcfe9a38441eda2c60675f05ab3c3875b1e54608583d50d0835c567a30e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21578" "*0cd720bb196cf0e2025f393effe11cb888cf4a069add5b0ffa7cbf73635d1de3*",".{0,1000}0cd720bb196cf0e2025f393effe11cb888cf4a069add5b0ffa7cbf73635d1de3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21580" "*0cdca1cfe564a433a8c32d514a25dc86d35c29a28511878834e825f4a333c29d*",".{0,1000}0cdca1cfe564a433a8c32d514a25dc86d35c29a28511878834e825f4a333c29d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21582" "*0ce4d8b829709b17c098e5405ddfb62e1c7fb4d7a7abcc58424f97a75d86419e*",".{0,1000}0ce4d8b829709b17c098e5405ddfb62e1c7fb4d7a7abcc58424f97a75d86419e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21583" "*0ce68a99407f300b71cebe379dfa81096726595934a8dcd45360f84dc6c08163*",".{0,1000}0ce68a99407f300b71cebe379dfa81096726595934a8dcd45360f84dc6c08163.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21584" "*0cf697c88404b180d6d6ff2e7d2c27b2fcb9536da6dbdf15ad4d320af7e8f17c*",".{0,1000}0cf697c88404b180d6d6ff2e7d2c27b2fcb9536da6dbdf15ad4d320af7e8f17c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21586" "*0cfa716d39fc90ed0c4db1bd68f1b4b791f26e5fab4003ae9b816d1f7d68d208*",".{0,1000}0cfa716d39fc90ed0c4db1bd68f1b4b791f26e5fab4003ae9b816d1f7d68d208.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","21591" "*0cfb5b4de55c4affbc5df2d949015300f554d0eca7bb925a79db14997d5c18e2*",".{0,1000}0cfb5b4de55c4affbc5df2d949015300f554d0eca7bb925a79db14997d5c18e2.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21593" "*0cfc3c9a964253eea12a9d5705ee0ca0967605483f1dca3c6ef28aed5fdc5b30*",".{0,1000}0cfc3c9a964253eea12a9d5705ee0ca0967605483f1dca3c6ef28aed5fdc5b30.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21594" "*0d04bf172b67dd122712b067dbd1e53f958c4ef8c54490d907ca86c7e666b7ec*",".{0,1000}0d04bf172b67dd122712b067dbd1e53f958c4ef8c54490d907ca86c7e666b7ec.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt 
- AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21596" "*0d0522c91a58990fb696342ab2b03ef6ae1585cc0e37d358d36edcc567dfdab6*",".{0,1000}0d0522c91a58990fb696342ab2b03ef6ae1585cc0e37d358d36edcc567dfdab6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21597" "*0d05bed47cc1579a068f83123a502c59d447b20a5318c1d70ffb7a0b638a7aff*",".{0,1000}0d05bed47cc1579a068f83123a502c59d447b20a5318c1d70ffb7a0b638a7aff.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","21598" "*0d05e3ebd2490c026e1b8f6780d901eedde65562af02acf3bf80d729a2aae52b*",".{0,1000}0d05e3ebd2490c026e1b8f6780d901eedde65562af02acf3bf80d729a2aae52b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21599" "*0d0811072bcce0b852fe3b5da38b12fdbc8e91a419df88c0ff6b09ba0fcb4ca4*",".{0,1000}0d0811072bcce0b852fe3b5da38b12fdbc8e91a419df88c0ff6b09ba0fcb4ca4.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","21600" "*0d29aadf342a6962c930d7291fc266bd4bb87756c3b96bc4a8d8589de59f22eb*",".{0,1000}0d29aadf342a6962c930d7291fc266bd4bb87756c3b96bc4a8d8589de59f22eb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21610" "*0d2d07010e3ad3219d37b9a10a04abf50bd84c6c429b96aab5aad70f31c42efe*",".{0,1000}0d2d07010e3ad3219d37b9a10a04abf50bd84c6c429b96aab5aad70f31c42efe.{0,1000}","greyware_tool_keyword","RpcView","RpcView is a free tool to explore and decompile Microsoft RPC interfaces","T1082 - T1016 - T1046 - T1622","TA0007 - TA0008","N/A","Dispossessor","Discovery","https://github.com/silverf0x/RpcView","1","0","#filehash","N/A","6","10","965","255","2023-09-24T19:58:04Z","2017-03-14T19:14:45Z","21611" "*0d34f8d272ad4e604c2798ad670d2a2b06d397cc38fa3d84382a16d014c43925*",".{0,1000}0d34f8d272ad4e604c2798ad670d2a2b06d397cc38fa3d84382a16d014c43925.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21617" "*0d7bafd96f7400a85372e15cfbb0e3d190701604903734e9546635720bbb56be*",".{0,1000}0d7bafd96f7400a85372e15cfbb0e3d190701604903734e9546635720bbb56be.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21629" "*0d7f56e583575888e68ce8c945fbd4c05842dceb352ddc7e8beeb86fe0d36861*",".{0,1000}0d7f56e583575888e68ce8c945fbd4c05842dceb352ddc7e8beeb86fe0d36861.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21630" 
"*0d8bf8b7460681f7906096a9d37eedecc5a1d1d3ad17652e68f0c6de104c2412*",".{0,1000}0d8bf8b7460681f7906096a9d37eedecc5a1d1d3ad17652e68f0c6de104c2412.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21632" "*0d8f28ea01d3866ad7ee4abbdc5bdfd83d41702dcf029584ef30cb0055be8538*",".{0,1000}0d8f28ea01d3866ad7ee4abbdc5bdfd83d41702dcf029584ef30cb0055be8538.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","#filehash","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","21636" "*0d92df6cbf264c19eeae098f67a24215e131e63c981116732be537600856f9c1*",".{0,1000}0d92df6cbf264c19eeae098f67a24215e131e63c981116732be537600856f9c1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus 
- EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21638" "*0db350f810a9f99c15d47e7c8d5588443952e00c0a49f88a6ffa776250b03a08*",".{0,1000}0db350f810a9f99c15d47e7c8d5588443952e00c0a49f88a6ffa776250b03a08.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21645" "*0DBF152DEAF0B981A8A938D53F769DB8*",".{0,1000}0DBF152DEAF0B981A8A938D53F769DB8.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage - compromised certificate - https://anydesk.com/en/changelog/windows","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","#certificate","compromised certificate","8","8","N/A","N/A","N/A","N/A","21652" "*0dc142c2d3aeb026b3e4c48a625a914cce46ff7746ecf4b0f14e5eec3943e2ac*",".{0,1000}0dc142c2d3aeb026b3e4c48a625a914cce46ff7746ecf4b0f14e5eec3943e2ac.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","21654" "*0dc1e16be2a13ae30176a34a2b31a93c3bfd49d1382477f096e3a91ba98826ba*",".{0,1000}0dc1e16be2a13ae30176a34a2b31a93c3bfd49d1382477f096e3a91ba98826ba.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21655" "*0de968ffd4a6c60413cac739dccb1b162f8f93f3db754728fde8738e52706fa4*",".{0,1000}0de968ffd4a6c60413cac739dccb1b162f8f93f3db754728fde8738e52706fa4.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","21666" "*0dfc977e19f814b462af81a7d493d16dcbd8c55ac584eb75da6654a9bb885050*",".{0,1000}0dfc977e19f814b462af81a7d493d16dcbd8c55ac584eb75da6654a9bb885050.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21674" 
"*0e086b861b0e4276718da0db900f80377403e367ca03a3a62f7c44ff909556f6*",".{0,1000}0e086b861b0e4276718da0db900f80377403e367ca03a3a62f7c44ff909556f6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21676" "*0e0eb55f19ba1ca1758d6a10250d53ba6518180eca89545a90f5cce81a3729b0*",".{0,1000}0e0eb55f19ba1ca1758d6a10250d53ba6518180eca89545a90f5cce81a3729b0.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","21678" "*0e0f4b20b92d63623bd0abfc7a233a26a66834efb8a36d67c9dd14fdd973822d*",".{0,1000}0e0f4b20b92d63623bd0abfc7a233a26a66834efb8a36d67c9dd14fdd973822d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21679" 
"*0e110e91b09baca32b4fd9e0a972162f36f2e6e7c58bf4ee142bcda7c3411c93*",".{0,1000}0e110e91b09baca32b4fd9e0a972162f36f2e6e7c58bf4ee142bcda7c3411c93.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21680" "*0e13e574f88a370641aa5e135c7923e8c93d0f6c4c9b29eb31de632316122bb0*",".{0,1000}0e13e574f88a370641aa5e135c7923e8c93d0f6c4c9b29eb31de632316122bb0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21681" "*0e21c6d9e3ae30e6970c8e72c062ea7f1802b02312bd30724c4be3ecda95e52f*",".{0,1000}0e21c6d9e3ae30e6970c8e72c062ea7f1802b02312bd30724c4be3ecda95e52f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21683" "*0e5bf235710c87db0a36bee78ea089763fb9c36f185bb091a4a6531dc593b9c5*",".{0,1000}0e5bf235710c87db0a36bee78ea089763fb9c36f185bb091a4a6531dc593b9c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21701" "*0E5D043A-CAA1-40C7-A616-773F347FA43F*",".{0,1000}0E5D043A\-CAA1\-40C7\-A616\-773F347FA43F.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#GUIDproject","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","21702" "*0e683610f7369c674cebc1ecf8d6e030f0433226887b902e74fe1e174c23a6a7*",".{0,1000}0e683610f7369c674cebc1ecf8d6e030f0433226887b902e74fe1e174c23a6a7.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21706" "*0e6ac7f5a2adec8973bcb337c1f12f28931b76f3e3d45b14d63acf1e3bf07a31*",".{0,1000}0e6ac7f5a2adec8973bcb337c1f12f28931b76f3e3d45b14d63acf1e3bf07a31.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","21707" "*0e6c4d76115e7b8e50833dfa1e3c7dc6424b6c0ad9e18eea7045fea15bdf0218*",".{0,1000}0e6c4d76115e7b8e50833dfa1e3c7dc6424b6c0ad9e18eea7045fea15bdf0218.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21708" "*0e7eb9d663478b8e6567d14c86a08b41e179a6ff7af69f44d343a05aa5082c23*",".{0,1000}0e7eb9d663478b8e6567d14c86a08b41e179a6ff7af69f44d343a05aa5082c23.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21713" "*0e8ddd8fb30e6bddc6204052e06957a39a85536f5cb89e1c813d9eff3d3977cf*",".{0,1000}0e8ddd8fb30e6bddc6204052e06957a39a85536f5cb89e1c813d9eff3d3977cf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21716" "*0e8f1915a1e2b1b2d37b11e831e49fb5f5fc2a14eea086f7ea5a1e4112095728*",".{0,1000}0e8f1915a1e2b1b2d37b11e831e49fb5f5fc2a14eea086f7ea5a1e4112095728.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21719" "*0e95898310ad782ee54b42098c6b43b7c3e3b58a44e7f841d6533e441f011164*",".{0,1000}0e95898310ad782ee54b42098c6b43b7c3e3b58a44e7f841d6533e441f011164.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21721" "*0e9acc45b0cca73003b640425e8722b9806c2871f4f8c8fcd043e097fccb70c6*",".{0,1000}0e9acc45b0cca73003b640425e8722b9806c2871f4f8c8fcd043e097fccb70c6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - 
BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21722" "*0ea531910d6893607e435bc0bc6746b10d2f61a1da0f2d59e67854f2ff2d4e15*",".{0,1000}0ea531910d6893607e435bc0bc6746b10d2f61a1da0f2d59e67854f2ff2d4e15.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","21724" "*0eaa8e2763861316fdb41ba45636dbb78c1593714a0ed480573ff7efc5b34b7a*",".{0,1000}0eaa8e2763861316fdb41ba45636dbb78c1593714a0ed480573ff7efc5b34b7a.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","21726" "*0ebaf56b7fe452a53e760b44bfa69331bb6b03dda5b538b69a5b8642e12a8b41*",".{0,1000}0ebaf56b7fe452a53e760b44bfa69331bb6b03dda5b538b69a5b8642e12a8b41.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21728" 
"*0ec73349570f7d8546b9ddfd6b0b409cd622abc133be641bb2a414a2d2b9a21e*",".{0,1000}0ec73349570f7d8546b9ddfd6b0b409cd622abc133be641bb2a414a2d2b9a21e.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","21731" "*0ed16e6b3d19d4e2c709a9fe09445939bc184499c020eebc07eee27becffb6d9*",".{0,1000}0ed16e6b3d19d4e2c709a9fe09445939bc184499c020eebc07eee27becffb6d9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21733" "*0ed1b55766d583abf21381c9af62cc7cd3f311f22f0773dfe77d8e49b14c2e67*",".{0,1000}0ed1b55766d583abf21381c9af62cc7cd3f311f22f0773dfe77d8e49b14c2e67.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21734"
"*0ed2b004423a9c389f8a3bb107677d8cf79cb2f35e3eab6ef87e205dda44934e*",".{0,1000}0ed2b004423a9c389f8a3bb107677d8cf79cb2f35e3eab6ef87e205dda44934e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21735" "*0efb7bcf56f438180692206231d7119baf1696a927a64097ff0e4fdeb2d7b68a*",".{0,1000}0efb7bcf56f438180692206231d7119baf1696a927a64097ff0e4fdeb2d7b68a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21746" "*0f03b1686c53f818f1688e4f39c2856c1407446db1a13d1791e500ce90db5dbe*",".{0,1000}0f03b1686c53f818f1688e4f39c2856c1407446db1a13d1791e500ce90db5dbe.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","21750" 
"*0f0c16e48d436603eff91f1a31043abb24df99f91a26ff8e73577d45b1152de5*",".{0,1000}0f0c16e48d436603eff91f1a31043abb24df99f91a26ff8e73577d45b1152de5.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","21753" "*0f191947663cea1863ae366c895dead2e7a769acfd60bc22121a1d4866b821f9*",".{0,1000}0f191947663cea1863ae366c895dead2e7a769acfd60bc22121a1d4866b821f9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21754" "*0f1ccf4c5e7eada818bafad12e911a4d122a8329f7287ea0e4903ee1398e72f9*",".{0,1000}0f1ccf4c5e7eada818bafad12e911a4d122a8329f7287ea0e4903ee1398e72f9.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","21755" "*0f29be687222d2931d67956a4f7bb2bea4427c8529f86dda4125fa936d380430*",".{0,1000}0f29be687222d2931d67956a4f7bb2bea4427c8529f86dda4125fa936d380430.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - 
Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21757" "*0f37caadfbf7eb1c8d7462487deec3080ca824c06ab1cef3a17ee803f80e0b96*",".{0,1000}0f37caadfbf7eb1c8d7462487deec3080ca824c06ab1cef3a17ee803f80e0b96.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21761" "*0f3a3f091d06f67f44077711477c0908a957f161d178d9ad8942fee864ed7a29*",".{0,1000}0f3a3f091d06f67f44077711477c0908a957f161d178d9ad8942fee864ed7a29.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","21762" "*0f49299cf3e23fa2b1c5f0f1869a8982cdde2613742508d81a901a4e52ef37fa*",".{0,1000}0f49299cf3e23fa2b1c5f0f1869a8982cdde2613742508d81a901a4e52ef37fa.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21764" "*0f4a2777e75f93aae097b180bc701ebd3d646bc0870e35c57a6b1ff26e93c16d*",".{0,1000}0f4a2777e75f93aae097b180bc701ebd3d646bc0870e35c57a6b1ff26e93c16d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - 
T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21765" "*0f5947f5dbd2543c49853451d6d0deb64b04796e4c61327a1b5aa1c295b2a861*",".{0,1000}0f5947f5dbd2543c49853451d6d0deb64b04796e4c61327a1b5aa1c295b2a861.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","21770" "*0f5c329fa1e4abd3d1d2fbbd493d0dcf419bc33e1aa809ed55500481ed2ebe65*",".{0,1000}0f5c329fa1e4abd3d1d2fbbd493d0dcf419bc33e1aa809ed55500481ed2ebe65.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","21771" "*0f620bc9e35e86b8a8ba5ce522f2ff3093f825b8d96057b7c54e52f9241002c7*",".{0,1000}0f620bc9e35e86b8a8ba5ce522f2ff3093f825b8d96057b7c54e52f9241002c7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21773" "*0f7acf26d92d39a2e3965ee91bf60e7c331844a1d7e81078ede526cf0459eccd*",".{0,1000}0f7acf26d92d39a2e3965ee91bf60e7c331844a1d7e81078ede526cf0459eccd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21781" "*0f7e030eec92ad940dbdafa3806a0140d7589219d7de05301e8cf622e63683df*",".{0,1000}0f7e030eec92ad940dbdafa3806a0140d7589219d7de05301e8cf622e63683df.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21783" "*0f81061930562b42e7e7a4d62075cf9a72fd34e174a819cf04f115ee238abb10*",".{0,1000}0f81061930562b42e7e7a4d62075cf9a72fd34e174a819cf04f115ee238abb10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21784" "*0f99b8c3d94d5252864d53bdba47a9f8ec6c710dbbcaf1070b4467822773d14a*",".{0,1000}0f99b8c3d94d5252864d53bdba47a9f8ec6c710dbbcaf1070b4467822773d14a.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","21792" "*0f9b9069dc8cd735cf928fd5ddb184602fadd5bd033a52cb089102eed6ad11fe*",".{0,1000}0f9b9069dc8cd735cf928fd5ddb184602fadd5bd033a52cb089102eed6ad11fe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21794" "*0faad61745a8c559756165ec4bf749c7ee334b815b750dbdc671af2283805739*",".{0,1000}0faad61745a8c559756165ec4bf749c7ee334b815b750dbdc671af2283805739.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","21799" "*0fbabd9468d07f89402193268bb3c1bfcc9c216f389e66cbc6eb75f3ef2a6dd9*",".{0,1000}0fbabd9468d07f89402193268bb3c1bfcc9c216f389e66cbc6eb75f3ef2a6dd9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21801" "*0fbcaa65ada37326741259d2ebc96d52e61d38cd6c28823194f2ffb4bf906ebe*",".{0,1000}0fbcaa65ada37326741259d2ebc96d52e61d38cd6c28823194f2ffb4bf906ebe.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","21802" "*0fc75aed0d84a67a75a937e4543fe2c324dc2e4422ea8d0431ec63ac15cbde16*",".{0,1000}0fc75aed0d84a67a75a937e4543fe2c324dc2e4422ea8d0431ec63ac15cbde16.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for 
data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21803" "*0fc8c8a3c45bf30f1f09ae9c74e8986c367958d81ba2001c23ee536ca0227fbe*",".{0,1000}0fc8c8a3c45bf30f1f09ae9c74e8986c367958d81ba2001c23ee536ca0227fbe.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","21805" "*0fd011fb817fa36fe8735e3d97df523970d9be4f56f0848840f737b63ba37fbf*",".{0,1000}0fd011fb817fa36fe8735e3d97df523970d9be4f56f0848840f737b63ba37fbf.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21810" "*0fd4612b5f3adcd0d1a9afbcda38955ed3ce0e4eff1a7afdec9953700926c29e*",".{0,1000}0fd4612b5f3adcd0d1a9afbcda38955ed3ce0e4eff1a7afdec9953700926c29e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21813" "*0fdf8c16ffc44fe0006ac5e07721c17a7995c0bcdb4309d3d66697a8f153b402*",".{0,1000}0fdf8c16ffc44fe0006ac5e07721c17a7995c0bcdb4309d3d66697a8f153b402.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21817" "*0fe131b5d680b328dd8c3286d6c300b0bd606373d3a2de0e6ebec613528bf65d*",".{0,1000}0fe131b5d680b328dd8c3286d6c300b0bd606373d3a2de0e6ebec613528bf65d.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","21819" "*0fe453cd91e364eeb456c71a42ab778a4271aa7791ef40be4e5de05452acf5b6*",".{0,1000}0fe453cd91e364eeb456c71a42ab778a4271aa7791ef40be4e5de05452acf5b6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21820" "*0fe72859862cb5963a34b413d7b73fe370cb77f72ca673146ce56c21bae25be1*",".{0,1000}0fe72859862cb5963a34b413d7b73fe370cb77f72ca673146ce56c21bae25be1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21821" "*0ffa09304c7f2966f94a1acc5848c0adfa1cdf70525ec51f52722af4624572c3*",".{0,1000}0ffa09304c7f2966f94a1acc5848c0adfa1cdf70525ec51f52722af4624572c3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21824" "*0tZG9uYXRlLWxldmVsP*",".{0,1000}0tZG9uYXRlLWxldmVsP.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","21825" "*10168a998e30a4f0d0d175f1aa2d5a533df3d69cf206f04f7d2686afdbe0949f*",".{0,1000}10168a998e30a4f0d0d175f1aa2d5a533df3d69cf206f04f7d2686afdbe0949f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21875" "*102c6bc06ee275f6d3fb46d3d48e71b92abf2b7451e682749cbcae61e4791e05*",".{0,1000}102c6bc06ee275f6d3fb46d3d48e71b92abf2b7451e682749cbcae61e4791e05.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21883" "*10562b3a636cb93258959e76fa52708108f65e58287e909f4c041839df5863bd*",".{0,1000}10562b3a636cb93258959e76fa52708108f65e58287e909f4c041839df5863bd.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","21887" "*105f91daac5c39d8c5b89bb267423d7597733bb48492ff97d2d2099a48853184*",".{0,1000}105f91daac5c39d8c5b89bb267423d7597733bb48492ff97d2d2099a48853184.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21889" "*10667fa9b2ff274ad3ad30e8747278bf55a1ff2b47db7fe43216e5f77c15ed3d*",".{0,1000}10667fa9b2ff274ad3ad30e8747278bf55a1ff2b47db7fe43216e5f77c15ed3d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21890" 
"*106be837e5aca74895a290d85bbcf90f95e4613f41de7d28f9fc834d8f34afad*",".{0,1000}106be837e5aca74895a290d85bbcf90f95e4613f41de7d28f9fc834d8f34afad.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","21891" "*1078cdf24990c103ac9a35c7081bfdf4ea6d0d62d6c9b1a5624a6ab9c6fcb07b*",".{0,1000}1078cdf24990c103ac9a35c7081bfdf4ea6d0d62d6c9b1a5624a6ab9c6fcb07b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","21895" "*1079079045b66cde89827c0129aff180ad2d67fda71415164a2a3e98f37c40e7*",".{0,1000}1079079045b66cde89827c0129aff180ad2d67fda71415164a2a3e98f37c40e7.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","21896" "*107fd4550d60e934e88f65b15a00c8eca224f279ed593288d5ad9743ef7f35a4*",".{0,1000}107fd4550d60e934e88f65b15a00c8eca224f279ed593288d5ad9743ef7f35a4.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","21898" 
"*1084631215170fc83b2de13f156a3b0e2ea02f2a0955fc94d3c6c5015391922c*",".{0,1000}1084631215170fc83b2de13f156a3b0e2ea02f2a0955fc94d3c6c5015391922c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21902" "*10a63c922b6d9bec0f3b7a8d755a01b815d81556eb93f2526db0b5a36c597d6e*",".{0,1000}10a63c922b6d9bec0f3b7a8d755a01b815d81556eb93f2526db0b5a36c597d6e.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","21906" "*10b33c026f0c5ae6c12196b492174463be574733e66c68e952e30512739659a8*",".{0,1000}10b33c026f0c5ae6c12196b492174463be574733e66c68e952e30512739659a8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21908" 
"*10b3f5491e54c82b421980e848542f8f589ad6635f83fb2d89d9996cb37ac9c7*",".{0,1000}10b3f5491e54c82b421980e848542f8f589ad6635f83fb2d89d9996cb37ac9c7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21910" "*10c668ffc2f613fc32e20b2ecb7fcf7f2fe26e7cbfdd8882daa3387819a1f83b*",".{0,1000}10c668ffc2f613fc32e20b2ecb7fcf7f2fe26e7cbfdd8882daa3387819a1f83b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21913" "*10d4bd7d47330656a50ba2557cd66ed93ea8a0010ef366f34b1a5e20e159297b*",".{0,1000}10d4bd7d47330656a50ba2557cd66ed93ea8a0010ef366f34b1a5e20e159297b.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","21917" "*110ec720cf51d05c3a07ee73534f4c949644920a4760f1ceb8fc09e80172aaf0*",".{0,1000}110ec720cf51d05c3a07ee73534f4c949644920a4760f1ceb8fc09e80172aaf0.{0,1000}","greyware_tool_keyword","gost","GO 
Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","21941" "*1130109b30396301e05aba1303f6c5d27d6e35e033905469f45fb1102cab5c4f*",".{0,1000}1130109b30396301e05aba1303f6c5d27d6e35e033905469f45fb1102cab5c4f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21950" "*11371b2437f1da7425cc3a902c748eb52b799251c1100560fa96544f05a2ba02*",".{0,1000}11371b2437f1da7425cc3a902c748eb52b799251c1100560fa96544f05a2ba02.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21953" "*113d243a2931e1b1b610181229a9e52d3ebd47fde7b5c2f286b8d54aed09efba*",".{0,1000}113d243a2931e1b1b610181229a9e52d3ebd47fde7b5c2f286b8d54aed09efba.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21956" 
"*113f78974c687c8bc7ba3ae62843a9fdb1d767c85fbbda7779e7199b5a560100*",".{0,1000}113f78974c687c8bc7ba3ae62843a9fdb1d767c85fbbda7779e7199b5a560100.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","21957" "*115426ae1c906030d369a2d7f37ccdbc059869f709add60b6a8177a8100e7b61*",".{0,1000}115426ae1c906030d369a2d7f37ccdbc059869f709add60b6a8177a8100e7b61.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","21963" "*116fae615a600632bd007ea8608b2c814c55a02324f9b8cdd75e63e2b71d53ba*",".{0,1000}116fae615a600632bd007ea8608b2c814c55a02324f9b8cdd75e63e2b71d53ba.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","21968" "*117b99441024607d6043e274c7fcbed64d07ad87347d17dd0a717bdc1c59716b*",".{0,1000}117b99441024607d6043e274c7fcbed64d07ad87347d17dd0a717bdc1c59716b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21970" "*117f100788386f0206029be0e673750057f28fa0b3a36f5c56e12398e68b999d*",".{0,1000}117f100788386f0206029be0e673750057f28fa0b3a36f5c56e12398e68b999d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21971" "*11a7c6e09cebb1a12cf18f43562ead367a7f527fbdea3a075422e48ecabd9e31*",".{0,1000}11a7c6e09cebb1a12cf18f43562ead367a7f527fbdea3a075422e48ecabd9e31.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","21981" "*11b9976846f11e0d163abe45ab025ef7b26ce86a94dda613bfd8e4b51eb63bb6*",".{0,1000}11b9976846f11e0d163abe45ab025ef7b26ce86a94dda613bfd8e4b51eb63bb6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21985" "*11bf38a2bdb74cf7c4a2309e0b7ae8da28b7821899dae8fd3cf3cca8b2894798*",".{0,1000}11bf38a2bdb74cf7c4a2309e0b7ae8da28b7821899dae8fd3cf3cca8b2894798.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","21986" "*11c11bef98644223da8b9e1242b046e58a04a844b6c6a6fb88b7818f296ecdb3*",".{0,1000}11c11bef98644223da8b9e1242b046e58a04a844b6c6a6fb88b7818f296ecdb3.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","21987" "*11d6ee35ec73058dae73d31d9cd17fe79661090abeb034ec6e13e3c69a4e7088*",".{0,1000}11d6ee35ec73058dae73d31d9cd17fe79661090abeb034ec6e13e3c69a4e7088.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","21993" 
"*11f2af35bdaa799a38a180a1b73083d68843cf731ecea118a33597a14289589e*",".{0,1000}11f2af35bdaa799a38a180a1b73083d68843cf731ecea118a33597a14289589e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","21999" "*11f4b926e60a9000a88173e03113b7ddc3e483d0b49eef4ecd3643fc374d9e02*",".{0,1000}11f4b926e60a9000a88173e03113b7ddc3e483d0b49eef4ecd3643fc374d9e02.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22000" "*11f6bee5589f447de6fa74890630deb8fc33cae47fdf31907b705a05a27e39b5*",".{0,1000}11f6bee5589f447de6fa74890630deb8fc33cae47fdf31907b705a05a27e39b5.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","22003" 
"*120dca6c0da5706f7868b653f74eedac4e218b3d155a1963d66302d9eb363511*",".{0,1000}120dca6c0da5706f7868b653f74eedac4e218b3d155a1963d66302d9eb363511.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22009" "*120fdd11d2b0a7c94663024af9b13e8c0b557f9c0e1efbc1cb85fa2122552c7c*",".{0,1000}120fdd11d2b0a7c94663024af9b13e8c0b557f9c0e1efbc1cb85fa2122552c7c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22012" "*121559209213c1de5bccd241092888985985c6992122e59d1ef053b89d5b9c99*",".{0,1000}121559209213c1de5bccd241092888985985c6992122e59d1ef053b89d5b9c99.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","22014" "*1219aed961e396fb1be1c2a86218cc72de87bcc4461f22f9d87cd1fccf7fc30c*",".{0,1000}1219aed961e396fb1be1c2a86218cc72de87bcc4461f22f9d87cd1fccf7fc30c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22015" 
"*1222d5ac68ab90dfcb14e3c2e2258d695de12b27d3aadbbd94aa85a3a85d4701*",".{0,1000}1222d5ac68ab90dfcb14e3c2e2258d695de12b27d3aadbbd94aa85a3a85d4701.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22019" "*1232372059db3ecf28cc2609a36b7f20cef2dfe0618770e3ebaa9488bc7fc2de*",".{0,1000}1232372059db3ecf28cc2609a36b7f20cef2dfe0618770e3ebaa9488bc7fc2de.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","22022" "*12324526e79390f63e86cb9b7cebd7029d8da32fc2f73f2486517d0b451da60f*",".{0,1000}12324526e79390f63e86cb9b7cebd7029d8da32fc2f73f2486517d0b451da60f.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","22023" "*124438413ba085530b9a0ec928dbcec411a401e0127940bd8d439072e054e2d2*",".{0,1000}124438413ba085530b9a0ec928dbcec411a401e0127940bd8d439072e054e2d2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22025" 
"*125344e96627208ed84121e1d5244eb4f4b58b6606a51aa0c39282866da8cf5d*",".{0,1000}125344e96627208ed84121e1d5244eb4f4b58b6606a51aa0c39282866da8cf5d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22029" "*125f87d334addd8ec7dacaf2a321a9f1c9a8b31c8a673d2d02808162cd67f997*",".{0,1000}125f87d334addd8ec7dacaf2a321a9f1c9a8b31c8a673d2d02808162cd67f997.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22036" "*127ec181a70d665e539d93b8e4a014ce099faf64f0eb790a85158cd5a1349bfd*",".{0,1000}127ec181a70d665e539d93b8e4a014ce099faf64f0eb790a85158cd5a1349bfd.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","22061" "*128C450F-C8B3-403A-9D0C-E5AD6B7F566F*",".{0,1000}128C450F\-C8B3\-403A\-9D0C\-E5AD6B7F566F.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#GUIDproject","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","22065" "*128s3proxy.key""*",".{0,1000}128s3proxy\.key\"".{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - 
TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","22067" "*1296cb071a8524b29efc2c955fe2bffb4eaf545823e4dad698fb70344fc48074*",".{0,1000}1296cb071a8524b29efc2c955fe2bffb4eaf545823e4dad698fb70344fc48074.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22070" "*129d330d0ea1eb53e6959402edab063c51f751e01ae6cc4fd393f1a3b935707e*",".{0,1000}129d330d0ea1eb53e6959402edab063c51f751e01ae6cc4fd393f1a3b935707e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22072" "*12c0c757025ddf299749414fd1bd94b49efe4d38993216cd3b315bffb66618ff*",".{0,1000}12c0c757025ddf299749414fd1bd94b49efe4d38993216cd3b315bffb66618ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22078" "*12d51bd60e658ef48f066fb5c872382fe0ad60a7665985e25895651c78019d2d*",".{0,1000}12d51bd60e658ef48f066fb5c872382fe0ad60a7665985e25895651c78019d2d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22082" "*12d9cf76e82ea590777ee552a9ff96a10b6304df20b141bb2dc7bdf054be8402*",".{0,1000}12d9cf76e82ea590777ee552a9ff96a10b6304df20b141bb2dc7bdf054be8402.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","22084" "*12dfd415b34bf14102ed74b792e72b38339a504327a72b598369983da3703b54*",".{0,1000}12dfd415b34bf14102ed74b792e72b38339a504327a72b598369983da3703b54.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22090" "*1305c913ac3684d02ce2bade0a23a2115c1ec03c9447d1562bb6cd9fa2573412*",".{0,1000}1305c913ac3684d02ce2bade0a23a2115c1ec03c9447d1562bb6cd9fa2573412.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22098" "*1306f44ac242dd1382032f05a8f2ebf813cb71e0d8224e56455fbdb8cee02d81*",".{0,1000}1306f44ac242dd1382032f05a8f2ebf813cb71e0d8224e56455fbdb8cee02d81.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22099" "*13102618f84a2efa07a90733d9bae72e48b897c29f4df4b38bdacebb99517e52*",".{0,1000}13102618f84a2efa07a90733d9bae72e48b897c29f4df4b38bdacebb99517e52.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22102" 
"*13141ae2c7cfeea1ffe619f76b569d4c52204298daf5b986ffd4693534581b1e*",".{0,1000}13141ae2c7cfeea1ffe619f76b569d4c52204298daf5b986ffd4693534581b1e.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","22106" "*1320fcd96e4908f3c2ee0e86b30b5c6da22a755a29c3dd4392027b00e4ef66c7*",".{0,1000}1320fcd96e4908f3c2ee0e86b30b5c6da22a755a29c3dd4392027b00e4ef66c7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22110" "*1350cbc251898cdd6fc09f6ac24ff69b68ddb95ea71379dee9f598a62b484430*",".{0,1000}1350cbc251898cdd6fc09f6ac24ff69b68ddb95ea71379dee9f598a62b484430.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","22122" "*1350db767085df3a6e2a907be36a0940d16c25f8c6ac8bd64ff745de479a184b*",".{0,1000}1350db767085df3a6e2a907be36a0940d16c25f8c6ac8bd64ff745de479a184b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - 
Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22123" "*1359a52268613c5ffa6bef0a7030aad1cf409dba348b6b4fa3ab8d9a97d275ac*",".{0,1000}1359a52268613c5ffa6bef0a7030aad1cf409dba348b6b4fa3ab8d9a97d275ac.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22125" "*135a4a0965cb58eafb07941f2013a82282c44c28fea9595587778e969d9ed035*",".{0,1000}135a4a0965cb58eafb07941f2013a82282c44c28fea9595587778e969d9ed035.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22126" "*136759cb34240eab13e8251300ad1ebcf5e3d3f9c1f4fdd0ad01e71747f81431*",".{0,1000}136759cb34240eab13e8251300ad1ebcf5e3d3f9c1f4fdd0ad01e71747f81431.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER 
BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","22129" "*136cc6be28c798b2493875f498b5956a876c24cdbd028773aa9194c8bd846442*",".{0,1000}136cc6be28c798b2493875f498b5956a876c24cdbd028773aa9194c8bd846442.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22132" "*13715a317d2d54c63f13951e7542a9d1809c8c2f9932a207cabeb26814f6817d*",".{0,1000}13715a317d2d54c63f13951e7542a9d1809c8c2f9932a207cabeb26814f6817d.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22133" "*137fc29ed639a8b44b3056598d1c85505650b5ad3a4a4e392b084ee7345e58b7*",".{0,1000}137fc29ed639a8b44b3056598d1c85505650b5ad3a4a4e392b084ee7345e58b7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22137" "*138277b4b2fb7da83f007207bec5df288dbc57ebff80d99c4a2d57eccc950bb9*",".{0,1000}138277b4b2fb7da83f007207bec5df288dbc57ebff80d99c4a2d57eccc950bb9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22139" "*1385144a41372d190eaf788b27372cc2bb258776722138c8ab3f1936e3bf051b*",".{0,1000}1385144a41372d190eaf788b27372cc2bb258776722138c8ab3f1936e3bf051b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22140" "*1386e1efbcc9585fdc22c8a1f453b7da8b0f97b1a0e339cef1d26753bc368096*",".{0,1000}1386e1efbcc9585fdc22c8a1f453b7da8b0f97b1a0e339cef1d26753bc368096.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22141" "*1394d11f5a08542c3c47154553889be9562e080169c621f94be73318bdbe7a91*",".{0,1000}1394d11f5a08542c3c47154553889be9562e080169c621f94be73318bdbe7a91.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22144" 
"*13ac5e018ec166c098c2d67635068ad1b18247aaf02a8537532f52b4fda2dd29*",".{0,1000}13ac5e018ec166c098c2d67635068ad1b18247aaf02a8537532f52b4fda2dd29.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22149" "*13b6443f4e1f03bc7c37fe9d260435886ad80ee292c0a3b5b9cdeb763576e31b*",".{0,1000}13b6443f4e1f03bc7c37fe9d260435886ad80ee292c0a3b5b9cdeb763576e31b.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#filehash","N/A","9","10","N/A","N/A","N/A","N/A","22151" "*13b8b9d0846722d6f86e90e60e618a4cd73351eeae67908652df3186c13c55d4*",".{0,1000}13b8b9d0846722d6f86e90e60e618a4cd73351eeae67908652df3186c13c55d4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22152" 
"*13dc14feae0ebb2947f49a047754133869fcefe72931f156232d109bc7fc9e03*",".{0,1000}13dc14feae0ebb2947f49a047754133869fcefe72931f156232d109bc7fc9e03.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22163" "*13de4e11ab51c7e630cb81920676b8e794c9ae2baa4b423101868a76a30aa169*",".{0,1000}13de4e11ab51c7e630cb81920676b8e794c9ae2baa4b423101868a76a30aa169.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22164" "*13e4fcf1d335db1bc87cc27d18d7eb8dabff3d7dae643313873c3cf667684241*",".{0,1000}13e4fcf1d335db1bc87cc27d18d7eb8dabff3d7dae643313873c3cf667684241.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22166" "*13f227bc915c43961e1f3831f155c6934e7d5a65434af3b29bf494b1d5d276b7*",".{0,1000}13f227bc915c43961e1f3831f155c6934e7d5a65434af3b29bf494b1d5d276b7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22170" "*13ffdd811a70e1474270b90a0368534c97e2eb01b5039f4e53d2ca942c34be10*",".{0,1000}13ffdd811a70e1474270b90a0368534c97e2eb01b5039f4e53d2ca942c34be10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22173" "*140fc748db03438c09c3fe5def7e4ef2b273462d567a851addc97728fc8a2fcd*",".{0,1000}140fc748db03438c09c3fe5def7e4ef2b273462d567a851addc97728fc8a2fcd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22176" 
"*1411f74ca4f05e63963448b9d0c972e16cbf98ba81864e1c04de0492ebd0c6fa*",".{0,1000}1411f74ca4f05e63963448b9d0c972e16cbf98ba81864e1c04de0492ebd0c6fa.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22177" "*1429e62855ce5572b735fe0460ffa6a8f26d56199a8e166152252c7bd659d275*",".{0,1000}1429e62855ce5572b735fe0460ffa6a8f26d56199a8e166152252c7bd659d275.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","22181" "*1433542e6c771cd59c491558e482ebbc7d40bbaf86190379bb4236067b21d805*",".{0,1000}1433542e6c771cd59c491558e482ebbc7d40bbaf86190379bb4236067b21d805.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","22185" "*14586f0477d31640096bf4749480b78c6a6c3afde3527bcc64e9d5f70d9e93ac*",".{0,1000}14586f0477d31640096bf4749480b78c6a6c3afde3527bcc64e9d5f70d9e93ac.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#filehash","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","22191" 
"*145a01e3fe92a42233064c7592d0df8580867712707192325f483208852869cf*",".{0,1000}145a01e3fe92a42233064c7592d0df8580867712707192325f483208852869cf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22192" "*146a734ad8082ac508f0a82c7655f3bfe205f5f19f6c57cbd46ad24ef5b24404*",".{0,1000}146a734ad8082ac508f0a82c7655f3bfe205f5f19f6c57cbd46ad24ef5b24404.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22196" "*147175a6ba1a48e6516ea2d7250b137d42d959d2b45d1f08ae9511a3259d8b6f*",".{0,1000}147175a6ba1a48e6516ea2d7250b137d42d959d2b45d1f08ae9511a3259d8b6f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22199" "*147ab64f6c235bdd044d2d50c1867778ff961c4e7d9041683dd6ee4f7641121b*",".{0,1000}147ab64f6c235bdd044d2d50c1867778ff961c4e7d9041683dd6ee4f7641121b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22202" "*1489daf3d466bd60c6b175e66bb567396b95e269bedaa42c4516392c49028f06*",".{0,1000}1489daf3d466bd60c6b175e66bb567396b95e269bedaa42c4516392c49028f06.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","22204" "*149ca8b9b2f375a73adf0ae4739f7ab0c83477202c5875ef7f3e2716a087d2ee*",".{0,1000}149ca8b9b2f375a73adf0ae4739f7ab0c83477202c5875ef7f3e2716a087d2ee.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22208" "*14a8b1ff0297c5f7c06c6ab36a257140c2f3d33e8c15a28e790d5039a29c00a7*",".{0,1000}14a8b1ff0297c5f7c06c6ab36a257140c2f3d33e8c15a28e790d5039a29c00a7.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","22212" "*14ac418b893997f60d07f0b2ce81ac979ec6ba849664de462cef5c6c720e93f3*",".{0,1000}14ac418b893997f60d07f0b2ce81ac979ec6ba849664de462cef5c6c720e93f3.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","22213" "*14b0160138b97e9183e570c542a566bcb68d815dc92761a9d31679a51626433f*",".{0,1000}14b0160138b97e9183e570c542a566bcb68d815dc92761a9d31679a51626433f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22214" "*14c0b30920226f407724fd3461be0d1988d7df86c453b3bc982fdbec16ac91ab*",".{0,1000}14c0b30920226f407724fd3461be0d1988d7df86c453b3bc982fdbec16ac91ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22216" "*14c15801f53f57f5fa279950adace42b8b8bed4c4f2d790d1e73bb71659a9de9*",".{0,1000}14c15801f53f57f5fa279950adace42b8b8bed4c4f2d790d1e73bb71659a9de9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22217" "*14c37cbee05947b2c67fe8064c132652b363c8b0d72fa401ddaf93efdc9538e3*",".{0,1000}14c37cbee05947b2c67fe8064c132652b363c8b0d72fa401ddaf93efdc9538e3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22218" "*14CA405B-8BAC-48AB-9FBA-8FB5DF88FD0D*",".{0,1000}14CA405B\-8BAC\-48AB\-9FBA\-8FB5DF88FD0D.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#GUIDproject","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","22220" "*14cb4039e1416fce558039dc2548cf185ae6e695479440d711992b238da6ef14*",".{0,1000}14cb4039e1416fce558039dc2548cf185ae6e695479440d711992b238da6ef14.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22222" "*14d18d34c262664246cc1eb46dfe1159fce9b5d0b14d6ba013f08d1d55a6eeb6*",".{0,1000}14d18d34c262664246cc1eb46dfe1159fce9b5d0b14d6ba013f08d1d55a6eeb6.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","22225" "*14d29e0f977fb74a925c9c2cab1ef3ed34eb6b35345b0af1645a64f6b85040f8*",".{0,1000}14d29e0f977fb74a925c9c2cab1ef3ed34eb6b35345b0af1645a64f6b85040f8.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","22226" "*14e2341ca927541a8d4bc545766f9bb8e1f7b79c15f1ea83836572e82b658c13*",".{0,1000}14e2341ca927541a8d4bc545766f9bb8e1f7b79c15f1ea83836572e82b658c13.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22229" "*14e7065f629b384425308287023f0bd181c464ea522109846c2d7db26ad29608*",".{0,1000}14e7065f629b384425308287023f0bd181c464ea522109846c2d7db26ad29608.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22231" "*14ebe6f781314c1d68eecca437483e92b621ca69f8859a652d73a94dd0a93018*",".{0,1000}14ebe6f781314c1d68eecca437483e92b621ca69f8859a652d73a94dd0a93018.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22233" "*14f0840dbabc554d43cf3021e04f7b11c7285bd85ee13dfb9d59c0a942bcd515*",".{0,1000}14f0840dbabc554d43cf3021e04f7b11c7285bd85ee13dfb9d59c0a942bcd515.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","22235" "*14f965c710f3a4a5d830c723f26867420e1c60acab48678eb82c9a3b68ea1554*",".{0,1000}14f965c710f3a4a5d830c723f26867420e1c60acab48678eb82c9a3b68ea1554.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22237" "*1508bf7cb951181238f77370466220239404cd475472081c8059eb3d74e668cb*",".{0,1000}1508bf7cb951181238f77370466220239404cd475472081c8059eb3d74e668cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22242" "*151e41e5d547de46a4557bef41a35790951a7926646c7d35d1ed1ef7f9961964*",".{0,1000}151e41e5d547de46a4557bef41a35790951a7926646c7d35d1ed1ef7f9961964.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22244" "*15229ecd98cf8496d02e8a4918a27099d2e8202e559e5d2e3e92b4cdc4bcc5ec*",".{0,1000}15229ecd98cf8496d02e8a4918a27099d2e8202e559e5d2e3e92b4cdc4bcc5ec.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22245" "*1526e61423a885f9c11c2479c287caddebaed466e4b08fccd9d1ac13b7be775e*",".{0,1000}1526e61423a885f9c11c2479c287caddebaed466e4b08fccd9d1ac13b7be775e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22246" 
"*15285219ad07eaa012de59c3001b67f65fd7382d913fde559219ab1f180d6fcc*",".{0,1000}15285219ad07eaa012de59c3001b67f65fd7382d913fde559219ab1f180d6fcc.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","22249" "*1555e71932fad726781cc977ee8cc22fa7eab9d515255c81c1a711668dde5e6d*",".{0,1000}1555e71932fad726781cc977ee8cc22fa7eab9d515255c81c1a711668dde5e6d.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","22252" "*1556d7d7fe7f2342854a24b05c3eca7e593d7e22021c559118c3fde32950bfd0*",".{0,1000}1556d7d7fe7f2342854a24b05c3eca7e593d7e22021c559118c3fde32950bfd0.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","22253" "*1578e1c16807f4f9c02cf9d284cf774ad4725b55f114dae0778a2f29ff9e2c47*",".{0,1000}1578e1c16807f4f9c02cf9d284cf774ad4725b55f114dae0778a2f29ff9e2c47.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","22260" "*157f7d3b048d686f719fdbfe50ee4bc9676d6443211d13cdf0a49b108f1fd6eb*",".{0,1000}157f7d3b048d686f719fdbfe50ee4bc9676d6443211d13cdf0a49b108f1fd6eb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22261" "*1580dc09833da345f0ae3c8c3fc9da782628f8f6abf06062f9ce0af13e04c27a*",".{0,1000}1580dc09833da345f0ae3c8c3fc9da782628f8f6abf06062f9ce0af13e04c27a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22262" "*159.69.126.209*",".{0,1000}159\.69\.126\.209.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","22267" 
"*1596547091d637278d0801f6ac2a625fa18bce9e74a5b3233b3ffb62357f3af0*",".{0,1000}1596547091d637278d0801f6ac2a625fa18bce9e74a5b3233b3ffb62357f3af0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22269" "*15b24f9b6d402b8f55a96f9deea8cc387513c040030428d9c32dbfb1013d912f*",".{0,1000}15b24f9b6d402b8f55a96f9deea8cc387513c040030428d9c32dbfb1013d912f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22275" "*15bf47f400527b9a4a31edaa121e6111ea6a1dffe68eb83800c6f73074f298bf*",".{0,1000}15bf47f400527b9a4a31edaa121e6111ea6a1dffe68eb83800c6f73074f298bf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22281" "*15c549c4a529d14185633144bd53bffa7d79d84916756cefa267071bf6871cfe*",".{0,1000}15c549c4a529d14185633144bd53bffa7d79d84916756cefa267071bf6871cfe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22282" "*15da50bc2201c1b3a8a7ffd4dbbdac655f2419a8ed47e1aad32ee4308c32d76e*",".{0,1000}15da50bc2201c1b3a8a7ffd4dbbdac655f2419a8ed47e1aad32ee4308c32d76e.{0,1000}","greyware_tool_keyword","pingcastle","Active Directory weakness scanner (vulnerability scanner)","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","22287" "*15f45c7dbae6b09ca503e3c029527d8895f2c8f36501de4975e9c1e1016982f9*",".{0,1000}15f45c7dbae6b09ca503e3c029527d8895f2c8f36501de4975e9c1e1016982f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22289" "*15faf5fb4dcfb25de4ee1d4cf02beee84b1ff88950d9ba53e56e545c6a3dbfc0*",".{0,1000}15faf5fb4dcfb25de4ee1d4cf02beee84b1ff88950d9ba53e56e545c6a3dbfc0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22290" "*16089612f48695d4bb779fc1eb56596d264a54443ba461e8b9c4df9afa7cbcab*",".{0,1000}16089612f48695d4bb779fc1eb56596d264a54443ba461e8b9c4df9afa7cbcab.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","22293" "*160fbd38f7e626afc5f99a239776423629bd4b1e6cb9891c7ecf1a08acae06a4*",".{0,1000}160fbd38f7e626afc5f99a239776423629bd4b1e6cb9891c7ecf1a08acae06a4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22295" 
"*1616dd35a9d247654567642b4202a7b4ad4601b434d3da85671a1558fffbd4b2*",".{0,1000}1616dd35a9d247654567642b4202a7b4ad4601b434d3da85671a1558fffbd4b2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22299" "*1622c597292ef12023346c95182323df859bce8d97582a00b0f96c7740abf5dd*",".{0,1000}1622c597292ef12023346c95182323df859bce8d97582a00b0f96c7740abf5dd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22304" "*162b04e6c89653b10bd38def513051067393d9080afd777210b0ce44f1a7d9fe*",".{0,1000}162b04e6c89653b10bd38def513051067393d9080afd777210b0ce44f1a7d9fe.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support 
only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","22305" "*162f3ad5ad6b7cc9790807ff92eed85d08bd4b2702f5a2e88237c86e7773bc29*",".{0,1000}162f3ad5ad6b7cc9790807ff92eed85d08bd4b2702f5a2e88237c86e7773bc29.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22307" "*1636a30b0c9e7c1a9411d30696df2a2a62666ae30f8cdf14a0f71d3715c897c0*",".{0,1000}1636a30b0c9e7c1a9411d30696df2a2a62666ae30f8cdf14a0f71d3715c897c0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22314" "*1640fb593deccf72c27363463e6001a1ced831f423b00c8687555115f9365bec*",".{0,1000}1640fb593deccf72c27363463e6001a1ced831f423b00c8687555115f9365bec.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehash #filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","22317" 
"*164336ad99e7c933c7f9ae24ce118361292a50cc3508bb0a108860b97e17bc87*",".{0,1000}164336ad99e7c933c7f9ae24ce118361292a50cc3508bb0a108860b97e17bc87.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22319" "*1643e037fc61ff8a14184176044145d17ce1ef2bbf9fc7c2e0d1679853d9ec74*",".{0,1000}1643e037fc61ff8a14184176044145d17ce1ef2bbf9fc7c2e0d1679853d9ec74.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22320" "*1645bf0391156a98ed8cd08cf74a3b53620e85028c332913f8a6b688c20ee1b9*",".{0,1000}1645bf0391156a98ed8cd08cf74a3b53620e85028c332913f8a6b688c20ee1b9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22322" "*16591b2964f18f43e233be8bc1ba3eaf8aad5bc8ea2fb55aab8d01e990da01b6*",".{0,1000}16591b2964f18f43e233be8bc1ba3eaf8aad5bc8ea2fb55aab8d01e990da01b6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22326" "*1665a0292194daca49b91f61498f048d3099193c562c81f60eb311aabec54313*",".{0,1000}1665a0292194daca49b91f61498f048d3099193c562c81f60eb311aabec54313.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22331" "*16689e0739ff392f0240dea50b9f48b720bfac3a26a42adf52729321ee5d1f9c*",".{0,1000}16689e0739ff392f0240dea50b9f48b720bfac3a26a42adf52729321ee5d1f9c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22332" 
"*167a5fd6a1435ef23452aabcc251924144c04fb75cba9d178d3b4eec0a0b89d6*",".{0,1000}167a5fd6a1435ef23452aabcc251924144c04fb75cba9d178d3b4eec0a0b89d6.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22336" "*167d72cbaa49b8c6c54d57ab44ad9e907f4bf9551460574f4231a9dd956c4c32*",".{0,1000}167d72cbaa49b8c6c54d57ab44ad9e907f4bf9551460574f4231a9dd956c4c32.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","22338" "*16813fc81e4ffa28723f54b0d63838e77da5c8e12c13ae73ec949870c440ecfa*",".{0,1000}16813fc81e4ffa28723f54b0d63838e77da5c8e12c13ae73ec949870c440ecfa.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22339" "*16935a0807abc635a6ad76b85b95fe703beaf188e5d3f27404b9e699e87c4f07*",".{0,1000}16935a0807abc635a6ad76b85b95fe703beaf188e5d3f27404b9e699e87c4f07.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22342" "*169fa5bf73c73e2785691de174d40209dfa479430539acbce08eaf24a4cbb0c0*",".{0,1000}169fa5bf73c73e2785691de174d40209dfa479430539acbce08eaf24a4cbb0c0.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","22344" "*16ab17e1d91f55e133cea7ca0fcc38d0105b48e05975d86db76b556057e8ca8b*",".{0,1000}16ab17e1d91f55e133cea7ca0fcc38d0105b48e05975d86db76b556057e8ca8b.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22346" "*16b3e4ecfb6de838ec64b266e762f83e330fd29c1db5aeae46c12d5261cf2544*",".{0,1000}16b3e4ecfb6de838ec64b266e762f83e330fd29c1db5aeae46c12d5261cf2544.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22348" 
"*16bf64d6996f1f1764831eb66fd3c74c038e7a76ad25f9f9d6944c216da74c2c*",".{0,1000}16bf64d6996f1f1764831eb66fd3c74c038e7a76ad25f9f9d6944c216da74c2c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22352" "*16cee34ed7af7175f622197c764fd0c69399bc6dc8b7d891ac76266d077c5415*",".{0,1000}16cee34ed7af7175f622197c764fd0c69399bc6dc8b7d891ac76266d077c5415.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22354" "*16da15648dd1bc0da44d0d6afd435c1a664cfaf9b7bc4ef7eecdd796727e40df*",".{0,1000}16da15648dd1bc0da44d0d6afd435c1a664cfaf9b7bc4ef7eecdd796727e40df.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22357" 
"*16e9fc516f02b513ef7cc51bd1966cd1aad0f625d6f1763645b85f05fd50b840*",".{0,1000}16e9fc516f02b513ef7cc51bd1966cd1aad0f625d6f1763645b85f05fd50b840.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22362" "*16eb3559cff7a2c2f02aef28b81c8677dc1d2c87dbbf81d5dadbec5c84eb3f3c*",".{0,1000}16eb3559cff7a2c2f02aef28b81c8677dc1d2c87dbbf81d5dadbec5c84eb3f3c.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","22363" "*1719136d3545bf0539b4e9c323e90e2389749d7f1eee98803bae39fa318af4f5*",".{0,1000}1719136d3545bf0539b4e9c323e90e2389749d7f1eee98803bae39fa318af4f5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22375" "*17419f33715f3074f54f71fdaf6e732a28da9961b7143de67e7d91dd6e885191*",".{0,1000}17419f33715f3074f54f71fdaf6e732a28da9961b7143de67e7d91dd6e885191.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22386" 
"*174335ec26c20b8351100b7073eefe8d641049df628d4e10aa33cc24018a5836*",".{0,1000}174335ec26c20b8351100b7073eefe8d641049df628d4e10aa33cc24018a5836.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22387" "*175c54eb22bc4eeb089586244b2863d53e14fbe8be999be5574901aa0a726744*",".{0,1000}175c54eb22bc4eeb089586244b2863d53e14fbe8be999be5574901aa0a726744.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","22393" "*176cc43f9796b4b47ad831a03ef5093fbe954caa2a088e136941aea93e0f6a70*",".{0,1000}176cc43f9796b4b47ad831a03ef5093fbe954caa2a088e136941aea93e0f6a70.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22396" "*1770fedc0630c7c0602f9adaa1ef853a44cd8a889bfd0786b7cdc8aa05f61db6*",".{0,1000}1770fedc0630c7c0602f9adaa1ef853a44cd8a889bfd0786b7cdc8aa05f61db6.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself 
as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","22398" "*178f4b8888441e6970682416279fb99a5ffb2844136440becd66a8c62091e435*",".{0,1000}178f4b8888441e6970682416279fb99a5ffb2844136440becd66a8c62091e435.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","22403" "*1792c809507a1b92737bd04b12cabaf28b36e7fc08ae524704317679ddb62844*",".{0,1000}1792c809507a1b92737bd04b12cabaf28b36e7fc08ae524704317679ddb62844.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22405" "*1797c1fffe28c7234cc822eccdc773487499bd62c19bd999095d5eb11aa18b58*",".{0,1000}1797c1fffe28c7234cc822eccdc773487499bd62c19bd999095d5eb11aa18b58.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22407" "*17a9356024d2fa2ae8f327fc5babc10eb859e0c433e768cd03a50dd9c7880601*",".{0,1000}17a9356024d2fa2ae8f327fc5babc10eb859e0c433e768cd03a50dd9c7880601.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://localxpose.io/","1","0","#filehash","N/A","10","1","N/A","N/A","N/A","N/A","22412" "*17c6bc3e9a1d4086f3079f9bc140362f1278b8364777020b9ddddecf5fa7da94*",".{0,1000}17c6bc3e9a1d4086f3079f9bc140362f1278b8364777020b9ddddecf5fa7da94.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22418" "*17db2b8cf5cb903ef0b04dc10dfa5f24fd9ce7ec75674219f322b15d706935eb*",".{0,1000}17db2b8cf5cb903ef0b04dc10dfa5f24fd9ce7ec75674219f322b15d706935eb.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","22421" "*17eaa4e99dafe4b0cd9d250dccb2d2edb1c204922a58da7322926eb4cc2d6a70*",".{0,1000}17eaa4e99dafe4b0cd9d250dccb2d2edb1c204922a58da7322926eb4cc2d6a70.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22422" "*17fa4fd9db3006f9aa649b0160770ebb9e9b8a599f6fb5afce83a16a7cb41bdd*",".{0,1000}17fa4fd9db3006f9aa649b0160770ebb9e9b8a599f6fb5afce83a16a7cb41bdd.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - 
FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","22425" "*17fd691675f7b9dcfe22195f729177613116448c4b5173e5f035bb4a3f67a361*",".{0,1000}17fd691675f7b9dcfe22195f729177613116448c4b5173e5f035bb4a3f67a361.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22429" "*1815747d94340ba15a0443856675aa23d778c743a9cb8478b0025a40ab5add68*",".{0,1000}1815747d94340ba15a0443856675aa23d778c743a9cb8478b0025a40ab5add68.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22433" "*182d8cd3ed748f2fd1e1d5195eb56e6b4c12cd27241f47ccb965cd657bcf4c07*",".{0,1000}182d8cd3ed748f2fd1e1d5195eb56e6b4c12cd27241f47ccb965cd657bcf4c07.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","22439" "*1837335417e0bfa4c1caf7ce94047e1ba8020983c246b25679dc5efced9dae75*",".{0,1000}1837335417e0bfa4c1caf7ce94047e1ba8020983c246b25679dc5efced9dae75.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22443" "*183ee0c672409cdd8b421f31e2b81753a4713bee962e1edf97f1455cda97173d*",".{0,1000}183ee0c672409cdd8b421f31e2b81753a4713bee962e1edf97f1455cda97173d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22445" "*1844a00b5e416fcbb18be60e8519a594ebfb773a930bd1c819397fd22b2616f0*",".{0,1000}1844a00b5e416fcbb18be60e8519a594ebfb773a930bd1c819397fd22b2616f0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22447" "*184669dc9168ac60ebc0afc08ca54473d9e6de933b731cb914f5d4ad836516c4*",".{0,1000}184669dc9168ac60ebc0afc08ca54473d9e6de933b731cb914f5d4ad836516c4.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22448" 
"*1847da329255b121b83e0da08c255017c9fcf05bf0bc99fea3714430e5d383eb*",".{0,1000}1847da329255b121b83e0da08c255017c9fcf05bf0bc99fea3714430e5d383eb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22449" "*184bc09abc6f6936a05c6ee49fdba98c5a289373ae70afdba2daa758d630593b*",".{0,1000}184bc09abc6f6936a05c6ee49fdba98c5a289373ae70afdba2daa758d630593b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22450" "*1853adeeee45b385f71719b52c95f1c84c040d70296157d2ee52bd040aff39cd*",".{0,1000}1853adeeee45b385f71719b52c95f1c84c040d70296157d2ee52bd040aff39cd.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","22453" "*18602b36b09077e090abf0f5f4d846f05ca70e62471ff3d67fdb0bccaa387a9d*",".{0,1000}18602b36b09077e090abf0f5f4d846f05ca70e62471ff3d67fdb0bccaa387a9d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - 
Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22456" "*18740144d6c91dea850c695590973733ababc0634ca18073d2faec296f572b07*",".{0,1000}18740144d6c91dea850c695590973733ababc0634ca18073d2faec296f572b07.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22460" "*189b30810273723068cc1de34f0898f999fb1e8e912140e78119f588de4c613b*",".{0,1000}189b30810273723068cc1de34f0898f999fb1e8e912140e78119f588de4c613b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22469" "*189d2b311c47271dd6c1bed36d8531cdf20e2f21aff699d1fe6d8e29020bde63*",".{0,1000}189d2b311c47271dd6c1bed36d8531cdf20e2f21aff699d1fe6d8e29020bde63.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22470" "*18a056d9fa89813c9e19f150cfab07ab374681ae253f4f7ce9953d4cad79bd2c*",".{0,1000}18a056d9fa89813c9e19f150cfab07ab374681ae253f4f7ce9953d4cad79bd2c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22472" "*18ac281a3d3d2df65755abadf75bbb551cf62d5613f5821ad0e08c9088978f93*",".{0,1000}18ac281a3d3d2df65755abadf75bbb551cf62d5613f5821ad0e08c9088978f93.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22475" "*18aced79e1431c887174daad2c6076afbd67034fd5ef72042260feffce27a274*",".{0,1000}18aced79e1431c887174daad2c6076afbd67034fd5ef72042260feffce27a274.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22476" "*18b6a345f7d4fb9250b8d751a99f58a0a2daace02a1f7a4e7bb567237e681335*",".{0,1000}18b6a345f7d4fb9250b8d751a99f58a0a2daace02a1f7a4e7bb567237e681335.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22477" "*18c7944f13fe80a024cb1fdce6a2621dcd2ab11f639773d42902aec34085b51e*",".{0,1000}18c7944f13fe80a024cb1fdce6a2621dcd2ab11f639773d42902aec34085b51e.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","22483" "*18d131bb7a04a65222cfb35ce549326e9debb5379d04e68d3d75e2d4ae24eb7d*",".{0,1000}18d131bb7a04a65222cfb35ce549326e9debb5379d04e68d3d75e2d4ae24eb7d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22486" "*18d40326c20c254f298564a899eb72419e418bdb7e3273e14efb17ebe0b68d12*",".{0,1000}18d40326c20c254f298564a899eb72419e418bdb7e3273e14efb17ebe0b68d12.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22487" "*18db38d87241a38cb3b44b1b2e320009fa5e129804a7970c71ea4399fc4dec27*",".{0,1000}18db38d87241a38cb3b44b1b2e320009fa5e129804a7970c71ea4399fc4dec27.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22489" 
"*18ee2a78c352eeceb07d55ba572955af64b14282914fe77edf632baf4ce0f967*",".{0,1000}18ee2a78c352eeceb07d55ba572955af64b14282914fe77edf632baf4ce0f967.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22493" "*1912f7bb54e7c5ca2f93c0302a8bb55df6bd4ed8489d92619cfbbe970bb0bd7f*",".{0,1000}1912f7bb54e7c5ca2f93c0302a8bb55df6bd4ed8489d92619cfbbe970bb0bd7f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22500" "*191768fc581508bcc3426c4ed5d227ff4b075d6d1d5309d220d144486d8490d1*",".{0,1000}191768fc581508bcc3426c4ed5d227ff4b075d6d1d5309d220d144486d8490d1.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22503" "*193051af6c427627482ae2318feff8615ce834f3c00cb61d7a12e71bfabc60f3*",".{0,1000}193051af6c427627482ae2318feff8615ce834f3c00cb61d7a12e71bfabc60f3.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22511" 
"*1930f4934eb50f2aca7341a4fd5cb7053c39a76fd38d185551d2b3a60283bfdf*",".{0,1000}1930f4934eb50f2aca7341a4fd5cb7053c39a76fd38d185551d2b3a60283bfdf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22512" "*193edf6cc11c84106a634bd990feda1d50c24bb99e405f1eff6bf74b965dcadd*",".{0,1000}193edf6cc11c84106a634bd990feda1d50c24bb99e405f1eff6bf74b965dcadd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22517" "*194364fff5762c071f04644fe223f1fb97be80fc4289d2b20855bd5e943641a2*",".{0,1000}194364fff5762c071f04644fe223f1fb97be80fc4289d2b20855bd5e943641a2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22518" "*19529823b5d0e8b0c2a4cf5e67b825254efbd7568b7d6b204a220e684e3787d7*",".{0,1000}19529823b5d0e8b0c2a4cf5e67b825254efbd7568b7d6b204a220e684e3787d7.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP 
ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","22519" "*196d1f2b496f00ed154b1ea8884ee7e5938504750c79d9d3e345d47db5499980*",".{0,1000}196d1f2b496f00ed154b1ea8884ee7e5938504750c79d9d3e345d47db5499980.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","22528" "*197893f2048f9925f1e6ed4e292ac9e7fc5923fa06cb27f994d26572e8015263*",".{0,1000}197893f2048f9925f1e6ed4e292ac9e7fc5923fa06cb27f994d26572e8015263.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22532" "*19b77a9c4b75bd82b5ed2b13f6119b5f5dd8fadbec880b1c9897f25c3beb8a71*",".{0,1000}19b77a9c4b75bd82b5ed2b13f6119b5f5dd8fadbec880b1c9897f25c3beb8a71.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22546" "*19c515af1a70491e5a451f62fdfe41573face748e6d6ccd7cd61732fd1a076d5*",".{0,1000}19c515af1a70491e5a451f62fdfe41573face748e6d6ccd7cd61732fd1a076d5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud 
storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22549" "*19ca9f2b318ea2efbe9f2b213c2edd68de54c7ed35dc3f291146c67374d8c57d*",".{0,1000}19ca9f2b318ea2efbe9f2b213c2edd68de54c7ed35dc3f291146c67374d8c57d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22552" "*19cc16baa9f9a85123f627bc2ca7eff0f5d901a4674ea96b4ebb21df2183c8b5*",".{0,1000}19cc16baa9f9a85123f627bc2ca7eff0f5d901a4674ea96b4ebb21df2183c8b5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22553" "*19cf7f92ad4a5f458e6569830e2ff805e3fa50723e67fff5ef430fac4a40b62e*",".{0,1000}19cf7f92ad4a5f458e6569830e2ff805e3fa50723e67fff5ef430fac4a40b62e.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22555" "*19d9a81e3487b8a0624b927ca9a0703a716a383d41d61a22d4a1e20777713923*",".{0,1000}19d9a81e3487b8a0624b927ca9a0703a716a383d41d61a22d4a1e20777713923.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22558" "*19e5eb368d5b82d650a5ab168f4041dc2f2e526569349319c8d0adcde091a7d5*",".{0,1000}19e5eb368d5b82d650a5ab168f4041dc2f2e526569349319c8d0adcde091a7d5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22561" "*19e6eaa89377d7e40661f4fa52f6275db06e9785a23413ca7abb7dc64538e82c*",".{0,1000}19e6eaa89377d7e40661f4fa52f6275db06e9785a23413ca7abb7dc64538e82c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22562" 
"*19e8ff4b933c50b4eabdd8dd6bddea9f34ab1d4b1155d3e885ef49ff480a6912*",".{0,1000}19e8ff4b933c50b4eabdd8dd6bddea9f34ab1d4b1155d3e885ef49ff480a6912.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","22564" "*19ee368d7680478dc89a246dbf3e57a05242a239a68d40ec6529208425fbf485*",".{0,1000}19ee368d7680478dc89a246dbf3e57a05242a239a68d40ec6529208425fbf485.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","22565" "*19eea7bdd183eb616b037a97eeee302a9afabdb0a8f5a4bec515214c19348327*",".{0,1000}19eea7bdd183eb616b037a97eeee302a9afabdb0a8f5a4bec515214c19348327.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22566" 
"*1a061f3b3048646be65595bc0bd0cff4a9afabac65be1c84ae9e03f577c8aef5*",".{0,1000}1a061f3b3048646be65595bc0bd0cff4a9afabac65be1c84ae9e03f577c8aef5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22570" "*1a092bc669e1aa4ffc86ef47e50b48aaa7fb330d39169225dc22e1ac98af691a*",".{0,1000}1a092bc669e1aa4ffc86ef47e50b48aaa7fb330d39169225dc22e1ac98af691a.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#filehash #linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","22571" "*1a1a3b080393b721ba5f38597305be2dbac3b654b43dfac3ebe4630b4e6406c3*",".{0,1000}1a1a3b080393b721ba5f38597305be2dbac3b654b43dfac3ebe4630b4e6406c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22574" "*1a1a729fe607c59dae787bc5322efcf8cc5a9e87623c6d10e2a08531829bb9fb*",".{0,1000}1a1a729fe607c59dae787bc5322efcf8cc5a9e87623c6d10e2a08531829bb9fb.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22575" "*1a1b2883ad2c55fe3a1d4544bc1401e92a0b98148d85f6e5fdaa54154ba5a2e8*",".{0,1000}1a1b2883ad2c55fe3a1d4544bc1401e92a0b98148d85f6e5fdaa54154ba5a2e8.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","22576" "*1a1d59b366b35108f0681a69a77a8d67cae6d6111c589703526964e0243cf62f*",".{0,1000}1a1d59b366b35108f0681a69a77a8d67cae6d6111c589703526964e0243cf62f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22579" "*1a306749771fda249ef439dcb9d82b1a54a72e56d1693853fdceba17f8542759*",".{0,1000}1a306749771fda249ef439dcb9d82b1a54a72e56d1693853fdceba17f8542759.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit 
- Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22582" "*1a338c455c8cf9b8499c16e26cfa7e4b34109cf441045a6d006a8d9aa8d852bb*",".{0,1000}1a338c455c8cf9b8499c16e26cfa7e4b34109cf441045a6d006a8d9aa8d852bb.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","22583" "*1a367846c52078e39113a1ff7d1d5615637a06c19a63215570e4d058c3faf329*",".{0,1000}1a367846c52078e39113a1ff7d1d5615637a06c19a63215570e4d058c3faf329.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22584" "*1a3e926a0edaf65790c39af7e83d4884d39f99b7e95a176b4feb5bc89f051d48*",".{0,1000}1a3e926a0edaf65790c39af7e83d4884d39f99b7e95a176b4feb5bc89f051d48.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22587" "*1a451fd4ea04c5e764361e14cf2458ed4c3880659d0aa664c9dbc5ab74d7b44e*",".{0,1000}1a451fd4ea04c5e764361e14cf2458ed4c3880659d0aa664c9dbc5ab74d7b44e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22588" "*1a5142e3dab3f5562a6263bdda31dc4986e9457fc3a8ce0c61c339040d2f175f*",".{0,1000}1a5142e3dab3f5562a6263bdda31dc4986e9457fc3a8ce0c61c339040d2f175f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22591" "*1a527c78ae25fa3e393d70fbfcea5b928ca96a689d8e82477f1b0db0cfc51e76*",".{0,1000}1a527c78ae25fa3e393d70fbfcea5b928ca96a689d8e82477f1b0db0cfc51e76.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22594" 
"*1a535e15b11923cd368d6b39e1a308b67d7ed2be686d7968aa50e5c3630ea11a*",".{0,1000}1a535e15b11923cd368d6b39e1a308b67d7ed2be686d7968aa50e5c3630ea11a.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","22595" "*1a56d77d702056356afad246655a1974c5df127163542753f0fcede98a250045*",".{0,1000}1a56d77d702056356afad246655a1974c5df127163542753f0fcede98a250045.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22598" "*1a5c1d2a3b17aa381c318b3f3919f7cfc4cd430c3a2c3053ba055fb4ccf38c97*",".{0,1000}1a5c1d2a3b17aa381c318b3f3919f7cfc4cd430c3a2c3053ba055fb4ccf38c97.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22601" "*1a67be9a8bb43e9654b8c888ba700d5c737041952022544dbada4e4032b4d0ac*",".{0,1000}1a67be9a8bb43e9654b8c888ba700d5c737041952022544dbada4e4032b4d0ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* 
- FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22603" "*1a7124d26b8e5b879fd245cd8c0d0eae962a3aa7e897d7cecf23c38528a3f58c*",".{0,1000}1a7124d26b8e5b879fd245cd8c0d0eae962a3aa7e897d7cecf23c38528a3f58c.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22605" "*1a863b55ce99ee16151b756a7e9a26ac2b8d86e7bfa69ff99a6c0883ea25a6a6*",".{0,1000}1a863b55ce99ee16151b756a7e9a26ac2b8d86e7bfa69ff99a6c0883ea25a6a6.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22609" "*1a8d2c5bfe3a0367068cdf890b025258e5614c3fef308985c001500902692817*",".{0,1000}1a8d2c5bfe3a0367068cdf890b025258e5614c3fef308985c001500902692817.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22612" "*1a9fb59e84b29362e747cf4191c4100ccfa6c52fd766eedb831a4169923976eb*",".{0,1000}1a9fb59e84b29362e747cf4191c4100ccfa6c52fd766eedb831a4169923976eb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22615" "*1aa48436b6193acff1c9fe26e1456f35d5891aa90be2f203f5d59b77fa82df5a*",".{0,1000}1aa48436b6193acff1c9fe26e1456f35d5891aa90be2f203f5d59b77fa82df5a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22617" "*1abd5cde54ace5237b1921db031fa2bf01ff61af1025384dd82042b047b3f94f*",".{0,1000}1abd5cde54ace5237b1921db031fa2bf01ff61af1025384dd82042b047b3f94f.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","22625" "*1ac730e020f0925a3695bd5712803d52c981d31af54413b609fd9878a7ee0ed7*",".{0,1000}1ac730e020f0925a3695bd5712803d52c981d31af54413b609fd9878a7ee0ed7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22628" "*1aca05451d4f7ecde7301845969dbc9fe7e1ebfde9eb725dfc66df3892f2f8db*",".{0,1000}1aca05451d4f7ecde7301845969dbc9fe7e1ebfde9eb725dfc66df3892f2f8db.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22629" "*1acf3b83f3433c08fb6f8293709c72a72fbb60ba1514c13cfbe6509b4116afb1*",".{0,1000}1acf3b83f3433c08fb6f8293709c72a72fbb60ba1514c13cfbe6509b4116afb1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22632" 
"*1ad8a76a9f966da5f7a319c49a6db071a60ebaa24d69e6d86d53d6f2bcaf11ed*",".{0,1000}1ad8a76a9f966da5f7a319c49a6db071a60ebaa24d69e6d86d53d6f2bcaf11ed.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22635" "*1aea638f681b471f2bbe8714673b0c2fdd7f590b33cda162020e601f961dd4d0*",".{0,1000}1aea638f681b471f2bbe8714673b0c2fdd7f590b33cda162020e601f961dd4d0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22640" "*1af017efc1e96bfb6cb5e3a1224b503a3a8da4b0333bd8f2fd3bc6022a24f7a8*",".{0,1000}1af017efc1e96bfb6cb5e3a1224b503a3a8da4b0333bd8f2fd3bc6022a24f7a8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22644" "*1af3ab6f5bffc4a367818ed64b823d9b54e63710a3566635e29f01478a680110*",".{0,1000}1af3ab6f5bffc4a367818ed64b823d9b54e63710a3566635e29f01478a680110.{0,1000}","greyware_tool_keyword","croc","croc is a 
tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22646" "*1af99ff0796b156af3e46c20926f5aa5bd30e82821d7def568eae8a62ed44819*",".{0,1000}1af99ff0796b156af3e46c20926f5aa5bd30e82821d7def568eae8a62ed44819.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22649" "*1b14c2ba7ba16b131c65a8e61bddef8db25bec2d641ff138b9a84a522581aff7*",".{0,1000}1b14c2ba7ba16b131c65a8e61bddef8db25bec2d641ff138b9a84a522581aff7.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","22654" "*1b38c8d5050c47dd6902d8da4b230d832e144d56f2a49affac2185f854223fe1*",".{0,1000}1b38c8d5050c47dd6902d8da4b230d832e144d56f2a49affac2185f854223fe1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22665" "*1b3c61129cf7b45ad41a6b297f4425b9e700cf6302c8969232c7587ae7e727d9*",".{0,1000}1b3c61129cf7b45ad41a6b297f4425b9e700cf6302c8969232c7587ae7e727d9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22667" "*1b3e09c31048ec7f2ef06166eb47dcdf0e563ca07b6dcc1318fa6f7db3feb458*",".{0,1000}1b3e09c31048ec7f2ef06166eb47dcdf0e563ca07b6dcc1318fa6f7db3feb458.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","22670" "*1b41fb4be93b92548f9e5419fae45b76592a5b6ab0c5d42930f6824686225f3c*",".{0,1000}1b41fb4be93b92548f9e5419fae45b76592a5b6ab0c5d42930f6824686225f3c.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","22671" "*1b501cd229b855a0d7c4fe904c512ea453a3c1b225f55f03a4577e91cc434aaf*",".{0,1000}1b501cd229b855a0d7c4fe904c512ea453a3c1b225f55f03a4577e91cc434aaf.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22676" "*1b60f0c6902fde29c56d8ef1df0be1b1ba81320c08aeeae8aa34b2f3698c5cae*",".{0,1000}1b60f0c6902fde29c56d8ef1df0be1b1ba81320c08aeeae8aa34b2f3698c5cae.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22683" "*1b6c1c7541fe63d8b93d2ecdd39fa84fbabe464ad75fc822ccdea8b8bb0e3e56*",".{0,1000}1b6c1c7541fe63d8b93d2ecdd39fa84fbabe464ad75fc822ccdea8b8bb0e3e56.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22686" "*1b746db0162248f56dd364a85ff35482f0c8dba3b45f42ed769f8592f0061af3*",".{0,1000}1b746db0162248f56dd364a85ff35482f0c8dba3b45f42ed769f8592f0061af3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - 
Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22688" "*1b89a1c5e9ef0bf0c91232fad88f31a6a27936407bff9e312a61ce5aab2bdac4*",".{0,1000}1b89a1c5e9ef0bf0c91232fad88f31a6a27936407bff9e312a61ce5aab2bdac4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22694" "*1ba101f6b07b3194b481dfad27f70bfa23e86a822b49e8c6b3138e57f13614c7*",".{0,1000}1ba101f6b07b3194b481dfad27f70bfa23e86a822b49e8c6b3138e57f13614c7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22698" "*1ba52a6f7c12d32fd2a9d21503bcbed51533a07f24c6aa94f82b7d58eb87841d*",".{0,1000}1ba52a6f7c12d32fd2a9d21503bcbed51533a07f24c6aa94f82b7d58eb87841d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22701" "*1bcbac2e969778df504fbe04dd5bfb1e337c141869efdca9c3974e8c97296e18*",".{0,1000}1bcbac2e969778df504fbe04dd5bfb1e337c141869efdca9c3974e8c97296e18.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in 
one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22712" "*1bcdf25876c01658756741f64fe06654583e539aa3139bdf55ef1324137e148e*",".{0,1000}1bcdf25876c01658756741f64fe06654583e539aa3139bdf55ef1324137e148e.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","22713" "*1befd6f9e0bec802dc6a4e2a33a85c967bbe3eb6126c1c4d0182f55aba1166a6*",".{0,1000}1befd6f9e0bec802dc6a4e2a33a85c967bbe3eb6126c1c4d0182f55aba1166a6.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","22718" "*1bff328616d4205bf3182c51e6267cee29b03e9cda22671cf0f2c153a4e39d0d*",".{0,1000}1bff328616d4205bf3182c51e6267cee29b03e9cda22671cf0f2c153a4e39d0d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22722" "*1c0511142beb4a6036d9e1915787354e97716a0c72f9aa4c7158ed39fa1542b7*",".{0,1000}1c0511142beb4a6036d9e1915787354e97716a0c72f9aa4c7158ed39fa1542b7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - 
T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22726" "*1c07a12c276062d9c70006a6e7377b7297d510ce78d52f9e62e3848ad585a822*",".{0,1000}1c07a12c276062d9c70006a6e7377b7297d510ce78d52f9e62e3848ad585a822.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22727" "*1c28a3ecf4991146bccfd39ec97c8c060286596c44caedb598feaaf607b277cd*",".{0,1000}1c28a3ecf4991146bccfd39ec97c8c060286596c44caedb598feaaf607b277cd.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22732" "*1c2d7d9badc2cf5a7c99d5435b40eecf5a7d579e3fa5f92f3ac27cf34068a827*",".{0,1000}1c2d7d9badc2cf5a7c99d5435b40eecf5a7d579e3fa5f92f3ac27cf34068a827.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22735" 
"*1c3116773feaf7723c98e6ec8c57dffadb45ed4dd6781133befb612fe40d5e96*",".{0,1000}1c3116773feaf7723c98e6ec8c57dffadb45ed4dd6781133befb612fe40d5e96.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22737" "*1c4cd487862b68af1e3319e7f37e3b37db822b41e580528653c16264e5d44c40*",".{0,1000}1c4cd487862b68af1e3319e7f37e3b37db822b41e580528653c16264e5d44c40.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22740" "*1c6329a23d57e7b38b7ae061f609c4efcc75144cde1061ef3bcd2d2264b42dd9*",".{0,1000}1c6329a23d57e7b38b7ae061f609c4efcc75144cde1061ef3bcd2d2264b42dd9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22748" "*1c722fc7d3e234e27029f791232f8f19460b02226f80d391ab8f2102b5f76c29*",".{0,1000}1c722fc7d3e234e27029f791232f8f19460b02226f80d391ab8f2102b5f76c29.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22750" "*1c76ba5931eda89deb05158b1abbac7f740a594509f3620c52fa66287a5e7a6e*",".{0,1000}1c76ba5931eda89deb05158b1abbac7f740a594509f3620c52fa66287a5e7a6e.{0,1000}","greyware_tool_keyword","Portr","Portr is a 
tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","22752" "*1c7b04e5a15afed07071240ef6dfda584aede9f24e333463b6e00cdaa3886fc5*",".{0,1000}1c7b04e5a15afed07071240ef6dfda584aede9f24e333463b6e00cdaa3886fc5.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","22754" "*1c8697533f19519535ac3679b54beb9632476b3f13adf0d58708b6c4db55e310*",".{0,1000}1c8697533f19519535ac3679b54beb9632476b3f13adf0d58708b6c4db55e310.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","22760" "*1c89af499e9d81c3ee2af8fa74a88414c22657c3df439f4d812e803bff5671cd*",".{0,1000}1c89af499e9d81c3ee2af8fa74a88414c22657c3df439f4d812e803bff5671cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22762" "*1c90f970cc49e643c0c108f63e6d3a7696b2f28da91a42fc0fb234562f48e3ce*",".{0,1000}1c90f970cc49e643c0c108f63e6d3a7696b2f28da91a42fc0fb234562f48e3ce.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22764" "*1ca8187c73c3c75ace29675193659f9d6ddff3e5ddf2131f49f156844ca7d778*",".{0,1000}1ca8187c73c3c75ace29675193659f9d6ddff3e5ddf2131f49f156844ca7d778.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22766" "*1caf54aea406542836d678b35daef36f7dab5c6b271cc9333bf9132fb9a11b5a*",".{0,1000}1caf54aea406542836d678b35daef36f7dab5c6b271cc9333bf9132fb9a11b5a.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","22769" "*1cc0257d93b4d1c0b3c923c923c2997f222d271591addbdd2da0da019dbb5fe579*",".{0,1000}1cc0257d93b4d1c0b3c923c923c2997f222d271591addbdd2da0da019dbb5fe579.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 
","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","#filehash","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","22775" "*1cc170b0e7ab93a5624909c533cd70df630e60c199ad394b050658d19807537b*",".{0,1000}1cc170b0e7ab93a5624909c533cd70df630e60c199ad394b050658d19807537b.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","22776" "*1cc321e6be0a4b96e5661f3872f746da0873215758d5948bc7590779ac659a3f*",".{0,1000}1cc321e6be0a4b96e5661f3872f746da0873215758d5948bc7590779ac659a3f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22777" "*1CC6E8A9-1875-430C-B2BB-F227ACD711B1*",".{0,1000}1CC6E8A9\-1875\-430C\-B2BB\-F227ACD711B1.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","22780" "*1cc8655fa99f06e787871a9f8b5ceec283c856fa341a5b38824a0ca89420b0fe*",".{0,1000}1cc8655fa99f06e787871a9f8b5ceec283c856fa341a5b38824a0ca89420b0fe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22781" "*1ccedb3262e89f8d841a6c6b3ea5e8c5ef8fb42779168e5cc47ba1674be930f1*",".{0,1000}1ccedb3262e89f8d841a6c6b3ea5e8c5ef8fb42779168e5cc47ba1674be930f1.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","22784" "*1cd2acf92f240f2672bc390bdd1a0138eb0790732dca5c9f7e0d88f980ccc476*",".{0,1000}1cd2acf92f240f2672bc390bdd1a0138eb0790732dca5c9f7e0d88f980ccc476.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22786" "*1cda556f00b20f5b575ba40f83d8a007a8fa3308ef502c62fb7510989c3b7b10*",".{0,1000}1cda556f00b20f5b575ba40f83d8a007a8fa3308ef502c62fb7510989c3b7b10.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22787" "*1d023cdd6aa17ec552878b1d36e3ce4fb32dc5b9563042a35452b0800c9da124*",".{0,1000}1d023cdd6aa17ec552878b1d36e3ce4fb32dc5b9563042a35452b0800c9da124.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","22794" "*1d1fc4833ed95176f590d34e7d43176a20d0ba1aea6791c291808bc95d190f29*",".{0,1000}1d1fc4833ed95176f590d34e7d43176a20d0ba1aea6791c291808bc95d190f29.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22799" "*1d289b4fb2f8766a1a1e7f8bab7472322f721c1c2f7ecf676f0c9dadfc7f66b3*",".{0,1000}1d289b4fb2f8766a1a1e7f8bab7472322f721c1c2f7ecf676f0c9dadfc7f66b3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22802" "*1d347f8bda31bc7dfce658a6b17459f32b7f8d2b76708d30bc5ee7cd3e9eab5b*",".{0,1000}1d347f8bda31bc7dfce658a6b17459f32b7f8d2b76708d30bc5ee7cd3e9eab5b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22807" 
"*1d55ef3e801a86435e2146f3409669fd31cb572500f3da333109f017181114c5*",".{0,1000}1d55ef3e801a86435e2146f3409669fd31cb572500f3da333109f017181114c5.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22817" "*1d57d63ec9e3ec8fb3b527132e6603c81d8bdea62141c25c29e7d9e24b026e9f*",".{0,1000}1d57d63ec9e3ec8fb3b527132e6603c81d8bdea62141c25c29e7d9e24b026e9f.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","22818" "*1d5b17f54911bc22816b0d72b32c258b259eb912d9d0484fdc949a315f5a5d42*",".{0,1000}1d5b17f54911bc22816b0d72b32c258b259eb912d9d0484fdc949a315f5a5d42.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22819" "*1d6101c42021d29583532660865649b7e609b0862e3bd0b164ec794b2953a2f0*",".{0,1000}1d6101c42021d29583532660865649b7e609b0862e3bd0b164ec794b2953a2f0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22820" 
"*1d716a8d9312001b2e35f0e9081e4efd60c0204e5bc9ce5728a82d02218ba849*",".{0,1000}1d716a8d9312001b2e35f0e9081e4efd60c0204e5bc9ce5728a82d02218ba849.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22825" "*1d72abe57369b5731e21252804dea61820c6e2a2ba89d0ce0f39d1253314ba3c*",".{0,1000}1d72abe57369b5731e21252804dea61820c6e2a2ba89d0ce0f39d1253314ba3c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22826" "*1d7c4f0e2045835904ee9c994212605d67aef12c7899d8d203039100dc038db7*",".{0,1000}1d7c4f0e2045835904ee9c994212605d67aef12c7899d8d203039100dc038db7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22829" "*1d7e79f1d90d5cd47d64478cc1b3cb0bcf3fa5ff3da30367825ce1fc9f209214*",".{0,1000}1d7e79f1d90d5cd47d64478cc1b3cb0bcf3fa5ff3da30367825ce1fc9f209214.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - 
abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22830" "*1d83e3da93ce0ef31a742f8f3ed6b77fc29566f7e3b4f7b240f2adf7c40a2036*",".{0,1000}1d83e3da93ce0ef31a742f8f3ed6b77fc29566f7e3b4f7b240f2adf7c40a2036.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22831" "*1d8e435a1cd0df78492aabd0dc9da9ae977ef0364c53b9253a06796d72f030e7*",".{0,1000}1d8e435a1cd0df78492aabd0dc9da9ae977ef0364c53b9253a06796d72f030e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22835" 
"*1d975d20bfb5aae07aed840f2af54cafc9281b0f3d4310287413cae69e3b983a*",".{0,1000}1d975d20bfb5aae07aed840f2af54cafc9281b0f3d4310287413cae69e3b983a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22837" "*1d9e35fcbf660435ec27cf36a00e87d80928f36e8edb2d7728abaa00585dac08*",".{0,1000}1d9e35fcbf660435ec27cf36a00e87d80928f36e8edb2d7728abaa00585dac08.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","22840" "*1da052796a987601ac6085ccbe6957104e3d56656be4b4cfcfbef4796ba8217b*",".{0,1000}1da052796a987601ac6085ccbe6957104e3d56656be4b4cfcfbef4796ba8217b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22841" "*1da8555f3513b39d821fc95a6a76ed4cd1b56ffcb30fc13c0eda59576ba5ebc4*",".{0,1000}1da8555f3513b39d821fc95a6a76ed4cd1b56ffcb30fc13c0eda59576ba5ebc4.{0,1000}","greyware_tool_keyword","suo5","http proxy 
tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","22845" "*1dc896f509482e7b6892dcd0e4f83cf5417be5f7a9edd1da5afc810f49ebeb6c*",".{0,1000}1dc896f509482e7b6892dcd0e4f83cf5417be5f7a9edd1da5afc810f49ebeb6c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","22849" "*1dce9f399e4ac4a1deebc00de3dc11e880a5299ab933df9a4b9d7ce3aeffb20d*",".{0,1000}1dce9f399e4ac4a1deebc00de3dc11e880a5299ab933df9a4b9d7ce3aeffb20d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22851" "*1de7b243066345a7d95e5e61837e54cf91b687f5e064419d11ce6b48534d9a66*",".{0,1000}1de7b243066345a7d95e5e61837e54cf91b687f5e064419d11ce6b48534d9a66.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22857"
"*1df13a2ce963c124cb494c745e67d8bf8abb87b94a9b640e5143b16138cb5d2d*",".{0,1000}1df13a2ce963c124cb494c745e67d8bf8abb87b94a9b640e5143b16138cb5d2d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22860" "*1df2598fa2ca5e42fc9e4d4d0cf1e67ed61ab2b9ff29b9da372cee03d817ad2b*",".{0,1000}1df2598fa2ca5e42fc9e4d4d0cf1e67ed61ab2b9ff29b9da372cee03d817ad2b.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","22861" "*1df9cc0aac82013ab4387860bc1059df19f585868fdcc73f1a7bae3b5cc5c78b*",".{0,1000}1df9cc0aac82013ab4387860bc1059df19f585868fdcc73f1a7bae3b5cc5c78b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22866" 
"*1e0e0d1e7388beaa2a892c057759fdfe6a4fe915f9518c73068761f8d6d7619d*",".{0,1000}1e0e0d1e7388beaa2a892c057759fdfe6a4fe915f9518c73068761f8d6d7619d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22874" "*1e4339c6d4ebe8badb742b42ff9a336c9cbf4fca5d735dfdea67b7a9c598a297*",".{0,1000}1e4339c6d4ebe8badb742b42ff9a336c9cbf4fca5d735dfdea67b7a9c598a297.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22884" "*1e55e2b5357bce9f5fa54d2a12801dfba6c70262a6ddceae4b227a014db0aa92*",".{0,1000}1e55e2b5357bce9f5fa54d2a12801dfba6c70262a6ddceae4b227a014db0aa92.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","22892" "*1e5aad914ec6f6fdbb0c0c340ab0e2c336922fba3e556b007d8d5002a6c478ca*",".{0,1000}1e5aad914ec6f6fdbb0c0c340ab0e2c336922fba3e556b007d8d5002a6c478ca.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","22893" "*1e5b997597bacce1d971b83416c2f8c9cde0cbd294e6b11d91a3939f9c6356a9*",".{0,1000}1e5b997597bacce1d971b83416c2f8c9cde0cbd294e6b11d91a3939f9c6356a9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22894" "*1e65d6a9229388b032dc9691eb041c922e133a1a6f35b9665dfd0457273da334*",".{0,1000}1e65d6a9229388b032dc9691eb041c922e133a1a6f35b9665dfd0457273da334.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22897" "*1e68cb8928288f31a3f1b7fc867f79f56912c289f93a3dffd962fea895fb8f12*",".{0,1000}1e68cb8928288f31a3f1b7fc867f79f56912c289f93a3dffd962fea895fb8f12.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc.
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","22899" "*1e6f9b25d6e296f2f63dac75b8abd30cc6f0a85cd7bea0579d081fea67085082*",".{0,1000}1e6f9b25d6e296f2f63dac75b8abd30cc6f0a85cd7bea0579d081fea67085082.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22901" "*1e8312b30e0290161f6304f3fe76b7bf1cd111038b09e423f3d30ce1e77a7bdc*",".{0,1000}1e8312b30e0290161f6304f3fe76b7bf1cd111038b09e423f3d30ce1e77a7bdc.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","22906" "*1e8dc49b24079e1f1b78fe64f54e0c222be67d45bbd2a6e5f13e06ca10d75004*",".{0,1000}1e8dc49b24079e1f1b78fe64f54e0c222be67d45bbd2a6e5f13e06ca10d75004.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22911" "*1e8df455b02c3384eec7ea1f9c6c42927442634440738af4c68fc4f8c1941ede*",".{0,1000}1e8df455b02c3384eec7ea1f9c6c42927442634440738af4c68fc4f8c1941ede.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - 
T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","22912" "*1e938fb7b547413a088c96ada20ab163fe27f12d2124aa1cb652f68ec0448970*",".{0,1000}1e938fb7b547413a088c96ada20ab163fe27f12d2124aa1cb652f68ec0448970.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22916" "*1e93b311f27b676be80419ae9ada6e3e599fb38e204bf27ecd14320e1b4dc1c3*",".{0,1000}1e93b311f27b676be80419ae9ada6e3e599fb38e204bf27ecd14320e1b4dc1c3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22917" "*1e974e0245f99c767e45bfc1568a8451a044beb70b8c4cdf4845467395943856*",".{0,1000}1e974e0245f99c767e45bfc1568a8451a044beb70b8c4cdf4845467395943856.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22919"
"*1e9aca80c4f4e263c72a83d4333a9dac0e24b24e1fe11a8dc1d9b38d77883705*",".{0,1000}1e9aca80c4f4e263c72a83d4333a9dac0e24b24e1fe11a8dc1d9b38d77883705.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22920" "*1e9b04a795d2cf5d7c71b576c13f35873413e1c8031019e951ba65e39655be58*",".{0,1000}1e9b04a795d2cf5d7c71b576c13f35873413e1c8031019e951ba65e39655be58.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22921" "*1eab0f66e1cf84017ad8aac6358d7bd50fef62477281b9492ccf772be20caf3c*",".{0,1000}1eab0f66e1cf84017ad8aac6358d7bd50fef62477281b9492ccf772be20caf3c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22924" "*1ec5de34fbde95ee1b1237a78d01bd39925007ca1d9e128fa470ec090c176de9*",".{0,1000}1ec5de34fbde95ee1b1237a78d01bd39925007ca1d9e128fa470ec090c176de9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22928" 
"*1ed2f132aaeb3c4d7422ff41944a9e8fecfbf0efcd2cdd58356dc80181a9745e*",".{0,1000}1ed2f132aaeb3c4d7422ff41944a9e8fecfbf0efcd2cdd58356dc80181a9745e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22937" "*1ed7632518a86fa468f5823d6da4826d1787845cc0969a46da110c98139a3db4*",".{0,1000}1ed7632518a86fa468f5823d6da4826d1787845cc0969a46da110c98139a3db4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22939" "*1ede16af1fa680690f056d759d16a26bf527bd18d75cdd2d88c830b2a4afd980*",".{0,1000}1ede16af1fa680690f056d759d16a26bf527bd18d75cdd2d88c830b2a4afd980.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22940" "*1ede16b360710fe5f9471474979f8cca5ad6e2005bd0088c3d54a3272677fb4d*",".{0,1000}1ede16b360710fe5f9471474979f8cca5ad6e2005bd0088c3d54a3272677fb4d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22941" "*1f0ebec30ded3a9df5a8e2195bbc891c339a092c8ac0f07233c8478c1182242f*",".{0,1000}1f0ebec30ded3a9df5a8e2195bbc891c339a092c8ac0f07233c8478c1182242f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","22956" "*1f14b24c5bf0a3ddc9af6394eab7245bd6af7f4c20322cd4177ef24e5e86bed0*",".{0,1000}1f14b24c5bf0a3ddc9af6394eab7245bd6af7f4c20322cd4177ef24e5e86bed0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","22958" "*1f180d755994e8a501463d1255c019376b13720e9b970f3da5d08007335726c0*",".{0,1000}1f180d755994e8a501463d1255c019376b13720e9b970f3da5d08007335726c0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22960"
"*1f1eefdf6a9ade3923edcd716c56941f2755848a4bd97167aaa1ceebfed95194*",".{0,1000}1f1eefdf6a9ade3923edcd716c56941f2755848a4bd97167aaa1ceebfed95194.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","22962" "*1f2cf255b1a6d9fafad11a2d27bc9471f1e883c59a02504794e2846c7f955976*",".{0,1000}1f2cf255b1a6d9fafad11a2d27bc9471f1e883c59a02504794e2846c7f955976.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","22968" "*1f4453ac0f49d134dfa05b10ea4e3aa159c7fad7f8639a707c0678c04309d54b*",".{0,1000}1f4453ac0f49d134dfa05b10ea4e3aa159c7fad7f8639a707c0678c04309d54b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22975" 
"*1f51e236e7e1fbeb8cf38462e17da4d1921aeef093e2990538a4eb1d35554076*",".{0,1000}1f51e236e7e1fbeb8cf38462e17da4d1921aeef093e2990538a4eb1d35554076.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","22979" "*1f615397bacd86a29514e0cc9981af1e76ba261c6634367508a7fd88bc088724*",".{0,1000}1f615397bacd86a29514e0cc9981af1e76ba261c6634367508a7fd88bc088724.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22982" "*1f6b524a6a041b1fd96e570530c629756a886033ce50cd336b7eab1cea955019*",".{0,1000}1f6b524a6a041b1fd96e570530c629756a886033ce50cd336b7eab1cea955019.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22984" "*1f88f58c10b8f936cf8058e5effdef6a88ece05393f3c3df2a1247c3d6e651c0*",".{0,1000}1f88f58c10b8f936cf8058e5effdef6a88ece05393f3c3df2a1247c3d6e651c0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - 
TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","22993" "*1f9d03503d8756311b7904e99aee3460f1ace427aad88f6dcba6a97a9c5a8171*",".{0,1000}1f9d03503d8756311b7904e99aee3460f1ace427aad88f6dcba6a97a9c5a8171.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","22995" "*1fa94229b3c6f5c9a7eb56af8e57e2e47b654770934976115dd918d50487a1e1*",".{0,1000}1fa94229b3c6f5c9a7eb56af8e57e2e47b654770934976115dd918d50487a1e1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22996" "*1fb29637f484c581618b37fd321d3664fe52602d5c9bfef9d2c3acee8a5afdae*",".{0,1000}1fb29637f484c581618b37fd321d3664fe52602d5c9bfef9d2c3acee8a5afdae.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - 
Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","22999" "*1fb74dc72e792566b0caf2c596b7d6e655caaa678b8cc0c1f6975427d64746e0*",".{0,1000}1fb74dc72e792566b0caf2c596b7d6e655caaa678b8cc0c1f6975427d64746e0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23000" "*1fd13e23e6e0959dc50d24207282f3873937f2e97c5f20205cef84d58dacc676*",".{0,1000}1fd13e23e6e0959dc50d24207282f3873937f2e97c5f20205cef84d58dacc676.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","23007" "*1fd8e5fb9a446742894cec59f3007244ed3ea77b2f7401b6fc42333dc0a0ed51*",".{0,1000}1fd8e5fb9a446742894cec59f3007244ed3ea77b2f7401b6fc42333dc0a0ed51.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23009" "*1fde906bc848a16734929e3d27c2223ab4e5be688b497cdcd8a0c4849931769b*",".{0,1000}1fde906bc848a16734929e3d27c2223ab4e5be688b497cdcd8a0c4849931769b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23011" "*1fe3604bdf69ff5a881a77258a10583a3fea5958aaab958ee4c22080635f64ba*",".{0,1000}1fe3604bdf69ff5a881a77258a10583a3fea5958aaab958ee4c22080635f64ba.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","23012" "*1fe64b366408022e4d61c1e37f64e268f7e72f4d351425df36c35fb1cfc534fd*",".{0,1000}1fe64b366408022e4d61c1e37f64e268f7e72f4d351425df36c35fb1cfc534fd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23013" "*1ff7731d1b7af7110f27796e0fecb551cb5067030aa7d87e333d46f3f57f4214*",".{0,1000}1ff7731d1b7af7110f27796e0fecb551cb5067030aa7d87e333d46f3f57f4214.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23018" "*200244a2c1bc9e186f875c23d0b78c9ab59a88052f4f4132e5c28a70fdc356b6*",".{0,1000}200244a2c1bc9e186f875c23d0b78c9ab59a88052f4f4132e5c28a70fdc356b6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23033" "*201281dccb6437ae62550434e78ff9cae3c2c19b7af8e9e55a3d1e89e32342d4*",".{0,1000}201281dccb6437ae62550434e78ff9cae3c2c19b7af8e9e55a3d1e89e32342d4.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","23036" "*20354177c2ba7a7695f6a97a645b22834ee4e0a530717e9b787886d4f61fc291*",".{0,1000}20354177c2ba7a7695f6a97a645b22834ee4e0a530717e9b787886d4f61fc291.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23046" "*2043a9ceaa7f2eeb1bb77a9fb932bb484c848d167680ee34fccbf1684a7147ab*",".{0,1000}2043a9ceaa7f2eeb1bb77a9fb932bb484c848d167680ee34fccbf1684a7147ab.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23052" 
"*204eefc73b55ea27b172fcedba0c3ee0615548663fd095839ba2e153c8664e76*",".{0,1000}204eefc73b55ea27b172fcedba0c3ee0615548663fd095839ba2e153c8664e76.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23054" "*20562bf31696728f41152473ae781c24d7a6809ad34c57fc4f8219ddc0d98f47*",".{0,1000}20562bf31696728f41152473ae781c24d7a6809ad34c57fc4f8219ddc0d98f47.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23056" "*205d67361d76c5f674393f0762515f32f005487d640751fb0cb67f81fa298ff4*",".{0,1000}205d67361d76c5f674393f0762515f32f005487d640751fb0cb67f81fa298ff4.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23064" "*206d0059cc04cdb49bff03b5d3658749b511257cc235b2944dc74b82a0b31a2f*",".{0,1000}206d0059cc04cdb49bff03b5d3658749b511257cc235b2944dc74b82a0b31a2f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23068" 
"*207fea03708f1ba8c8e61f30170d799495736726d1853d7d4150a5ffffa14013*",".{0,1000}207fea03708f1ba8c8e61f30170d799495736726d1853d7d4150a5ffffa14013.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23073" "*20878974725227ec21e88d6e91c9ed2615981faa9ab9ee9821268008fd0cb1c7*",".{0,1000}20878974725227ec21e88d6e91c9ed2615981faa9ab9ee9821268008fd0cb1c7.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23077" "*20a8ce365cfc6c0fd2dd88d2e68eaeaff42970f3e1ff34bb6ff8b6d6ebeaa58f*",".{0,1000}20a8ce365cfc6c0fd2dd88d2e68eaeaff42970f3e1ff34bb6ff8b6d6ebeaa58f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23081" "*20b1918318148e410159d729ffcc373932073e2a68e993cc4440fc7df214471d*",".{0,1000}20b1918318148e410159d729ffcc373932073e2a68e993cc4440fc7df214471d.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. 
privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","23082" "*20c52dac0196b6cad71bcb9f4796ca4db198465e5366345347f64acdcb5ede7a*",".{0,1000}20c52dac0196b6cad71bcb9f4796ca4db198465e5366345347f64acdcb5ede7a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23086" "*20c963d0749b58afccdb7d45ff36451015689bec1c035ee7bf809c7ee5b6b483*",".{0,1000}20c963d0749b58afccdb7d45ff36451015689bec1c035ee7bf809c7ee5b6b483.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","23087" "*20cd35745fdb39b8ced14a6351b96ddd0c5eb248b7fb5a4ef7a3b6a7ea9bdb9b*",".{0,1000}20cd35745fdb39b8ced14a6351b96ddd0c5eb248b7fb5a4ef7a3b6a7ea9bdb9b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC 
Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23089" "*20d323af78ca61c911fc9558d3621307e6a5beaaa635346bce8b5a6211c6a8f3*",".{0,1000}20d323af78ca61c911fc9558d3621307e6a5beaaa635346bce8b5a6211c6a8f3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23091" "*20d41f5fcfa4f3d61c533a9e21a019f0bca0bd8012a6528ccdf2621749a122ab*",".{0,1000}20d41f5fcfa4f3d61c533a9e21a019f0bca0bd8012a6528ccdf2621749a122ab.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23092" "*20d91064fbae6a009aa552a11389523f977c8bf49c1bfbd2ce5f7e33609beb08*",".{0,1000}20d91064fbae6a009aa552a11389523f977c8bf49c1bfbd2ce5f7e33609beb08.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23093" "*20e6ac956f7f2b27eff59e66b04765a87cfdc9c1b2e30c5411a4a93b070813af*",".{0,1000}20e6ac956f7f2b27eff59e66b04765a87cfdc9c1b2e30c5411a4a93b070813af.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23096" "*2104df5140488fec740f2f225439d14e11343dc6865f7220cb407d83b0089068*",".{0,1000}2104df5140488fec740f2f225439d14e11343dc6865f7220cb407d83b0089068.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23103" "*213021164bd91cb9caa8ea2ea283ff353349778d7e6e3c456a83224c11e55e3e*",".{0,1000}213021164bd91cb9caa8ea2ea283ff353349778d7e6e3c456a83224c11e55e3e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","23111" "*2133a91f7cc4d3d456727a8004db0268c2dc8cc373886124e89d8bd743a18843*",".{0,1000}2133a91f7cc4d3d456727a8004db0268c2dc8cc373886124e89d8bd743a18843.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23112" 
"*213ace4b0c02f038549af071ee3e0033da7e88cd8f809d257b4c9b2dc81b9f4d*",".{0,1000}213ace4b0c02f038549af071ee3e0033da7e88cd8f809d257b4c9b2dc81b9f4d.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","23114" "*21420350ef2f6884e9ef0d21c1ef82867f992e2b809b4ceb8292a8ab8dd02d3a*",".{0,1000}21420350ef2f6884e9ef0d21c1ef82867f992e2b809b4ceb8292a8ab8dd02d3a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23115" "*2145cc53cfb47b26f038302b3e3a9125da9bc728f365abb4ba59dc463ab4f579*",".{0,1000}2145cc53cfb47b26f038302b3e3a9125da9bc728f365abb4ba59dc463ab4f579.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23116" 
"*2146c1335034e53171750fd914adf88e77bb5d9b2a98c61632474a97ae5b016f*",".{0,1000}2146c1335034e53171750fd914adf88e77bb5d9b2a98c61632474a97ae5b016f.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","23118" "*214801dc012036d847beecbb5c2a03f64bfc50d601f79da86a4a783fc0323273*",".{0,1000}214801dc012036d847beecbb5c2a03f64bfc50d601f79da86a4a783fc0323273.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23119" "*214f97a55b8eb353dca363203a6616eed9a47d5f7faf21ff77664df8f9a4523d*",".{0,1000}214f97a55b8eb353dca363203a6616eed9a47d5f7faf21ff77664df8f9a4523d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23122" "*2155ea2c225272a6f78b2aa4547bb587c40b007586e73b41b31c59edba64f8fe*",".{0,1000}2155ea2c225272a6f78b2aa4547bb587c40b007586e73b41b31c59edba64f8fe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23126" "*2166a2076b45e113e1a90de8fe376491186847680eeea1f1c83a5743607ead26*",".{0,1000}2166a2076b45e113e1a90de8fe376491186847680eeea1f1c83a5743607ead26.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23134" "*216ed12522652f3e745cb0e8313bc1fe245de0ab6b8cb5846d385858d59ba6b2*",".{0,1000}216ed12522652f3e745cb0e8313bc1fe245de0ab6b8cb5846d385858d59ba6b2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23136" "*2183b543d0a5fa662cb4413e8ad030499e3852b8466142a7040cd7fe0f4ef2b8*",".{0,1000}2183b543d0a5fa662cb4413e8ad030499e3852b8466142a7040cd7fe0f4ef2b8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23138" "*21af6d82b768b2311a249442c6777766b23a8d2f237a1905bdcf5457dea65182*",".{0,1000}21af6d82b768b2311a249442c6777766b23a8d2f237a1905bdcf5457dea65182.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23144" "*21b32cdaf6e4c74a88a0b6c3c377a3d40a23f73c0313625fa63ba4a6542616fe*",".{0,1000}21b32cdaf6e4c74a88a0b6c3c377a3d40a23f73c0313625fa63ba4a6542616fe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23145" "*21d0ed799e2d277a941a92a68b69a1ad4cdfe058fbdc6cb6141fff2c81421c57*",".{0,1000}21d0ed799e2d277a941a92a68b69a1ad4cdfe058fbdc6cb6141fff2c81421c57.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23155" "*21d614435d3d6e1e26ed3a4654232d1c1350a846cff9f620dc9e76944fd516b3*",".{0,1000}21d614435d3d6e1e26ed3a4654232d1c1350a846cff9f620dc9e76944fd516b3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23156" "*21ea0b982bc934dbe8fd26234feee56d1093961de376f41dc82b59adf19c1505*",".{0,1000}21ea0b982bc934dbe8fd26234feee56d1093961de376f41dc82b59adf19c1505.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23160" "*21f3a4015365376e1ba970afadcdf7ac5a13ba78feea2ed22f18de63872f2daa*",".{0,1000}21f3a4015365376e1ba970afadcdf7ac5a13ba78feea2ed22f18de63872f2daa.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","23163" "*21fc8fb357996e9e95c04088f5fdc06cf2862bb7cb074e0f2919e9ed015ee884*",".{0,1000}21fc8fb357996e9e95c04088f5fdc06cf2862bb7cb074e0f2919e9ed015ee884.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23167" "*220583e20edd98369dbe929d215a387ceea937b0e0637f62558506b2a6c603a2*",".{0,1000}220583e20edd98369dbe929d215a387ceea937b0e0637f62558506b2a6c603a2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23176" "*221696c07ae07e3e5892f0538003c1ff036a5a1a89e6a2260fe435695214e3b0*",".{0,1000}221696c07ae07e3e5892f0538003c1ff036a5a1a89e6a2260fe435695214e3b0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23184" "*2222ef48b3f9102265ef7d27e496ad40a1bd1eaba8093bc5e696b48402c52441*",".{0,1000}2222ef48b3f9102265ef7d27e496ad40a1bd1eaba8093bc5e696b48402c52441.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23188" "*222472878481b038dba079d39e38666a6d49da0fce417645e9439f6385ffaba4*",".{0,1000}222472878481b038dba079d39e38666a6d49da0fce417645e9439f6385ffaba4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23189" "*222ba94a96c4cd53262600b7d14dce0a100e870e042836ce421fcf8b8b89e01a*",".{0,1000}222ba94a96c4cd53262600b7d14dce0a100e870e042836ce421fcf8b8b89e01a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23190" 
"*2236ee082c1c00e9423365db339a811a36869fcc4d3438e8c89982ccfe4917f4*",".{0,1000}2236ee082c1c00e9423365db339a811a36869fcc4d3438e8c89982ccfe4917f4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23196" "*223931256f38c5faffe9402892e379b47f9442189325dc35a8a58f83ac2d4d90*",".{0,1000}223931256f38c5faffe9402892e379b47f9442189325dc35a8a58f83ac2d4d90.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23199" "*22415883e18cde6e909ddcf683ded67fa419a726557f7124636f980e64b04576*",".{0,1000}22415883e18cde6e909ddcf683ded67fa419a726557f7124636f980e64b04576.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","23201" 
"*2249bab380b8772c79a3f47caf4f0538e11c8e10acdc13c5292033fc403b10e9*",".{0,1000}2249bab380b8772c79a3f47caf4f0538e11c8e10acdc13c5292033fc403b10e9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23204" "*224de67abbba2df8eb17aa567bb2b3be029ad21e4203692b6abb73628e75db02*",".{0,1000}224de67abbba2df8eb17aa567bb2b3be029ad21e4203692b6abb73628e75db02.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","23206" "*2261b96a6bd64788c498d0cd1e6a327f169a0092972dd3bbbb2ff2251ab78252*",".{0,1000}2261b96a6bd64788c498d0cd1e6a327f169a0092972dd3bbbb2ff2251ab78252.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - 
EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23211" "*2266628a8f1495e4ec904646ee77797367b359aaa3b3a1dd49449031bb5c7878*",".{0,1000}2266628a8f1495e4ec904646ee77797367b359aaa3b3a1dd49449031bb5c7878.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23212" "*2267fd0ff2e6387c44e736eccceba289a2b273fc3ccec5786af82415a1c9fa5b*",".{0,1000}2267fd0ff2e6387c44e736eccceba289a2b273fc3ccec5786af82415a1c9fa5b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23214" "*22725b8da1f7759e83424dbef84e89614767804a22e49feaba0013587f21208a*",".{0,1000}22725b8da1f7759e83424dbef84e89614767804a22e49feaba0013587f21208a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23215" "*229e1c2dcb1fcccacd2816c7a0e1ad43733f7a09cf76df4ecd53ccdafee8bdda*",".{0,1000}229e1c2dcb1fcccacd2816c7a0e1ad43733f7a09cf76df4ecd53ccdafee8bdda.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23227" "*22ad7d6222dbeb747db8b41dedb9c96ffe566e86e7cd4d5570ea010904d7b7c6*",".{0,1000}22ad7d6222dbeb747db8b41dedb9c96ffe566e86e7cd4d5570ea010904d7b7c6.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23231" "*22bc4b6ddd64fa969a6181db315429b46f528f88152d90ae4f27efc46791cad7*",".{0,1000}22bc4b6ddd64fa969a6181db315429b46f528f88152d90ae4f27efc46791cad7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23233" "*22c57d4a0ba5f22b33573aaa1d08f562375a9e33c7d4705fadadbb06450fff00*",".{0,1000}22c57d4a0ba5f22b33573aaa1d08f562375a9e33c7d4705fadadbb06450fff00.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23235" 
"*22c7719b9a9d0ba2a43e85623677983dc550957a9f1d855994eb33d2e4db913e*",".{0,1000}22c7719b9a9d0ba2a43e85623677983dc550957a9f1d855994eb33d2e4db913e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23237" "*22cc11da0c91690bdea21d873ea341d8d31f44ba32602a2e3c40809b334cdf19*",".{0,1000}22cc11da0c91690bdea21d873ea341d8d31f44ba32602a2e3c40809b334cdf19.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23239" "*22cf3e75a11ac9d8b492e3c97ed730957372cca18f8d5e57f40d6357de006b35*",".{0,1000}22cf3e75a11ac9d8b492e3c97ed730957372cca18f8d5e57f40d6357de006b35.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23240" "*22dec13f1013b2da0ec52eefe16d35ab027a29ea82c596154714c331ef01453f*",".{0,1000}22dec13f1013b2da0ec52eefe16d35ab027a29ea82c596154714c331ef01453f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23242" "*22df14e317c351bda4bfaf256c46b6ec281304135ea24c00bb2a71a5e14d4f22*",".{0,1000}22df14e317c351bda4bfaf256c46b6ec281304135ea24c00bb2a71a5e14d4f22.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23244" "*22eb2e3f446e71d111afbe7e10ec82d0c729545e7823d9ca860f3a65754cc200*",".{0,1000}22eb2e3f446e71d111afbe7e10ec82d0c729545e7823d9ca860f3a65754cc200.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23245" "*2330295df8b6f96d0a7e962c7b4779f9e5b52bd9b99b289aa1395aaf96e8ae5a*",".{0,1000}2330295df8b6f96d0a7e962c7b4779f9e5b52bd9b99b289aa1395aaf96e8ae5a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23266" "*2330aca22b29fd0298adffe2e57f8eeea5837f09abdcbf11b58c128249d2f89f*",".{0,1000}2330aca22b29fd0298adffe2e57f8eeea5837f09abdcbf11b58c128249d2f89f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23267" "*233717710c3ac45906e2cbd110a167d7779bd6697a508013c5b6559bbce97815*",".{0,1000}233717710c3ac45906e2cbd110a167d7779bd6697a508013c5b6559bbce97815.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","23268" "*235175349388872210b0d1d5e178bd94a850f5180d63e5c7ccd59101616da5d5*",".{0,1000}235175349388872210b0d1d5e178bd94a850f5180d63e5c7ccd59101616da5d5.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","23276" 
"*2353b409ea98230f05e0d26815ad1517fd49b5996d009612fe691f9ace020400*",".{0,1000}2353b409ea98230f05e0d26815ad1517fd49b5996d009612fe691f9ace020400.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23277" "*23588b81078e4ce796050b5eb3f87e37be16233d45ca17e222be509445127a3f*",".{0,1000}23588b81078e4ce796050b5eb3f87e37be16233d45ca17e222be509445127a3f.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","23278" "*23705712274935b9b223412bf731ecd672dcc8b5d0c11a39372aacedaa6a66a4*",".{0,1000}23705712274935b9b223412bf731ecd672dcc8b5d0c11a39372aacedaa6a66a4.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23281" "*2376c3f4134f56449a4ef506be95da5ced01ec152ad558840c47e87ec160235c*",".{0,1000}2376c3f4134f56449a4ef506be95da5ced01ec152ad558840c47e87ec160235c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23282" "*2379c3dc7bf783334051c06aec97ffb50007c9d17572aae45500f07c764ab99a*",".{0,1000}2379c3dc7bf783334051c06aec97ffb50007c9d17572aae45500f07c764ab99a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23284" "*239f075f17c926b724d3128ce8368fa8bb7671ff89524e445312ce115c8f727b*",".{0,1000}239f075f17c926b724d3128ce8368fa8bb7671ff89524e445312ce115c8f727b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23294" "*23bafd6bf4ac0e631b37bcdc68827f4b36f06c3dcf0bd754f5d0f9acb4606a3b*",".{0,1000}23bafd6bf4ac0e631b37bcdc68827f4b36f06c3dcf0bd754f5d0f9acb4606a3b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23300" "*23c1ff369e0adee0fa061ef44e5c75ff137e859ccba280354283016faa469e3f*",".{0,1000}23c1ff369e0adee0fa061ef44e5c75ff137e859ccba280354283016faa469e3f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23305" "*23c553049bbad7d777cd3b3d6065efa2edc2be13fd5eb1af15b43b6bfaf70bac*",".{0,1000}23c553049bbad7d777cd3b3d6065efa2edc2be13fd5eb1af15b43b6bfaf70bac.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23306" "*23ce78bdc640ea91a0a6c48688a41bfad3c3b62f85ecdd83cab3680c66b16853*",".{0,1000}23ce78bdc640ea91a0a6c48688a41bfad3c3b62f85ecdd83cab3680c66b16853.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23308" "*23d1a218ea1aa584c37006037a152e7d51ddb7e4328cba41eddf9ce40240b5de*",".{0,1000}23d1a218ea1aa584c37006037a152e7d51ddb7e4328cba41eddf9ce40240b5de.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit 
tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","23309" "*23d61c88520628dc2ab58b25e556df92640327ca4f946cd8ea30eb813897d107*",".{0,1000}23d61c88520628dc2ab58b25e556df92640327ca4f946cd8ea30eb813897d107.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","23310" "*23d83edaf39639ad843dc07a853215fae94265e590e6242951df5e6441dac3c4*",".{0,1000}23d83edaf39639ad843dc07a853215fae94265e590e6242951df5e6441dac3c4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23311" "*23e12a93521ba83f5a5d238030dec3cc47788a47e252eb06335b613695fe9d34*",".{0,1000}23e12a93521ba83f5a5d238030dec3cc47788a47e252eb06335b613695fe9d34.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23314" "*23e8d0a95d5769ea14e4fd5eac6b5c111ce538e61b18492c21482afd015170eb*",".{0,1000}23e8d0a95d5769ea14e4fd5eac6b5c111ce538e61b18492c21482afd015170eb.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to 
the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","23317" "*23fe91b0f562494d22d23a02a05f35847520170930ceb92cffa6783229b46d78*",".{0,1000}23fe91b0f562494d22d23a02a05f35847520170930ceb92cffa6783229b46d78.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","0","#filehash","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","23324" "*23fefd6e0803cb90fd71ab9011715c20916a5cddea1b07baac74a92e64106313*",".{0,1000}23fefd6e0803cb90fd71ab9011715c20916a5cddea1b07baac74a92e64106313.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23325" "*24125fd40e20be4c607e7ff58bdce302473460f5d31cba9172cdff2946878d1f*",".{0,1000}24125fd40e20be4c607e7ff58bdce302473460f5d31cba9172cdff2946878d1f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23328" "*242194dbbdaca6aa7382e0b9f9677a2e7966bc6db8934119aa096e38a9fbf86d*",".{0,1000}242194dbbdaca6aa7382e0b9f9677a2e7966bc6db8934119aa096e38a9fbf86d.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","0","#filehash","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","23332" 
"*24328a6907e7d2783be6817bdd1c2ca6c14aa1cb556caff0e193af56e799ff1a*",".{0,1000}24328a6907e7d2783be6817bdd1c2ca6c14aa1cb556caff0e193af56e799ff1a.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","23336" "*24351cf8346262f0dcb4bab290b55ee65de503921906f13dfd106ef259d5fb7f*",".{0,1000}24351cf8346262f0dcb4bab290b55ee65de503921906f13dfd106ef259d5fb7f.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23337" "*24395170dfc41544eceeb78529c8de5b57b65250c27a02e058cd013e6f66097f*",".{0,1000}24395170dfc41544eceeb78529c8de5b57b65250c27a02e058cd013e6f66097f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23340" "*244b58636bb8104b7b48fbb09402827ad91fd9424a1cb9dc15f8ca353718906d*",".{0,1000}244b58636bb8104b7b48fbb09402827ad91fd9424a1cb9dc15f8ca353718906d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23343" 
"*2467af3d886f3bd9838846f40134537336671a7ff34370145b233a3f9f265beb*",".{0,1000}2467af3d886f3bd9838846f40134537336671a7ff34370145b233a3f9f265beb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23345" "*247a566f09408932d929191a08f7ab02efa583f92834823336ac9983c727026a*",".{0,1000}247a566f09408932d929191a08f7ab02efa583f92834823336ac9983c727026a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23350" "*2496e4de6363347e5d36ee031c9d307d5f6e2533a20fb0d49d76cc4a2980e3b3*",".{0,1000}2496e4de6363347e5d36ee031c9d307d5f6e2533a20fb0d49d76cc4a2980e3b3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23355" "*24a8be4d92df01761061085589d4b912140dc5140861a33bc7addc00042de754*",".{0,1000}24a8be4d92df01761061085589d4b912140dc5140861a33bc7addc00042de754.{0,1000}","greyware_tool_keyword","ipscan","Angry IP 
Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23356" "*24affae5bf7188361d794c1a44445d719c3b7a511d69ba1e29f6cf7c97850030*",".{0,1000}24affae5bf7188361d794c1a44445d719c3b7a511d69ba1e29f6cf7c97850030.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23360" "*24bde49e5cce1189783eb0ba3c93b48c8f7d994328dacaa4fa2b9a7e2d04ce8c*",".{0,1000}24bde49e5cce1189783eb0ba3c93b48c8f7d994328dacaa4fa2b9a7e2d04ce8c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23366" "*24c4dba637f3db20f8975eb696064b95f1f2689aab8b7849b51d2544e3b81c5c*",".{0,1000}24c4dba637f3db20f8975eb696064b95f1f2689aab8b7849b51d2544e3b81c5c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - 
T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23368" "*24c7ca3fe6905b3a493a67237ff081ba9e11abfb27dcb73f18d0a4595926c35d*",".{0,1000}24c7ca3fe6905b3a493a67237ff081ba9e11abfb27dcb73f18d0a4595926c35d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23370" "*24cde0c118655d52ebccd55ad7656a24fc346b6a05d3914ab116235b5726ca5f*",".{0,1000}24cde0c118655d52ebccd55ad7656a24fc346b6a05d3914ab116235b5726ca5f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23371" "*24d85b5700f05d7b638d294c87e8b8809df80f0611c63ee818f60ed487f1b4bc*",".{0,1000}24d85b5700f05d7b638d294c87e8b8809df80f0611c63ee818f60ed487f1b4bc.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line 
Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","23374" "*24edac89937dfd5f8c945fe93d491505868d26280d2c70f8c071279b12174123*",".{0,1000}24edac89937dfd5f8c945fe93d491505868d26280d2c70f8c071279b12174123.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23378" "*24f8d15c5c09600a2138153f68eebed5831b31d90ae785bf4d25c6129afe2be5*",".{0,1000}24f8d15c5c09600a2138153f68eebed5831b31d90ae785bf4d25c6129afe2be5.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23382" "*24fccce2e9c6684480bfd8ac0e9ea3e36d4203922fa5a39ae9f63bc0542f68f5*",".{0,1000}24fccce2e9c6684480bfd8ac0e9ea3e36d4203922fa5a39ae9f63bc0542f68f5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you 
expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23383" "*2501494de128471883b5cab25a9ae6a292c118d0fee725dd853d8c1335411781*",".{0,1000}2501494de128471883b5cab25a9ae6a292c118d0fee725dd853d8c1335411781.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23386" "*25191b226ad7ef139f81890c531b0c606c5645bbca6f149b3679b06c73e6cddc*",".{0,1000}25191b226ad7ef139f81890c531b0c606c5645bbca6f149b3679b06c73e6cddc.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","#filehash","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","23394" "*2523d17e9fc1b815001f2e7ea951dd3454a78bab0b12cea6a82294b9d93cd95c*",".{0,1000}2523d17e9fc1b815001f2e7ea951dd3454a78bab0b12cea6a82294b9d93cd95c.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","23396" "*252ac98bb095787764fb981b61eb453c13717e7b2fc1e6275fdfacdc9ff1cbf2*",".{0,1000}252ac98bb095787764fb981b61eb453c13717e7b2fc1e6275fdfacdc9ff1cbf2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23397" "*2534aa9e6f59df7e78600419268278175681c673a6471e0f4c0b046302b30146*",".{0,1000}2534aa9e6f59df7e78600419268278175681c673a6471e0f4c0b046302b30146.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","23399" "*2534aa9e6f59df7e78600419268278175681c673a6471e0f4c0b046302b30146*",".{0,1000}2534aa9e6f59df7e78600419268278175681c673a6471e0f4c0b046302b30146.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","23400" "*2536aad7d213c553a2aa3b6c6d3402bb9adf2c7624bf004a14a19751b24ce80e*",".{0,1000}2536aad7d213c553a2aa3b6c6d3402bb9adf2c7624bf004a14a19751b24ce80e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23401" "*25431755a121c12dab3c28fec18eaef027a73aa5e9780b33f6801e152e42ab36*",".{0,1000}25431755a121c12dab3c28fec18eaef027a73aa5e9780b33f6801e152e42ab36.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23404" "*2547c89d62cac68c8dd271cf1d2e41b1d20a9ade7e25586a28a282444724a249*",".{0,1000}2547c89d62cac68c8dd271cf1d2e41b1d20a9ade7e25586a28a282444724a249.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23409" 
"*254cc9b46f64f1ae8150c65632ce0e749dd894b20db9d39313e8030477152add*",".{0,1000}254cc9b46f64f1ae8150c65632ce0e749dd894b20db9d39313e8030477152add.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23410" "*254d1221d682772e110fac89f96958aa8c8fe830474a672b84048ce1339f8620*",".{0,1000}254d1221d682772e110fac89f96958aa8c8fe830474a672b84048ce1339f8620.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23412" "*256ade9e6d03ca6e485f0932c122dbd226762d2c29c07414d0dc1dcac2a4eb0b*",".{0,1000}256ade9e6d03ca6e485f0932c122dbd226762d2c29c07414d0dc1dcac2a4eb0b.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","23421" "*2574d320cc107047490a5e3432c84c4de4b0d9da70f6d4aaa48a80a40b99bc99*",".{0,1000}2574d320cc107047490a5e3432c84c4de4b0d9da70f6d4aaa48a80a40b99bc99.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23424" "*257ba9e0bb8890194c9e8fc0c606ca928ee75ac9ac0adfc4d53b4489038a5bb5*",".{0,1000}257ba9e0bb8890194c9e8fc0c606ca928ee75ac9ac0adfc4d53b4489038a5bb5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23427" "*258b3c1b649e03f58d2c099031014ab8bbef7e3af7bc63cdf3d20d0085025a6d*",".{0,1000}258b3c1b649e03f58d2c099031014ab8bbef7e3af7bc63cdf3d20d0085025a6d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23433"
"*25b3e1f0526fc55142fc27fb7c6c8cc37020edd621768c086938d24dbee2f97f*",".{0,1000}25b3e1f0526fc55142fc27fb7c6c8cc37020edd621768c086938d24dbee2f97f.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","23440" "*25b3e1f0526fc55142fc27fb7c6c8cc37020edd621768c086938d24dbee2f97f*",".{0,1000}25b3e1f0526fc55142fc27fb7c6c8cc37020edd621768c086938d24dbee2f97f.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","23441" "*25ce0fa078c6603a909bb391c1cb4eb891554b29ad275beea47042962576f4ff*",".{0,1000}25ce0fa078c6603a909bb391c1cb4eb891554b29ad275beea47042962576f4ff.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23443" "*25da7fc5c9269b3897f27b0d946919df595c6dda1b127085fda0fe32aa59d29d*",".{0,1000}25da7fc5c9269b3897f27b0d946919df595c6dda1b127085fda0fe32aa59d29d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23449" "*25dec6e071fbf271817fa34a76abe61e41e2cb27cc52f25d78488340ccedd190*",".{0,1000}25dec6e071fbf271817fa34a76abe61e41e2cb27cc52f25d78488340ccedd190.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23451" "*25e40f43e35ae0bcff2feea99ec311ab0f1dfa84bb311972dca123f1be073c2b*",".{0,1000}25e40f43e35ae0bcff2feea99ec311ab0f1dfa84bb311972dca123f1be073c2b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23452" "*25e850edd1cb8707c9a18a0fcc610b831cce25203dff650ec7e781175d900df3*",".{0,1000}25e850edd1cb8707c9a18a0fcc610b831cce25203dff650ec7e781175d900df3.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources.
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#filehash","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","23454" "*2601f8004cb6dda784d4f70fdf9c00d65172640199599416ae266c2977095c2c*",".{0,1000}2601f8004cb6dda784d4f70fdf9c00d65172640199599416ae266c2977095c2c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23456" "*26052ec687ec20c6de1e140266b194cc316b4ad5eef808e432a5f18988af2819*",".{0,1000}26052ec687ec20c6de1e140266b194cc316b4ad5eef808e432a5f18988af2819.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23458" "*260e25a0cbe80d9ff05a9b1383bd0ac4f0d0fe0585c744ef1dc6c0e2dea45e06*",".{0,1000}260e25a0cbe80d9ff05a9b1383bd0ac4f0d0fe0585c744ef1dc6c0e2dea45e06.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 -
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23461" "*261755fa0c132c7719c4c5176bb2b5308a0176dc716fea898d3c63d60a21c521*",".{0,1000}261755fa0c132c7719c4c5176bb2b5308a0176dc716fea898d3c63d60a21c521.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","23463" "*261dc25293f04e40a09a24fd1e039041aea5e27afa7ddb234db3882b74b396ca*",".{0,1000}261dc25293f04e40a09a24fd1e039041aea5e27afa7ddb234db3882b74b396ca.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23466" "*262a3f517a064466994ff41b9fa24f03b5df660adf9a4ff53ad34fd071bd85a9*",".{0,1000}262a3f517a064466994ff41b9fa24f03b5df660adf9a4ff53ad34fd071bd85a9.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23471" "*2654a13a86c8ac23149c8a173eed10965036445c50d53515d67a634b43e4ab87*",".{0,1000}2654a13a86c8ac23149c8a173eed10965036445c50d53515d67a634b43e4ab87.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","23476" "*2655b585e686b5d6c36d1be640d873fa15a53a86c46e2ceb5fb00eb562c428bb*",".{0,1000}2655b585e686b5d6c36d1be640d873fa15a53a86c46e2ceb5fb00eb562c428bb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23477" "*265b1f417eafc654b5e789ce044de99635c542f2490708835b95669ed4fa79b1*",".{0,1000}265b1f417eafc654b5e789ce044de99635c542f2490708835b95669ed4fa79b1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23479" "*26600cf2666c1482269a4844910e9af915894981dedd319dfa47e7f3240dba7e*",".{0,1000}26600cf2666c1482269a4844910e9af915894981dedd319dfa47e7f3240dba7e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23480" "*2664814fc6bac015389cad412970cb6617f38a653f30585060c158f4d7963527*",".{0,1000}2664814fc6bac015389cad412970cb6617f38a653f30585060c158f4d7963527.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","23482" "*2677ada64618dc9d5ac8f15ee9b377009c34376e72c3f460ada6db202821fbef*",".{0,1000}2677ada64618dc9d5ac8f15ee9b377009c34376e72c3f460ada6db202821fbef.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23490" "*2680466b47990133f0b027e2aabb9febf182dccc7d9ee4b8d3bd2c269d90b846*",".{0,1000}2680466b47990133f0b027e2aabb9febf182dccc7d9ee4b8d3bd2c269d90b846.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23494" "*2680ff90db43500e97f1ed688ed181cdbc68a46cbaa5dba1b89425463a3a799e*",".{0,1000}2680ff90db43500e97f1ed688ed181cdbc68a46cbaa5dba1b89425463a3a799e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum 
- Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23495" "*26850257bff3d64408313c3f6750f9d3880a3729568bd78a40b1d75ca3d4cea1*",".{0,1000}26850257bff3d64408313c3f6750f9d3880a3729568bd78a40b1d75ca3d4cea1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23496" "*2699a142ddf7b9f8c30c65c37f4511f6dfb7a8114eab3d4ef026f04a3944fac1*",".{0,1000}2699a142ddf7b9f8c30c65c37f4511f6dfb7a8114eab3d4ef026f04a3944fac1.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23501" "*26acab3487be8980460ef86f0fdc7a446cfdadab02a5a0b27dc760ecce15ffc2*",".{0,1000}26acab3487be8980460ef86f0fdc7a446cfdadab02a5a0b27dc760ecce15ffc2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23508" "*26c05dc5ac0adf3089e93cbd32107eec6bad9393ade5fb2eca16c45dfb9e470a*",".{0,1000}26c05dc5ac0adf3089e93cbd32107eec6bad9393ade5fb2eca16c45dfb9e470a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23512" "*26c48aa4fa4458ad29d0de364904e24be40424d4f6c37005c2c2d9c6e41e2b06*",".{0,1000}26c48aa4fa4458ad29d0de364904e24be40424d4f6c37005c2c2d9c6e41e2b06.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23513" "*26c4c55363fc2a15122a97384a44c73fedf14b832721a0b4a86dc361468e7547*",".{0,1000}26c4c55363fc2a15122a97384a44c73fedf14b832721a0b4a86dc361468e7547.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23514" "*26c7897855af56fb122a0aee9b6854033db315c3235d559ff06e8071acdfc415*",".{0,1000}26c7897855af56fb122a0aee9b6854033db315c3235d559ff06e8071acdfc415.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian 
- Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23516" "*26cadd85587b74a8eaa26e6eae7724b60fc49b5ec448c41648168748404c4d13*",".{0,1000}26cadd85587b74a8eaa26e6eae7724b60fc49b5ec448c41648168748404c4d13.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23517" "*26d3bc4ed714c268ba2fc84034d54cbeabc230ab2e498e119a2243cefd9a93f3*",".{0,1000}26d3bc4ed714c268ba2fc84034d54cbeabc230ab2e498e119a2243cefd9a93f3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23519" "*26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b*",".{0,1000}26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","23520" "*26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b*",".{0,1000}26d5748ffe6bd95e3fee6ce184d388a1a681006dc23a0f08d53c083c593c193b.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","23521" "*26e454248321c9543371ce81407a9eba31ebe35c58667daaa588965cdee501fe*",".{0,1000}26e454248321c9543371ce81407a9eba31ebe35c58667daaa588965cdee501fe.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","23527" 
"*26eb992318437fad2d122ef76cfb3086f1339201486a1cdec910fe1a457ac383*",".{0,1000}26eb992318437fad2d122ef76cfb3086f1339201486a1cdec910fe1a457ac383.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23531" "*272873c13925ec870472484b99455d3e9dcbf82481b714a9fc05a7c1933137f2*",".{0,1000}272873c13925ec870472484b99455d3e9dcbf82481b714a9fc05a7c1933137f2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23544" "*272c46ee6c8dc5d08397a2d602e398ca5465bce04df1571fc53ee993ea58d95f*",".{0,1000}272c46ee6c8dc5d08397a2d602e398ca5465bce04df1571fc53ee993ea58d95f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23545" "*2731974930b30b2fce237f48911486b45dbd2d896d9ab3347051b0022a8bd424*",".{0,1000}2731974930b30b2fce237f48911486b45dbd2d896d9ab3347051b0022a8bd424.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#filehash","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","23547" 
"*273bae67f00d98e35f0ae1680307a5daf0bc4c1e3cb489ff2b7a46d54e2f53a3*",".{0,1000}273bae67f00d98e35f0ae1680307a5daf0bc4c1e3cb489ff2b7a46d54e2f53a3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23549" "*275b254a20dfda754d6aba28d335a392df74150d6945d2da20a7c5718dc2c001*",".{0,1000}275b254a20dfda754d6aba28d335a392df74150d6945d2da20a7c5718dc2c001.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23558" "*275c6b94849c1dc71f0cc30458339dbef40425657a28cda057074dc5d9105823*",".{0,1000}275c6b94849c1dc71f0cc30458339dbef40425657a28cda057074dc5d9105823.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest 
- EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23559" "*275de3390b20723991268204fb3f70b0ec76dba29f809ac0152588cecc22e87f*",".{0,1000}275de3390b20723991268204fb3f70b0ec76dba29f809ac0152588cecc22e87f.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","#filehash","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","23560" "*276d3ecc4dcbd180a4ee953cd9721ced7ecf1309d332b05bf3d0f02bfb73bfee*",".{0,1000}276d3ecc4dcbd180a4ee953cd9721ced7ecf1309d332b05bf3d0f02bfb73bfee.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","23563" "*277f4ea11b12862715088dec3890ed9b54190d7f7f6614652ab87daeff4c4cd7*",".{0,1000}277f4ea11b12862715088dec3890ed9b54190d7f7f6614652ab87daeff4c4cd7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23569" 
"*2782da062a67ebf7e34e50c839dead0be150295484d4e408e06e8498f1d5c818*",".{0,1000}2782da062a67ebf7e34e50c839dead0be150295484d4e408e06e8498f1d5c818.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23570" "*27ab19246f4b8686e96698d8412174e75ad957781e0c6b6ffb49680d26b440f3*",".{0,1000}27ab19246f4b8686e96698d8412174e75ad957781e0c6b6ffb49680d26b440f3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23576" "*27ba0db8c304b4135bc1398f90e5c975ba4f62aeb148e544a4c1a563dce5ef0b*",".{0,1000}27ba0db8c304b4135bc1398f90e5c975ba4f62aeb148e544a4c1a563dce5ef0b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23579" "*27c034a6397d29d882e8d6339d6dab65abda6c28a5f1b43babc05bd67f5cb8d6*",".{0,1000}27c034a6397d29d882e8d6339d6dab65abda6c28a5f1b43babc05bd67f5cb8d6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23580" "*27d7590cf6e7386f9df2777e5f2b1e3473fe990182b2ad8bf31a33b0f5436be4*",".{0,1000}27d7590cf6e7386f9df2777e5f2b1e3473fe990182b2ad8bf31a33b0f5436be4.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","23585" 
"*27d9a04aeaab3a37b0de7e3976fd928695c3e2488e7b6b8be5d95e8fa1dd8f4a*",".{0,1000}27d9a04aeaab3a37b0de7e3976fd928695c3e2488e7b6b8be5d95e8fa1dd8f4a.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23586" "*27e14febe4ff06aa6a51e01d239d2d4e3af88407d59ffd8feffe54247309b50a*",".{0,1000}27e14febe4ff06aa6a51e01d239d2d4e3af88407d59ffd8feffe54247309b50a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23588" "*27e5b4ad48de612df3a28a8ca9d0b4015b6d24e959056d66367ec53246899e44*",".{0,1000}27e5b4ad48de612df3a28a8ca9d0b4015b6d24e959056d66367ec53246899e44.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23590" "*27f2630140201c66ce90182677f6fd305a33baa304034fd47e5f4b78ea66123f*",".{0,1000}27f2630140201c66ce90182677f6fd305a33baa304034fd47e5f4b78ea66123f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona 
- Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23594" "*27f59f2bcc5b8938d0c3d2d080e15ee67ce8c9a44147b52da52d1183afdd8ce7*",".{0,1000}27f59f2bcc5b8938d0c3d2d080e15ee67ce8c9a44147b52da52d1183afdd8ce7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23596" "*27f98f852adcf7b03f7a0802cd61d3a6410adf16946bc406c3ac8d586cfec7cb*",".{0,1000}27f98f852adcf7b03f7a0802cd61d3a6410adf16946bc406c3ac8d586cfec7cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23599" 
"*2809d84eb3f9bbc8bb73596d8826e112ebb455aa6228ff0eeff28dc6264ef6e6*",".{0,1000}2809d84eb3f9bbc8bb73596d8826e112ebb455aa6228ff0eeff28dc6264ef6e6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23602" "*281629712ccd9fdb0fceff799ddf2dd64e5eb154ef52d9ef145fc4a765800374*",".{0,1000}281629712ccd9fdb0fceff799ddf2dd64e5eb154ef52d9ef145fc4a765800374.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23604" "*284fb65de7d9c928ca978cebd863136e79c618d65b357d3da9faeed6008783cb*",".{0,1000}284fb65de7d9c928ca978cebd863136e79c618d65b357d3da9faeed6008783cb.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23613" 
"*286a7037bf3d357e80c5535e726e89cc6d157f449762228c6bbf79410eb9431b*",".{0,1000}286a7037bf3d357e80c5535e726e89cc6d157f449762228c6bbf79410eb9431b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23621" "*286cf8ac789b4752825dd6098cae26394b8803b99cd2d4cdb2153d9ef73f49c4*",".{0,1000}286cf8ac789b4752825dd6098cae26394b8803b99cd2d4cdb2153d9ef73f49c4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23624" "*2874343d4ca8de15f5a994dbf330d7497cc6798e5685db1d3c4a64ed160dffd2*",".{0,1000}2874343d4ca8de15f5a994dbf330d7497cc6798e5685db1d3c4a64ed160dffd2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23626" "*287f321328930e9fcb910c216b530c9e6fc1badefa4797779369b455f16f32a6*",".{0,1000}287f321328930e9fcb910c216b530c9e6fc1badefa4797779369b455f16f32a6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23628" "*288bac8790bd8f10894a70733ed78bb7afc098d55b41fe6dc4e044f80ef5612e*",".{0,1000}288bac8790bd8f10894a70733ed78bb7afc098d55b41fe6dc4e044f80ef5612e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23633" "*28931b61113c322159a068082c977b510f424f6f01467221c36a7be1f77684f7*",".{0,1000}28931b61113c322159a068082c977b510f424f6f01467221c36a7be1f77684f7.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","23634" "*28b4073db264ae8edbbc66194419ba03950a22c63c88555978a6d4747245c9e8*",".{0,1000}28b4073db264ae8edbbc66194419ba03950a22c63c88555978a6d4747245c9e8.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23639" "*28b8907df12cb866c627f7dd3a692326e073384ceb5e99328007941026bb73b8*",".{0,1000}28b8907df12cb866c627f7dd3a692326e073384ceb5e99328007941026bb73b8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot 
of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23641" "*28db376098fd00a050c065ffbbfc5e4d878cea412ce4b3dbc3c45c5c96dfee4f*",".{0,1000}28db376098fd00a050c065ffbbfc5e4d878cea412ce4b3dbc3c45c5c96dfee4f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23650" "*28f49a724fc8017ef9255fc720eaf31a58d77acd8f86466ab185c833294cc7bf*",".{0,1000}28f49a724fc8017ef9255fc720eaf31a58d77acd8f86466ab185c833294cc7bf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23656" "*290747f485b0a88e1d2b5d97eefcb63625b068724b0b76204be7223321ffae2d*",".{0,1000}290747f485b0a88e1d2b5d97eefcb63625b068724b0b76204be7223321ffae2d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23662" "*291fa7918aa575802ced2fb77e45f33a3cf7fc4b5c27c4ac31a68b2506c50a30*",".{0,1000}291fa7918aa575802ced2fb77e45f33a3cf7fc4b5c27c4ac31a68b2506c50a30.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23671" "*2925973758d3d69cd2a8d4e6b504b367d4d664faecf422e49e614622d7cdb7d5*",".{0,1000}2925973758d3d69cd2a8d4e6b504b367d4d664faecf422e49e614622d7cdb7d5.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","23673" "*2936b4e711e8becd5535dcab878af7c30479f81e16292b6e044b0f0b8cd945b6*",".{0,1000}2936b4e711e8becd5535dcab878af7c30479f81e16292b6e044b0f0b8cd945b6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23677" "*2939e97fe8966ded6f0f9962071dde0c2116972dbfdfb778a18b8879ff944df8*",".{0,1000}2939e97fe8966ded6f0f9962071dde0c2116972dbfdfb778a18b8879ff944df8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23679" "*29548EB7-5E44-21F9-5C82-15DDDC80449A*",".{0,1000}29548EB7\-5E44\-21F9\-5C82\-15DDDC80449A.{0,1000}","greyware_tool_keyword","RemCom","Remote Command 
Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","#GUIDproject","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","23687" "*297ce47c277bcb97df904493b594d6a6e2ddf8c304d572214b53089f0eb55d42*",".{0,1000}297ce47c277bcb97df904493b594d6a6e2ddf8c304d572214b53089f0eb55d42.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23695" "*298f130b43988ad5a32abb7b59c45387adfc221ce675f98e367caa917dd5c1ff*",".{0,1000}298f130b43988ad5a32abb7b59c45387adfc221ce675f98e367caa917dd5c1ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23699" "*29b4b4f15c9b4d74a44576c80e5cbc3cc4644bf55a7c2ba29c73b3d9e4f24356*",".{0,1000}29b4b4f15c9b4d74a44576c80e5cbc3cc4644bf55a7c2ba29c73b3d9e4f24356.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23709" "*29b98f2475d297bbf04c80cf85182968b061aba8f326074c5d20af735eb9475d*",".{0,1000}29b98f2475d297bbf04c80cf85182968b061aba8f326074c5d20af735eb9475d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23712" "*29bc472e151a34cdc5dc5229a27ad5377d091df53500e7ad0022d663a4b9d3a7*",".{0,1000}29bc472e151a34cdc5dc5229a27ad5377d091df53500e7ad0022d663a4b9d3a7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23713" "*29cacc6ed6f7bfe7412947ead514e4081c7a71bb22e4c959a9c233cec9e54a27*",".{0,1000}29cacc6ed6f7bfe7412947ead514e4081c7a71bb22e4c959a9c233cec9e54a27.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER 
BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","23716" "*29d8abba60342eb0cdac692d050c95feab0aa980a2c8779fa4584f97b8196f26*",".{0,1000}29d8abba60342eb0cdac692d050c95feab0aa980a2c8779fa4584f97b8196f26.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23721" "*29d9ce86776a65e5b326487953fe5aa52510855524f9795c9c2034915620019c*",".{0,1000}29d9ce86776a65e5b326487953fe5aa52510855524f9795c9c2034915620019c.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","23722" "*29E4E73B-EBA6-495B-A76C-FBB462196C64*",".{0,1000}29E4E73B\-EBA6\-495B\-A76C\-FBB462196C64.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#GUIDproject","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","23725" "*2a04a254f60255c10998f74be9d320740df82525a7d16d8ceebab57627137b44*",".{0,1000}2a04a254f60255c10998f74be9d320740df82525a7d16d8ceebab57627137b44.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23727" "*2a0542f8d159539b07faeb5849be99d1c62e1c16d236178fdc13eb2ebb7b262e*",".{0,1000}2a0542f8d159539b07faeb5849be99d1c62e1c16d236178fdc13eb2ebb7b262e.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23728" "*2a17ed79b4a0cb9d1c6345ee3f0d1c6d349a660391345c17e78ceb57a26a32fe*",".{0,1000}2a17ed79b4a0cb9d1c6345ee3f0d1c6d349a660391345c17e78ceb57a26a32fe.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","23733" "*2a349ec0870eaf921a1925be43539fb43de54a468bf0450965ce2170e8bc8afb*",".{0,1000}2a349ec0870eaf921a1925be43539fb43de54a468bf0450965ce2170e8bc8afb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23738" "*2a447f956591e96269715dd5e27ec36cb1cabe61d45de5ee590b43adae67ce5f*",".{0,1000}2a447f956591e96269715dd5e27ec36cb1cabe61d45de5ee590b43adae67ce5f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23741" "*2a62cd957adb970baa5fd244856516952c33194ae336a49f9b6727561cc48928*",".{0,1000}2a62cd957adb970baa5fd244856516952c33194ae336a49f9b6727561cc48928.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23744" "*2a782979f8065e162c99cbba25bd80ace68c743192703e7b2d4cc6ca0acf5625*",".{0,1000}2a782979f8065e162c99cbba25bd80ace68c743192703e7b2d4cc6ca0acf5625.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23748" 
"*2a7896d5bad2028fec904ac21e4355e0446ad5c9036bd1c3b8b2e93e0646bd6e*",".{0,1000}2a7896d5bad2028fec904ac21e4355e0446ad5c9036bd1c3b8b2e93e0646bd6e.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23749" "*2a7a2455eaa1b1bf0ae58b1edd93acc514b4f985ec57c681e85d7490e50402f9*",".{0,1000}2a7a2455eaa1b1bf0ae58b1edd93acc514b4f985ec57c681e85d7490e50402f9.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23751" "*2ab7b66c09391d9d76bd7a4818e85fb3818a10a46c91a804b982d7d4c9fddce3*",".{0,1000}2ab7b66c09391d9d76bd7a4818e85fb3818a10a46c91a804b982d7d4c9fddce3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23762" "*2abf5f64cce68069617766e7d6c105b71215fc936574e31c13a8aa116c14ac4e*",".{0,1000}2abf5f64cce68069617766e7d6c105b71215fc936574e31c13a8aa116c14ac4e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23763" 
"*2ac10f7ff25fac8a1d34f54b0b87bf14de6ae482dc2691fd273702971dd61704*",".{0,1000}2ac10f7ff25fac8a1d34f54b0b87bf14de6ae482dc2691fd273702971dd61704.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23764" "*2ac214f54f3286db611d416155cb40569f6932fdb45a1e384dac201c5f41a9ff*",".{0,1000}2ac214f54f3286db611d416155cb40569f6932fdb45a1e384dac201c5f41a9ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23765" "*2ac5bb5e54dcd346f6ede08e1b380127ee89d879a2336ef6f6c296cf378a0c86*",".{0,1000}2ac5bb5e54dcd346f6ede08e1b380127ee89d879a2336ef6f6c296cf378a0c86.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23766" "*2acb885af8fce92b0cca89d8e2b82d954a85f8ce0751a27258a3c4cdd2f8ef88*",".{0,1000}2acb885af8fce92b0cca89d8e2b82d954a85f8ce0751a27258a3c4cdd2f8ef88.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","23770" "*2acd831051f89004586e5e59b33bf951f338671697def433d22b6c3c5ba0cde6*",".{0,1000}2acd831051f89004586e5e59b33bf951f338671697def433d22b6c3c5ba0cde6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23771" 
"*2ad44c7d840018470779d1feaf02584a602a30fa6388be5ef1c2800657b6de4a*",".{0,1000}2ad44c7d840018470779d1feaf02584a602a30fa6388be5ef1c2800657b6de4a.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","23776" "*2adf13d1d4585ea2efd72e3ffe5d6f9be0a553c66e3d171a0e13f18f7f05d375*",".{0,1000}2adf13d1d4585ea2efd72e3ffe5d6f9be0a553c66e3d171a0e13f18f7f05d375.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23777" "*2ae5e02519c7da40c09e81ab02be9151336872b3f65cb39a917d53fa742d9241*",".{0,1000}2ae5e02519c7da40c09e81ab02be9151336872b3f65cb39a917d53fa742d9241.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23779" 
"*2afc21c42cca8caf03b00e22e95592ff6cbeb6ef64bd816eb9d32ed260818cb6*",".{0,1000}2afc21c42cca8caf03b00e22e95592ff6cbeb6ef64bd816eb9d32ed260818cb6.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23784" "*2b0898db6823fb2d533e7f7f1dbc19ec25ccd87f552b19e046ebcbf13c0efe3c*",".{0,1000}2b0898db6823fb2d533e7f7f1dbc19ec25ccd87f552b19e046ebcbf13c0efe3c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23787" "*2b13ba11cc9a18e558083ee33b7694fd4f1977bff70fd253687757fc92079ff6*",".{0,1000}2b13ba11cc9a18e558083ee33b7694fd4f1977bff70fd253687757fc92079ff6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - 
Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23790" "*2b2705d375cb293e59fbd641bcc42936e458666acbc6a43d81a281091574d469*",".{0,1000}2b2705d375cb293e59fbd641bcc42936e458666acbc6a43d81a281091574d469.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23791" "*2b33ead1b58d9e5254447cef54119027e5b1ca360c88e5929bff19685955d668*",".{0,1000}2b33ead1b58d9e5254447cef54119027e5b1ca360c88e5929bff19685955d668.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23794" "*2b3ac83c63ff25980360d246ecf86132dd1cfe3416957f145847c80494750846*",".{0,1000}2b3ac83c63ff25980360d246ecf86132dd1cfe3416957f145847c80494750846.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23796" "*2b3f74062d1303d71cd368b1090436d1aeddecf45e8561bd94f9fe412dd1abff*",".{0,1000}2b3f74062d1303d71cd368b1090436d1aeddecf45e8561bd94f9fe412dd1abff.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23798" "*2b4328c30b58ecaf6febe1d7225b543b8886dcb4d8295be5973e6dc36f62c0f2*",".{0,1000}2b4328c30b58ecaf6febe1d7225b543b8886dcb4d8295be5973e6dc36f62c0f2.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","#filehash","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","23799" "*2b44981a1a7d1f432c53c0f2f0b6bcdd410f6491c47dc55428fdac0b85c763f1*",".{0,1000}2b44981a1a7d1f432c53c0f2f0b6bcdd410f6491c47dc55428fdac0b85c763f1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23800" "*2b47da18424e13db950d489cd612311163979889ae4272c3eac957acc5cff576*",".{0,1000}2b47da18424e13db950d489cd612311163979889ae4272c3eac957acc5cff576.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","23801" 
"*2b4df7d7756102aadcdeda533e9372a45ede141300ef3d7941dd0d445de8adb6*",".{0,1000}2b4df7d7756102aadcdeda533e9372a45ede141300ef3d7941dd0d445de8adb6.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23805" "*2b5b31aa845de53f3410b452a02bd47d83e4358c53c6e7ae71c4e83386ef690f*",".{0,1000}2b5b31aa845de53f3410b452a02bd47d83e4358c53c6e7ae71c4e83386ef690f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23807" "*2b5d0530f54a5cb1aa7e037ab075ba27991bafa83a42555d50fde9245a3eb435*",".{0,1000}2b5d0530f54a5cb1aa7e037ab075ba27991bafa83a42555d50fde9245a3eb435.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","23808" "*2b8d5092b61c3a87ff79a8a23999f1ad4e58735a7a6ca4b0ca046b3be30a4880*",".{0,1000}2b8d5092b61c3a87ff79a8a23999f1ad4e58735a7a6ca4b0ca046b3be30a4880.{0,1000}","greyware_tool_keyword","rclone","Rclone is a 
command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23818" "*2b92a08a76d9b0e13e41660fdc2491eaeda7b8400f9d29542f27ad2edd004d9f*",".{0,1000}2b92a08a76d9b0e13e41660fdc2491eaeda7b8400f9d29542f27ad2edd004d9f.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","23821" "*2b9b335b2e741aa07e730558f6d27d4a5c4a2722817de67fcfebfcc5ee463bc0*",".{0,1000}2b9b335b2e741aa07e730558f6d27d4a5c4a2722817de67fcfebfcc5ee463bc0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23823" 
"*2ba4fae01c0be9c2a3dd365ad2cf3f4c58bb596b007533e2512c400f3be408df*",".{0,1000}2ba4fae01c0be9c2a3dd365ad2cf3f4c58bb596b007533e2512c400f3be408df.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23827" "*2bae86030b8915d8278720c4d3fe1ea3aa9f414575f38d0a66ecce3906cb6d2d*",".{0,1000}2bae86030b8915d8278720c4d3fe1ea3aa9f414575f38d0a66ecce3906cb6d2d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23829" "*2bb962d810bd4b823e5ed4879ce64277f177aaa60171b8d1a56d613f41837304*",".{0,1000}2bb962d810bd4b823e5ed4879ce64277f177aaa60171b8d1a56d613f41837304.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23832" "*2bbe8dacf7d9ce6812dc88c629ef572ea7b7c507b240cfe299c2991a10fefbdf*",".{0,1000}2bbe8dacf7d9ce6812dc88c629ef572ea7b7c507b240cfe299c2991a10fefbdf.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","23833" "*2bcebbbf1b206309ff012a43cac85378ac6ff60a6c22b623264a9ff27053ca11*",".{0,1000}2bcebbbf1b206309ff012a43cac85378ac6ff60a6c22b623264a9ff27053ca11.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23834" 
"*2bd2ecd96c79e54de7c0e286107d0a8def7a3f52fc1fd114736fe51ce6a0bcca*",".{0,1000}2bd2ecd96c79e54de7c0e286107d0a8def7a3f52fc1fd114736fe51ce6a0bcca.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23836" "*2bd3723b237f9162350b45702b8bb7bf540250a6b73639dd6813c010c17b276a*",".{0,1000}2bd3723b237f9162350b45702b8bb7bf540250a6b73639dd6813c010c17b276a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23838" "*2bdc646422d0272aca1568c176b0510d965bfe8e266afbbfa713683dece33d65*",".{0,1000}2bdc646422d0272aca1568c176b0510d965bfe8e266afbbfa713683dece33d65.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23841" "*2be05696ee5c448599221347dbd3e2305b0a1593bc89d27a518fd9e17728ae62*",".{0,1000}2be05696ee5c448599221347dbd3e2305b0a1593bc89d27a518fd9e17728ae62.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23843" "*2be56ec4a77c58c8aba5a16b91482e088c87d947f4cb2c9ab0a64be782048cd7*",".{0,1000}2be56ec4a77c58c8aba5a16b91482e088c87d947f4cb2c9ab0a64be782048cd7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23845" 
"*2be9772e3bec3a363b29f016e167a8c32e49ad64a2fb73b37368c33243e0e27d*",".{0,1000}2be9772e3bec3a363b29f016e167a8c32e49ad64a2fb73b37368c33243e0e27d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23846" "*2bf454abbd1446061cac6ee9f57b12c572c07a3093e45e29b0cdc088ab18238e*",".{0,1000}2bf454abbd1446061cac6ee9f57b12c572c07a3093e45e29b0cdc088ab18238e.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","23849" "*2bf61eef4890074ccbfb46cca83d6885557d37e7a2a42afe4a37e508dd3266e5*",".{0,1000}2bf61eef4890074ccbfb46cca83d6885557d37e7a2a42afe4a37e508dd3266e5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23850" "*2c02d8f219e83bea4bb4c9ddf1222bdabc068f656992e967dc702e70a1aafd80*",".{0,1000}2c02d8f219e83bea4bb4c9ddf1222bdabc068f656992e967dc702e70a1aafd80.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23851" "*2c183c4c53ddb0419f401cf690f16ccbeefc829f09fafca2a19700665c322cbc*",".{0,1000}2c183c4c53ddb0419f401cf690f16ccbeefc829f09fafca2a19700665c322cbc.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","23857" "*2c279e408c09fe9be4dad0a1f688b228a8e1948ffca2ab04431fbc53c7877c19*",".{0,1000}2c279e408c09fe9be4dad0a1f688b228a8e1948ffca2ab04431fbc53c7877c19.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23862" "*2c344a29ed1d2107554b83137bdcd87db445be709b089520282945d21c755189*",".{0,1000}2c344a29ed1d2107554b83137bdcd87db445be709b089520282945d21c755189.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23867" 
"*2c49f5d3ca26b2bdae62d01bee056f2d11f1093b675ad5cd5a902048c4ec58b8*",".{0,1000}2c49f5d3ca26b2bdae62d01bee056f2d11f1093b675ad5cd5a902048c4ec58b8.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","23871" "*2c50ac9cc40a98a74c88cc3ee248e1550464009866d44356f1db0c3cc6433903*",".{0,1000}2c50ac9cc40a98a74c88cc3ee248e1550464009866d44356f1db0c3cc6433903.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","23874" "*2c5626009786be43363b7ab1c2cca6a7b0eb57bdf6c40464f2abe874341b0485*",".{0,1000}2c5626009786be43363b7ab1c2cca6a7b0eb57bdf6c40464f2abe874341b0485.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23876" "*2c775985d8d4e0262216794d6924aea06a6f9ce9888c6918347e3df3886e8579*",".{0,1000}2c775985d8d4e0262216794d6924aea06a6f9ce9888c6918347e3df3886e8579.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23885" 
"*2c8cf42e378bb18c5ecaaf8deb11a5eb6bf684e849ac2b931ee6e5c3afb5bec7*",".{0,1000}2c8cf42e378bb18c5ecaaf8deb11a5eb6bf684e849ac2b931ee6e5c3afb5bec7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23888" "*2c9ecb79edd7d06bfec0529052f8fcfc4c9c9add475baa9179f6f9e23c456326*",".{0,1000}2c9ecb79edd7d06bfec0529052f8fcfc4c9c9add475baa9179f6f9e23c456326.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23892" "*2ca71789c452d549809f184185b08febc560b5dc81030586a3920a95ea7a3d12*",".{0,1000}2ca71789c452d549809f184185b08febc560b5dc81030586a3920a95ea7a3d12.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","23895" "*2cade8a207e1fe8a8f21640a14762bcf57b33526c1b70a6a0cc7147ad428f587*",".{0,1000}2cade8a207e1fe8a8f21640a14762bcf57b33526c1b70a6a0cc7147ad428f587.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing 
files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23896" "*2cc467b53348d1cafe2d329b96a48fdb54198fca6a6e1cf41b98df353f458e6f*",".{0,1000}2cc467b53348d1cafe2d329b96a48fdb54198fca6a6e1cf41b98df353f458e6f.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","23898" "*2cc646024fa74ade8763e8e9d030eaab511fb96b4c6cbac1059beae4e7654cb6*",".{0,1000}2cc646024fa74ade8763e8e9d030eaab511fb96b4c6cbac1059beae4e7654cb6.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","23899" "*2cd1b00947abe2df2cba3997d7bdd5a9043ebe598987f0e9cade0aceb73f9edd*",".{0,1000}2cd1b00947abe2df2cba3997d7bdd5a9043ebe598987f0e9cade0aceb73f9edd.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility 
for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23902" "*2cd4ff8ae7df9bd0433fbed59dacceabe0334b725aad2dc615251f88b7eca9c5*",".{0,1000}2cd4ff8ae7df9bd0433fbed59dacceabe0334b725aad2dc615251f88b7eca9c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23903" "*2ce120a7d253c6601c608c5ee29690ac2a329b2ea108db0bca609946dac032eb*",".{0,1000}2ce120a7d253c6601c608c5ee29690ac2a329b2ea108db0bca609946dac032eb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23906" 
"*2ce1530925d694ce72da0deda5dc3f7f8ee6b5fe2b3b3ade80973e5b72c35e96*",".{0,1000}2ce1530925d694ce72da0deda5dc3f7f8ee6b5fe2b3b3ade80973e5b72c35e96.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23907" "*2cf91adccb7872c4e0526ac1b4c5d9ccb539dcd9f3c2c85daba0837fb2483e2b*",".{0,1000}2cf91adccb7872c4e0526ac1b4c5d9ccb539dcd9f3c2c85daba0837fb2483e2b.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","23911" "*2d01ced5976ff2524383076dffd3c5ab59dfd2897b00f3e8a3e7ac9dc79312ec*",".{0,1000}2d01ced5976ff2524383076dffd3c5ab59dfd2897b00f3e8a3e7ac9dc79312ec.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23915" "*2d01e46b4831591ff917c231cd72595b0652c2ce36272111418a5e858c28cb71*",".{0,1000}2d01e46b4831591ff917c231cd72595b0652c2ce36272111418a5e858c28cb71.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a 
lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23916" "*2d042ee6e000dbf50b37b2fe8a77fb8cc71de9b4beb0f6f902b4d0885ae8facf*",".{0,1000}2d042ee6e000dbf50b37b2fe8a77fb8cc71de9b4beb0f6f902b4d0885ae8facf.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","23917" "*2d07711a0e24e3da968ad69aeeb458854572788e7869d276fcfb1189c824f9ff*",".{0,1000}2d07711a0e24e3da968ad69aeeb458854572788e7869d276fcfb1189c824f9ff.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23918" "*2d4087276e9e72db9ed380898ea8e5342dfdbd049642c8be95ac655cb866cfa2*",".{0,1000}2d4087276e9e72db9ed380898ea8e5342dfdbd049642c8be95ac655cb866cfa2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black 
Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23930" "*2d4849ea0fa996daefaa35cd0a3a4f62c49a6aa9b1b493ef2cfb4df2e89acf23*",".{0,1000}2d4849ea0fa996daefaa35cd0a3a4f62c49a6aa9b1b493ef2cfb4df2e89acf23.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","23931" "*2d5d5cd63277002d698485c5a87a51c1c8d520a963ae1c1689c9e6c5c4964c0c*",".{0,1000}2d5d5cd63277002d698485c5a87a51c1c8d520a963ae1c1689c9e6c5c4964c0c.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","23936" "*2d65a1cab58434497155118ca19bd1202900532375a4d1356a0e60463437f924*",".{0,1000}2d65a1cab58434497155118ca19bd1202900532375a4d1356a0e60463437f924.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","23939" 
"*2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009*",".{0,1000}2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detects and removes malware - including rootkits - but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","23944" "*2d87b8f3d0a56c9e101271c83e0b4c8f243af14a10965619d037210900304dde*",".{0,1000}2d87b8f3d0a56c9e101271c83e0b4c8f243af14a10965619d037210900304dde.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","23947" "*2d911f801c317eefce3ae952ef5a8c3625c0ba03c9dfb286534511958910b29e*",".{0,1000}2d911f801c317eefce3ae952ef5a8c3625c0ba03c9dfb286534511958910b29e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","23949" "*2d92293177da319e9cf294c97e6fcc9d32bb2646d1e1dc0129fb02d5c30fbf12*",".{0,1000}2d92293177da319e9cf294c97e6fcc9d32bb2646d1e1dc0129fb02d5c30fbf12.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23950" "*2d98d3ea74419cd604113a4ccf8a360ebf31d8da740219c4c1f426cfe13afe5b*",".{0,1000}2d98d3ea74419cd604113a4ccf8a360ebf31d8da740219c4c1f426cfe13afe5b.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","23953" "*2da2aa0a3d231a0b7aee9d0bbd71e6c20a836def31a42711875acc0eeee75635*",".{0,1000}2da2aa0a3d231a0b7aee9d0bbd71e6c20a836def31a42711875acc0eeee75635.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","23956" "*2da66cfdc6cd351b8c29f04d19ff53de4e12a8893ca902e09f946a2df7eefbb7*",".{0,1000}2da66cfdc6cd351b8c29f04d19ff53de4e12a8893ca902e09f946a2df7eefbb7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit 
- BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23957" "*2db3eb786f155f3eae64e0f3af00a3c3f417f257c80733b4b0cdd01991041ba1*",".{0,1000}2db3eb786f155f3eae64e0f3af00a3c3f417f257c80733b4b0cdd01991041ba1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23960" "*2df0d687e0626898fdb0f52f665e8e413f063fe1c5088d4fb26d07284a43de35*",".{0,1000}2df0d687e0626898fdb0f52f665e8e413f063fe1c5088d4fb26d07284a43de35.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23970" "*2df23e00a1d18a2291f17cbea17c1e4981e43ed09de3608197bb9a62c104c553*",".{0,1000}2df23e00a1d18a2291f17cbea17c1e4981e43ed09de3608197bb9a62c104c553.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23971" "*2df6d9782b8656772c842c22b6582ee91782bde800f345491a71eb72c294e6fc*",".{0,1000}2df6d9782b8656772c842c22b6582ee91782bde800f345491a71eb72c294e6fc.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23973" "*2dfa8caa50560a707a4877e2c9bb40acecaa475d5b792ef78f5309a46038f1ba*",".{0,1000}2dfa8caa50560a707a4877e2c9bb40acecaa475d5b792ef78f5309a46038f1ba.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","23975" "*2dfc1eeac50e3d783d124fa88c3072c2e475d6d95603b85d4774c37e37a76165*",".{0,1000}2dfc1eeac50e3d783d124fa88c3072c2e475d6d95603b85d4774c37e37a76165.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","23976" "*2e1a85c3cfa7cbbcb8747f53de4d7c913cd8ace7475988d823ca0e30bdcfa44e*",".{0,1000}2e1a85c3cfa7cbbcb8747f53de4d7c913cd8ace7475988d823ca0e30bdcfa44e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","23986" "*2e28d91e35ca1009d77fc67d36553730e785333ffc14cb8af621113571bd730b*",".{0,1000}2e28d91e35ca1009d77fc67d36553730e785333ffc14cb8af621113571bd730b.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","23988" "*2e3f38fe1955a659f09a14d2c8b1fe2b242972e65a305f7fddf8c7f2d619f460*",".{0,1000}2e3f38fe1955a659f09a14d2c8b1fe2b242972e65a305f7fddf8c7f2d619f460.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","23992" "*2e441805f8ad1cd674a7d024936547d4268d9b8be63a7b08445ad6e394974f44*",".{0,1000}2e441805f8ad1cd674a7d024936547d4268d9b8be63a7b08445ad6e394974f44.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","23994" "*2e4ce6b3a2e7019459a3f6cad24e07ee614c800a9d5b29c3d83f50fd758d1a93*",".{0,1000}2e4ce6b3a2e7019459a3f6cad24e07ee614c800a9d5b29c3d83f50fd758d1a93.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","23996" "*2e57c62a9fe28ddf0a4da23123c2622652dde869c366f6f1da6ff8bf78dd50c7*",".{0,1000}2e57c62a9fe28ddf0a4da23123c2622652dde869c366f6f1da6ff8bf78dd50c7.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","23999" "*2e7585939693c87bbb35a55bdce13253747dcbab8ec4eab0e10b342ffe9148a4*",".{0,1000}2e7585939693c87bbb35a55bdce13253747dcbab8ec4eab0e10b342ffe9148a4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24006" "*2e75b82c2b0c1f1c1d449fb6077cad9bb5311ed933f990214efdb6556b27017e*",".{0,1000}2e75b82c2b0c1f1c1d449fb6077cad9bb5311ed933f990214efdb6556b27017e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24009" "*2e7a9e27d26187a0ee5fd4a47c785fcd5b1daaf4a076ad4e156a0827d1f6df4f*",".{0,1000}2e7a9e27d26187a0ee5fd4a47c785fcd5b1daaf4a076ad4e156a0827d1f6df4f.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","24012" "*2e8a57f0d1d2b90d67253d1287159dc467bdb7f3b385be2db39e7213b44672be*",".{0,1000}2e8a57f0d1d2b90d67253d1287159dc467bdb7f3b385be2db39e7213b44672be.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24020" "*2e8bd529f1452a300c60d13e57b46c35d1c3c2f8b42a4b03ce82fbf78211af49*",".{0,1000}2e8bd529f1452a300c60d13e57b46c35d1c3c2f8b42a4b03ce82fbf78211af49.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24023" "*2e8d4bdf96c2294bb242e69f02fb44afcc5b710bb99d45047ee39d8d22f3f025*",".{0,1000}2e8d4bdf96c2294bb242e69f02fb44afcc5b710bb99d45047ee39d8d22f3f025.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24024" "*2e90b0aeb75f7fc93b683697981df8cbcc207690fc550f0d36d80d2281ce4d14*",".{0,1000}2e90b0aeb75f7fc93b683697981df8cbcc207690fc550f0d36d80d2281ce4d14.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24026" "*2e935829f4623f148f3d97424f8863452ac19cf2edc1a659af7500428b894b47*",".{0,1000}2e935829f4623f148f3d97424f8863452ac19cf2edc1a659af7500428b894b47.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24027" "*2e980bd99add2b0859b0bd6586dddcd688e1f8588ef6c9bf5922674e947a6dc6*",".{0,1000}2e980bd99add2b0859b0bd6586dddcd688e1f8588ef6c9bf5922674e947a6dc6.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24031" "*2e9ce2ed5ed7d036357e30c59478f345a7266f3531c2621785b91186ce241911*",".{0,1000}2e9ce2ed5ed7d036357e30c59478f345a7266f3531c2621785b91186ce241911.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24034" "*2ea3ba0640d7202718bd5d6a00c1db2a3c09e3cf1e9d2ca2247a12dbbc4b1a44*",".{0,1000}2ea3ba0640d7202718bd5d6a00c1db2a3c09e3cf1e9d2ca2247a12dbbc4b1a44.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24035" "*2eb477c2093771c42fd12d4c6c4bd7b94b9b6238909bdd5b3fb872408ce127a5*",".{0,1000}2eb477c2093771c42fd12d4c6c4bd7b94b9b6238909bdd5b3fb872408ce127a5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24038" 
"*2eb58b8d72bebd6f4ca4d55ac855dae5dd7f29b825ad14aba8e4a96e19c5ae54*",".{0,1000}2eb58b8d72bebd6f4ca4d55ac855dae5dd7f29b825ad14aba8e4a96e19c5ae54.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","24039" "*2ec1517476a6c8d3a524fba2461233a2f44f7fdc5ee8906aa7bead7514854cc7*",".{0,1000}2ec1517476a6c8d3a524fba2461233a2f44f7fdc5ee8906aa7bead7514854cc7.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24042" "*2ec2fe545387d5c91845130aad884ee212fdf3374690dfceaa422ad7545ea7a0*",".{0,1000}2ec2fe545387d5c91845130aad884ee212fdf3374690dfceaa422ad7545ea7a0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24043" "*2ec4ee6330d9e05cf8be0e465298e4da33f47e6ab5f93581998dc7ed2837bffd*",".{0,1000}2ec4ee6330d9e05cf8be0e465298e4da33f47e6ab5f93581998dc7ed2837bffd.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24044" 
"*2ed85cb524b3d21a29ae39ad50874d1cf8546d2dfedb931b9fcf76cc4e0e7cf0*",".{0,1000}2ed85cb524b3d21a29ae39ad50874d1cf8546d2dfedb931b9fcf76cc4e0e7cf0.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","24051" "*2ee2106e77f6c197ed167c064e4cd24cdca2a824c3d37805e201c9eed6c2f3a2*",".{0,1000}2ee2106e77f6c197ed167c064e4cd24cdca2a824c3d37805e201c9eed6c2f3a2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24055" "*2ef8a13faa44755fab1ac6fb3665cc78f7e7b451*",".{0,1000}2ef8a13faa44755fab1ac6fb3665cc78f7e7b451.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","24067" "*2efdffd1cf3adab21ff760f009d8893d8c4cbcf63b2c3bfcc1139457c9cd430b*",".{0,1000}2efdffd1cf3adab21ff760f009d8893d8c4cbcf63b2c3bfcc1139457c9cd430b.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","#filehash","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","24069" "*2effa3692c2567b15931e21ad84374cbfbffca84aec823bbb190f492b062a2ef*",".{0,1000}2effa3692c2567b15931e21ad84374cbfbffca84aec823bbb190f492b062a2ef.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a 
lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24070" "*2f1f3b1b11933cc4f1396967bc588143aaa84313f08cf5aa1c4d009509d4d20d*",".{0,1000}2f1f3b1b11933cc4f1396967bc588143aaa84313f08cf5aa1c4d009509d4d20d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24077" "*2f23c814d800ebaf516418f4cde8dcfc04fb6f50f343ef8ac94d40066463fd78*",".{0,1000}2f23c814d800ebaf516418f4cde8dcfc04fb6f50f343ef8ac94d40066463fd78.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24078" 
"*2f2d847e45c63766134c300e0fffec4acc13141b7fa23e77485e14592a933b4b*",".{0,1000}2f2d847e45c63766134c300e0fffec4acc13141b7fa23e77485e14592a933b4b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24082" "*2f36ff1ba8c834c8a47211ccd879acb37f75b1b34cc814c39728c7a190151c97*",".{0,1000}2f36ff1ba8c834c8a47211ccd879acb37f75b1b34cc814c39728c7a190151c97.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24083" "*2f3b4900a63d32a14e1578b2de68f78daad89b7c47b9388c26d922962faef430*",".{0,1000}2f3b4900a63d32a14e1578b2de68f78daad89b7c47b9388c26d922962faef430.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24084" "*2f3d3e246dcff30bd0f9c1d2918e276d118658c53f2a414852c34af1d935b9d1*",".{0,1000}2f3d3e246dcff30bd0f9c1d2918e276d118658c53f2a414852c34af1d935b9d1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24086" "*2f46c381b4f2964068e256f85f11cacdda75601cf0ef5069e08b3ed91c2f7c9c*",".{0,1000}2f46c381b4f2964068e256f85f11cacdda75601cf0ef5069e08b3ed91c2f7c9c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24088" "*2f4e89575f662c72f7c1dcb4f7b5d2bfb356594883e39b0d3b6e17dd941c278f*",".{0,1000}2f4e89575f662c72f7c1dcb4f7b5d2bfb356594883e39b0d3b6e17dd941c278f.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","24090" "*2f5301deb35d5d2bd0639dc172247df8b33dddb04034addf3d42c9bf2a9bacc6*",".{0,1000}2f5301deb35d5d2bd0639dc172247df8b33dddb04034addf3d42c9bf2a9bacc6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24093" "*2f545953aefbb11842c6152dc1eb4b0ad576c7f3d648ef2ce762679bd45b6771*",".{0,1000}2f545953aefbb11842c6152dc1eb4b0ad576c7f3d648ef2ce762679bd45b6771.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24094" "*2f58a372dc62e70149bd29621cb76049c438204127426299b9a8bdcff002c23a*",".{0,1000}2f58a372dc62e70149bd29621cb76049c438204127426299b9a8bdcff002c23a.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24095" "*2f6d418d6b2a974433581cdb959f6b0f8f305fa48c00ad44dc19a9d7504a4c5f*",".{0,1000}2f6d418d6b2a974433581cdb959f6b0f8f305fa48c00ad44dc19a9d7504a4c5f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24100" "*2f6d418d6b2a974433581cdb959f6b0f8f305fa48c00ad44dc19a9d7504a4c5f*",".{0,1000}2f6d418d6b2a974433581cdb959f6b0f8f305fa48c00ad44dc19a9d7504a4c5f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24101" 
"*2f747edb8eed5af60f18975abb44746e3986e332b6099764f91b6e2882736150*",".{0,1000}2f747edb8eed5af60f18975abb44746e3986e332b6099764f91b6e2882736150.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24102" "*2f81bffd408e9f57f31d9c91dd59473bbd57dd27d6e90eb582db2365bf3faf1b*",".{0,1000}2f81bffd408e9f57f31d9c91dd59473bbd57dd27d6e90eb582db2365bf3faf1b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24104" "*2f925ad68e769796a2b1d6bc7c09ce44164b192f30dbc94c3902a427d38f459b*",".{0,1000}2f925ad68e769796a2b1d6bc7c09ce44164b192f30dbc94c3902a427d38f459b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24108" "*2fa7c005c6cc92c0f79b288471e7f555672583aca74cdc223881b07d98794390*",".{0,1000}2fa7c005c6cc92c0f79b288471e7f555672583aca74cdc223881b07d98794390.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24113" "*2fae90ae2544f8b46582cfb7d46984d837b193601b35aa9d63c2f4f52007e32b*",".{0,1000}2fae90ae2544f8b46582cfb7d46984d837b193601b35aa9d63c2f4f52007e32b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24115" "*2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29*",".{0,1000}2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","24116" "*2fc0ed12ef82482e5f7afc1fc61e25f43139421f3a999d366ac1a403b33ece3c*",".{0,1000}2fc0ed12ef82482e5f7afc1fc61e25f43139421f3a999d366ac1a403b33ece3c.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24124" "*2fdef205058424a234864a4f77be2f451f1e52608781fb0ec10fdf867d2b4dfb*",".{0,1000}2fdef205058424a234864a4f77be2f451f1e52608781fb0ec10fdf867d2b4dfb.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","24133" "*2fe30d5fe08c566db85ac6ac32cfe92afd66b24aa2ecc8263c86c3bc8a1260d1*",".{0,1000}2fe30d5fe08c566db85ac6ac32cfe92afd66b24aa2ecc8263c86c3bc8a1260d1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24134" "*2FEB96F5-08E6-48A3-B306-794277650A08*",".{0,1000}2FEB96F5\-08E6\-48A3\-B306\-794277650A08.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral 
Movement","https://github.com/poweradminllc/PAExec","1","0","#GUIDproject","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","24140" "*2FEB96F5-08E6-48A3-B306-794277650A08*",".{0,1000}2FEB96F5\-08E6\-48A3\-B306\-794277650A08.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","#GUIDproject","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","24141" "*2ff4610933ac3310b66beca9b0f12bb88aa346c5ab8f1cfd4fd03219efbeacc9*",".{0,1000}2ff4610933ac3310b66beca9b0f12bb88aa346c5ab8f1cfd4fd03219efbeacc9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24144" "*2ff46b2628610c91de2378a820fc1290e40c1d28029da8609a338ba7efe2a684*",".{0,1000}2ff46b2628610c91de2378a820fc1290e40c1d28029da8609a338ba7efe2a684.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24145" "*3000e68455aa68222a46c10161ffdd921929fb2a14d5093cb4f64a569737c50c*",".{0,1000}3000e68455aa68222a46c10161ffdd921929fb2a14d5093cb4f64a569737c50c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24157" "*300161cd89c6094776ad40c08308249c7323c9b19105e09f15ef209f4e1f7980*",".{0,1000}300161cd89c6094776ad40c08308249c7323c9b19105e09f15ef209f4e1f7980.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","24158" "*30199cd67bbed08c65f86c2420f0967491cad2ec791c97936666bc930d65e73e*",".{0,1000}30199cd67bbed08c65f86c2420f0967491cad2ec791c97936666bc930d65e73e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24163" "*302d86070ce4c463d98f5217f85e9fa79b798d80948097d6847d38813a44a769*",".{0,1000}302d86070ce4c463d98f5217f85e9fa79b798d80948097d6847d38813a44a769.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24167" 
"*30338174d43234b97ffa081de00dc8364df7e1bc50e69ebba7c915c61adfacf1*",".{0,1000}30338174d43234b97ffa081de00dc8364df7e1bc50e69ebba7c915c61adfacf1.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24168" "*30340c4d6f41f2565c2bb369f45e789a67409c7ed18008a5fbad5d087b2f00b2*",".{0,1000}30340c4d6f41f2565c2bb369f45e789a67409c7ed18008a5fbad5d087b2f00b2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24169" "*303d31423ac6fc64a185886ae639a9f85126cc39e4bc0c58ca1320a06cd2ac2c*",".{0,1000}303d31423ac6fc64a185886ae639a9f85126cc39e4bc0c58ca1320a06cd2ac2c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24170" "*304e4f8f45a5a18fc6785efbb4171b853bf2bddbdf4ed2e49c5f843ba53ca8e1*",".{0,1000}304e4f8f45a5a18fc6785efbb4171b853bf2bddbdf4ed2e49c5f843ba53ca8e1.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any 
two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","24176" "*30612705f43fb5234efab3db8ec78568c8392cdf652cd5b7ef95c31a1876c670*",".{0,1000}30612705f43fb5234efab3db8ec78568c8392cdf652cd5b7ef95c31a1876c670.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24178" "*306a981bc54a0720a927f9c10f35db8f8c884d923d2c516f022ca6a7b0950836*",".{0,1000}306a981bc54a0720a927f9c10f35db8f8c884d923d2c516f022ca6a7b0950836.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","24181" "*3070edf334a7ecaf3259b124641526d1b9f56a4c67ff892e0948913cd57ffff2*",".{0,1000}3070edf334a7ecaf3259b124641526d1b9f56a4c67ff892e0948913cd57ffff2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24183" 
"*3071cf9b377f62becd8f5ede7a3370eb94499fe28e87a6f6a4be6f6df3c0ac12*",".{0,1000}3071cf9b377f62becd8f5ede7a3370eb94499fe28e87a6f6a4be6f6df3c0ac12.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24184" "*308128ad3679e15f7992bcb3305e5a286a8a865df3ee7e6b3e4a07b5a041a46a*",".{0,1000}308128ad3679e15f7992bcb3305e5a286a8a865df3ee7e6b3e4a07b5a041a46a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24189" "*308c29b3d5768de138fa87755f165d95aa021c78564f4740102628acc7e4a2aa*",".{0,1000}308c29b3d5768de138fa87755f165d95aa021c78564f4740102628acc7e4a2aa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24191" "*308f03aa9f8e2055a27007bb566fd24068cf518e7042aa000a0bc53b29214c9d*",".{0,1000}308f03aa9f8e2055a27007bb566fd24068cf518e7042aa000a0bc53b29214c9d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in 
golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24192" "*308f634fd322185fc1bb9b371be9ea5d8509c979f73f77a70d0ad75dba2799c1*",".{0,1000}308f634fd322185fc1bb9b371be9ea5d8509c979f73f77a70d0ad75dba2799c1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24193" "*309a6b123ebdbb92766addeb8326311b86c26a21eb5cad30c8cde6c237019046*",".{0,1000}309a6b123ebdbb92766addeb8326311b86c26a21eb5cad30c8cde6c237019046.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","#filehash","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","24197" "*30b14705cdfcc4fbc654b55863d110a99deaa92a1490561e8dfd84326f9a9e9c*",".{0,1000}30b14705cdfcc4fbc654b55863d110a99deaa92a1490561e8dfd84326f9a9e9c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - 
T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24204" "*30c290f0f1d6bb3553604c337d4a85cd38b7b5c8dc738386cda54ff740a9bb1f*",".{0,1000}30c290f0f1d6bb3553604c337d4a85cd38b7b5c8dc738386cda54ff740a9bb1f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24207" "*30d8f383f5472499fe1b395778196adb4ad6b000245b0c4786c398f3291f78aa*",".{0,1000}30d8f383f5472499fe1b395778196adb4ad6b000245b0c4786c398f3291f78aa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24215" "*30e21bf4f47fa0edf53e738c13fdc4ee0a22f1b544165cbef1d362a25c1714c9*",".{0,1000}30e21bf4f47fa0edf53e738c13fdc4ee0a22f1b544165cbef1d362a25c1714c9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24216" "*30fe5d62f0f47418dc83e03bc80977426010c8edcf01e4e7db820965e2781442*",".{0,1000}30fe5d62f0f47418dc83e03bc80977426010c8edcf01e4e7db820965e2781442.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24223" "*30ff629067623e3bb4a4056527fdc3e9d9c7b2428836445ea58a88c720173296*",".{0,1000}30ff629067623e3bb4a4056527fdc3e9d9c7b2428836445ea58a88c720173296.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24224" "*3101575fbdbee11b2d4d592f92582489c842f20fab0cb2ade9f2f3a207c202d8*",".{0,1000}3101575fbdbee11b2d4d592f92582489c842f20fab0cb2ade9f2f3a207c202d8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24225" 
"*310cc90d4dc88a16e78873ceb1eb4e337e8039ec392df36073900b766585d0fb*",".{0,1000}310cc90d4dc88a16e78873ceb1eb4e337e8039ec392df36073900b766585d0fb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24226" "*310e8f12c406cfe608fd6feec36bdb122180c3e13a179eb638593bf97b79fc9f*",".{0,1000}310e8f12c406cfe608fd6feec36bdb122180c3e13a179eb638593bf97b79fc9f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24228" "*311a9c3ba000730148d78ed854f7235a3d05530ccfff5a868cb6357ec93b83c3*",".{0,1000}311a9c3ba000730148d78ed854f7235a3d05530ccfff5a868cb6357ec93b83c3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24233" "*31339090e3e8a044d014b9341c025cf59bf7bc133ae267bc5acdea5ac07837a9*",".{0,1000}31339090e3e8a044d014b9341c025cf59bf7bc133ae267bc5acdea5ac07837a9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24238" "*313f6252693b97c7b97fd97da6323ecf9ca3342819e954fb23f1b3988d9ec464*",".{0,1000}313f6252693b97c7b97fd97da6323ecf9ca3342819e954fb23f1b3988d9ec464.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24242" "*314215d36ba200db6ce4ea71ff15203b3b048203621329269801c6c27042ba7c*",".{0,1000}314215d36ba200db6ce4ea71ff15203b3b048203621329269801c6c27042ba7c.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24245" "*3149fa9e7dcbe7b1992fb9475f76fd2d0ebad88318c9497fd34ced76b3c9150d*",".{0,1000}3149fa9e7dcbe7b1992fb9475f76fd2d0ebad88318c9497fd34ced76b3c9150d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24247" "*314cb197b38516ee6dea9f5494587a21f303ca00e4894df11e4739e3bebfdc6a*",".{0,1000}314cb197b38516ee6dea9f5494587a21f303ca00e4894df11e4739e3bebfdc6a.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","24249" "*315aa5d2bb34c286245719163ffb168ef69e17c1f2fd0d4a9f7b0feb203d1d53*",".{0,1000}315aa5d2bb34c286245719163ffb168ef69e17c1f2fd0d4a9f7b0feb203d1d53.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24251" 
"*3166a71c855545de502838af5fdec240655d4946cbf81e32181bee033a1cb86a*",".{0,1000}3166a71c855545de502838af5fdec240655d4946cbf81e32181bee033a1cb86a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24256" "*317459a7d2933c3bb095b5c4d188c83ce6dbed8dd9f282cd3406c9f364a04363*",".{0,1000}317459a7d2933c3bb095b5c4d188c83ce6dbed8dd9f282cd3406c9f364a04363.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","24258" "*319a1fbefb63c3be58dcf357864f13ff21c664f0c15e535ac87723955e7826b1*",".{0,1000}319a1fbefb63c3be58dcf357864f13ff21c664f0c15e535ac87723955e7826b1.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24269" "*319aa6516c8bef2fc13ae80390fb4a2a99b8ceaaf6ceb462842001b89f22bca1*",".{0,1000}319aa6516c8bef2fc13ae80390fb4a2a99b8ceaaf6ceb462842001b89f22bca1.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","24270" "*31a9863499b273ade500620c3863eac9d905c677aecfe8e8c3d68fad63e1e343*",".{0,1000}31a9863499b273ade500620c3863eac9d905c677aecfe8e8c3d68fad63e1e343.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24276" "*31bd31d107caf59b48fcdc9af0f428d80aafb0e1a7166b32aa047b3b495d8457*",".{0,1000}31bd31d107caf59b48fcdc9af0f428d80aafb0e1a7166b32aa047b3b495d8457.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24285" "*31c085fa529ca13e77e2ad911bf901a0d0c7e21cd27142b09371da30d676ad60*",".{0,1000}31c085fa529ca13e77e2ad911bf901a0d0c7e21cd27142b09371da30d676ad60.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","24288" "*31c80fc12c2b391726f2a026981e0ce53bf6e68e55e4288f2b2662445d667ef5*",".{0,1000}31c80fc12c2b391726f2a026981e0ce53bf6e68e55e4288f2b2662445d667ef5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 
- T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24289" "*31dc3fe53dd1ad80d2c5e6ffa9221b62385b1cd2f16ecc240cd59e5f485155cd*",".{0,1000}31dc3fe53dd1ad80d2c5e6ffa9221b62385b1cd2f16ecc240cd59e5f485155cd.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","24294" "*31fb21714d9ecb2e14dd5f34680bcbb1167cfc72d6433e193d061a9bc34b27c5*",".{0,1000}31fb21714d9ecb2e14dd5f34680bcbb1167cfc72d6433e193d061a9bc34b27c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24298" "*31fb5154969f2729699b04a7ea6202ad59dabb1e36eb5f8f9b1159e3775e267f*",".{0,1000}31fb5154969f2729699b04a7ea6202ad59dabb1e36eb5f8f9b1159e3775e267f.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols 
such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","24299" "*31fb7bc782823a725a7fc61e590911ddeac1989e10ab67fe5bba42c355d58b7f*",".{0,1000}31fb7bc782823a725a7fc61e590911ddeac1989e10ab67fe5bba42c355d58b7f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24300" "*3204a42f02f8cfed9ba183a2141e16079ad99854b74f9a9e0c6a4831e8b25d8e*",".{0,1000}3204a42f02f8cfed9ba183a2141e16079ad99854b74f9a9e0c6a4831e8b25d8e.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","24303" "*3212ec3f0ece0d3d4df29f816f2928ca98398c57f110f3e18dbbb656ff56f073*",".{0,1000}3212ec3f0ece0d3d4df29f816f2928ca98398c57f110f3e18dbbb656ff56f073.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24309" 
"*321889f1b67fe66ee689b320e977646ddec0544fc89a23ad54e49408f7a4ae5e*",".{0,1000}321889f1b67fe66ee689b320e977646ddec0544fc89a23ad54e49408f7a4ae5e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24310" "*321f8b3fa818470657f9bf25d73016bf13ca8833c32f3c2fd98e54f4ef5d00d2*",".{0,1000}321f8b3fa818470657f9bf25d73016bf13ca8833c32f3c2fd98e54f4ef5d00d2.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24311" "*3225d34d16ecfb04fca67e9ed68230ebcbe65bafe70b12ca0c687a039ebe0851*",".{0,1000}3225d34d16ecfb04fca67e9ed68230ebcbe65bafe70b12ca0c687a039ebe0851.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24316" "*32273bc91ff97d985a6a1e97037b9e3814f87db6b1751201e94594ee49bdb808*",".{0,1000}32273bc91ff97d985a6a1e97037b9e3814f87db6b1751201e94594ee49bdb808.{0,1000}","greyware_tool_keyword","restic","backup program 
used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24317" "*3241d780f32a6a89d3b3f30d85f21f33f9d4d91227d129b2fd81d75baa870337*",".{0,1000}3241d780f32a6a89d3b3f30d85f21f33f9d4d91227d129b2fd81d75baa870337.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","24320" "*32544295fb7ff44cb0052693474c713aa5b9fdd0574bed4a29f09fad6b1733eb*",".{0,1000}32544295fb7ff44cb0052693474c713aa5b9fdd0574bed4a29f09fad6b1733eb.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24323" "*3262dee2fa68eb8d9428d209b2e87c2293d007529898850874b19707088c416e*",".{0,1000}3262dee2fa68eb8d9428d209b2e87c2293d007529898850874b19707088c416e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24325" "*32665745aaf03d263a9ce87f0ea7a17eb3476328c25c1a1fcccd0925934f7313*",".{0,1000}32665745aaf03d263a9ce87f0ea7a17eb3476328c25c1a1fcccd0925934f7313.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT 
or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24326" "*327426b8391497fc97c5d0fd0ccc9107cb3e2c2c2c25c5c8d3d7bf138ebfebe8*",".{0,1000}327426b8391497fc97c5d0fd0ccc9107cb3e2c2c2c25c5c8d3d7bf138ebfebe8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24332" "*3277b33dfc78aeaf0a039394592d87ecbdd8a1964a0cca388df58a5684f796c1*",".{0,1000}3277b33dfc78aeaf0a039394592d87ecbdd8a1964a0cca388df58a5684f796c1.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24333" "*327F3F26-182F-4E58-ABEA-A0CEDBCA0FCD*",".{0,1000}327F3F26\-182F\-4E58\-ABEA\-A0CEDBCA0FCD.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#GUIDproject","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","24334" "*3283db621b621cbd7761709125c8097dc52ef0b9329bd25c9eb79a162b86eb12*",".{0,1000}3283db621b621cbd7761709125c8097dc52ef0b9329bd25c9eb79a162b86eb12.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24335" "*328dac26bf8b47c20c4525f0c4c21f17857c1606355dc42362d37be5d3d4c95b*",".{0,1000}328dac26bf8b47c20c4525f0c4c21f17857c1606355dc42362d37be5d3d4c95b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24337" "*32A2A734-7429-47E6-A362-E344A19C0D85*",".{0,1000}32A2A734\-7429\-47E6\-A362\-E344A19C0D85.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#GUIDproject","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","24342" "*32aa4a7dcec317cef0a8e65e25a63c0c8e656745f72c49734ca7aedc8ec9a264*",".{0,1000}32aa4a7dcec317cef0a8e65e25a63c0c8e656745f72c49734ca7aedc8ec9a264.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24344" 
"*32bc7de6f818df84a75f7ed501f1a152bb7a606687cd700b0144719261e3524d*",".{0,1000}32bc7de6f818df84a75f7ed501f1a152bb7a606687cd700b0144719261e3524d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24347" "*32dc4748174790882d0d962dd7b5a6bf332cb8cd6c8ccf8d75d9ec5cd703274a*",".{0,1000}32dc4748174790882d0d962dd7b5a6bf332cb8cd6c8ccf8d75d9ec5cd703274a.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","24360" "*32de5f522092e4dd545d064e7bc2db58244200af33559bc7190d18c93edbc397*",".{0,1000}32de5f522092e4dd545d064e7bc2db58244200af33559bc7190d18c93edbc397.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24362" "*32ea3247b4e572e80e116ae9a9ffb122c0766b0cc546c6122dab07da5aefde16*",".{0,1000}32ea3247b4e572e80e116ae9a9ffb122c0766b0cc546c6122dab07da5aefde16.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that 
seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","24366" "*32ef83acc082cff716fd44e6f96f80c8bc39f1a3de74e59a2afcf71592374325*",".{0,1000}32ef83acc082cff716fd44e6f96f80c8bc39f1a3de74e59a2afcf71592374325.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24367" "*330c1069831f7c60d89436905cb8ac6794d40896e9b8b5e539a2c9876a9cd324*",".{0,1000}330c1069831f7c60d89436905cb8ac6794d40896e9b8b5e539a2c9876a9cd324.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24371" "*331052f70446cec6cc6392f80aac15a71b4e987b506b5ec3e6aada2b555a5ed9*",".{0,1000}331052f70446cec6cc6392f80aac15a71b4e987b506b5ec3e6aada2b555a5ed9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24373" "*332436f5e6ee1c744ab5c658cc360e3d9f084e39ba583d8b2bcbf2e36f68a7fb*",".{0,1000}332436f5e6ee1c744ab5c658cc360e3d9f084e39ba583d8b2bcbf2e36f68a7fb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24378" "*3327d1a9abb9c15aea54434986986bf094fca303a3bd0cf82189d32a0dce44aa*",".{0,1000}3327d1a9abb9c15aea54434986986bf094fca303a3bd0cf82189d32a0dce44aa.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24379" "*333c5aa4c44f10b270cfd2c4d2bd58ec2615cd8874a9e8896c05ea3810b50395*",".{0,1000}333c5aa4c44f10b270cfd2c4d2bd58ec2615cd8874a9e8896c05ea3810b50395.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24382" 
"*333fe7eb77d75398f57ac89dff603d71f9fe0857decee22e276a5734ea11b6ac*",".{0,1000}333fe7eb77d75398f57ac89dff603d71f9fe0857decee22e276a5734ea11b6ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24383" "*33420ebb3630aadbca112f47b772f4557e7a2c94ec6d6e149c94a58647cc4f89*",".{0,1000}33420ebb3630aadbca112f47b772f4557e7a2c94ec6d6e149c94a58647cc4f89.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","24385" "*334ec9e7d937c42e8ef12f9d4ec90862ecc5410c06442393a38390b34886aa59*",".{0,1000}334ec9e7d937c42e8ef12f9d4ec90862ecc5410c06442393a38390b34886aa59.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","24388" "*335ce7cb470142a3022d1158a8f102bcd97a8a0348d47022c4674d70a1487e6e*",".{0,1000}335ce7cb470142a3022d1158a8f102bcd97a8a0348d47022c4674d70a1487e6e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind 
the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24395" "*335e0c71b9818e5d688121452eadca3107ade9e60a36af0328e2843a70b2ebfb*",".{0,1000}335e0c71b9818e5d688121452eadca3107ade9e60a36af0328e2843a70b2ebfb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24397" "*33604e221e6a0b033d4f00192bac45ed68d4f29fe1be7c14314ea6e6add7f2cb*",".{0,1000}33604e221e6a0b033d4f00192bac45ed68d4f29fe1be7c14314ea6e6add7f2cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24400" 
"*3365e35e064a5dc3720c596dbc64c56f8cf6d079b30085f2ff7a148e7ebc6e55*",".{0,1000}3365e35e064a5dc3720c596dbc64c56f8cf6d079b30085f2ff7a148e7ebc6e55.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24403" "*336cc961fe07dfb37fc61a5b585ae5b9e966389062aa2cc0d70d282e56edf32f*",".{0,1000}336cc961fe07dfb37fc61a5b585ae5b9e966389062aa2cc0d70d282e56edf32f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24405" "*33893a93b57e6509132b4d6ae29f3e8a1f4c105c21746f0f0f036df0cf8d1979*",".{0,1000}33893a93b57e6509132b4d6ae29f3e8a1f4c105c21746f0f0f036df0cf8d1979.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24412" "*338e40f0af3c9e5afe576a70b19b005239fb97bd028891a1040ffd974927070f*",".{0,1000}338e40f0af3c9e5afe576a70b19b005239fb97bd028891a1040ffd974927070f.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","24413" 
"*33ab2fa30777211450e30c21c45803cdf076cb991f05691bd60aef97a8183e04*",".{0,1000}33ab2fa30777211450e30c21c45803cdf076cb991f05691bd60aef97a8183e04.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","#filehash","N/A","10","1","N/A","N/A","N/A","N/A","24421" "*33ab89888c82d2e34bf39998f3070105b6d67911dbf89084fa185a0058e70692*",".{0,1000}33ab89888c82d2e34bf39998f3070105b6d67911dbf89084fa185a0058e70692.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24422" "*33afcd4459db6fdcd977d24963acff551615be452d0fe8e1df8f862f058d6c48*",".{0,1000}33afcd4459db6fdcd977d24963acff551615be452d0fe8e1df8f862f058d6c48.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24423" "*33b86805dca512c7216444a881630170042d43acabc30cfd17ce4f1f95318bcc*",".{0,1000}33b86805dca512c7216444a881630170042d43acabc30cfd17ce4f1f95318bcc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud 
storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24427" "*33c9fa0bbaca1c4af7cf7c6016cda366612f497d08edd017bced7c617baa7fc2*",".{0,1000}33c9fa0bbaca1c4af7cf7c6016cda366612f497d08edd017bced7c617baa7fc2.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","24434" "*33de7cf074cc9aa8850b99ef61fb64e490cdf04f0231d76988b207b3d09cbdae*",".{0,1000}33de7cf074cc9aa8850b99ef61fb64e490cdf04f0231d76988b207b3d09cbdae.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","24440" "*33e25c7c66bf6996e75bda20c9640cc175fcb18b9891f2ecc73201e0d4f74748*",".{0,1000}33e25c7c66bf6996e75bda20c9640cc175fcb18b9891f2ecc73201e0d4f74748.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - 
T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","24442" "*33e46384b3caa71163ac79470de2af0cca5f8ea7593a9c9ea4e714dd66c099f5*",".{0,1000}33e46384b3caa71163ac79470de2af0cca5f8ea7593a9c9ea4e714dd66c099f5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24443" "*33e6876bd55c2db13a931cf812feb9cb17c071ab45d3b50c588642b022693cdc*",".{0,1000}33e6876bd55c2db13a931cf812feb9cb17c071ab45d3b50c588642b022693cdc.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","24444" "*33e707f51a0012e333c2646c6b1458f389b5192bbfcced6b41ca1c3725b53a98*",".{0,1000}33e707f51a0012e333c2646c6b1458f389b5192bbfcced6b41ca1c3725b53a98.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24445" "*340318e256a321e87e1a56c948c1d6ab6dcae8f585aacb26b0de457b215b9fbe*",".{0,1000}340318e256a321e87e1a56c948c1d6ab6dcae8f585aacb26b0de457b215b9fbe.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","24449" "*340371f94604e6771cc4a2c91e37d1bf00a524deab520340440fb0968e783f63*",".{0,1000}340371f94604e6771cc4a2c91e37d1bf00a524deab520340440fb0968e783f63.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24450" "*341e6c79cb6383b166d0f21f77f88735b340195dce8945bf9ff05a3cda1cb9a0*",".{0,1000}341e6c79cb6383b166d0f21f77f88735b340195dce8945bf9ff05a3cda1cb9a0.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","24456" 
"*3426d131f3dc67cb3fac4cf53328d1510e71621f9ab42d77fd9db5dc6de50440*",".{0,1000}3426d131f3dc67cb3fac4cf53328d1510e71621f9ab42d77fd9db5dc6de50440.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","24459" "*34286d2404219856835c624def995c2c71413456d9a9e7b8cb5affe8597f7dec*",".{0,1000}34286d2404219856835c624def995c2c71413456d9a9e7b8cb5affe8597f7dec.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24460" "*3435ba98d798b679b5b6dac4b04fd440389f1a3a4992ac998fe5231b2a83cbe4*",".{0,1000}3435ba98d798b679b5b6dac4b04fd440389f1a3a4992ac998fe5231b2a83cbe4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24462" 
"*34362de1defeb018d71e6319afabca362fa4acd69341bfcfb3ce77b6e8c61a6a*",".{0,1000}34362de1defeb018d71e6319afabca362fa4acd69341bfcfb3ce77b6e8c61a6a.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","24463" "*3445e757daa58d7e316d8d5bd308bccb43bcaf8504e17305a7c849b919a52d99*",".{0,1000}3445e757daa58d7e316d8d5bd308bccb43bcaf8504e17305a7c849b919a52d99.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24465" "*3448383224c7ac46a72a5717633490909333d1a50a29dbfc4434ff90e16d6b33*",".{0,1000}3448383224c7ac46a72a5717633490909333d1a50a29dbfc4434ff90e16d6b33.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24466" "*3451e50cf07aa0e206cc3a632482276574f820542860187ffb8ec2221453a875*",".{0,1000}3451e50cf07aa0e206cc3a632482276574f820542860187ffb8ec2221453a875.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - 
T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","24469" "*3458ddb17264d13bba09748cf14ea009b123f67823d1d5b7e6f8b0e8edbd238b*",".{0,1000}3458ddb17264d13bba09748cf14ea009b123f67823d1d5b7e6f8b0e8edbd238b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24470" "*345f591a27c4b776215371a38f0ad8159357d30e9c1860c420a7eab8b5f0f63c*",".{0,1000}345f591a27c4b776215371a38f0ad8159357d30e9c1860c420a7eab8b5f0f63c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24471" 
"*34710e9813ebda068adcec9296582c8396c1576532a77e86cca9245c549e6eac*",".{0,1000}34710e9813ebda068adcec9296582c8396c1576532a77e86cca9245c549e6eac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24476" "*348064a4a5a249c2e4a76251dea47477f366babc23bb26633923c75302d844f2*",".{0,1000}348064a4a5a249c2e4a76251dea47477f366babc23bb26633923c75302d844f2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24480" "*34848aab797df134ed0268cbc77a7db060f63e0ccba71062c9e6b1512e6b6993*",".{0,1000}34848aab797df134ed0268cbc77a7db060f63e0ccba71062c9e6b1512e6b6993.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","24482" 
"*3488de41725dc14d6140e5f547836af19402922776413bdd584acd0c9df254e8*",".{0,1000}3488de41725dc14d6140e5f547836af19402922776413bdd584acd0c9df254e8.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","24483" "*348f4866ac76baf0405695404432c5192faed33da7b8faea07947ba7427c688c*",".{0,1000}348f4866ac76baf0405695404432c5192faed33da7b8faea07947ba7427c688c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24485" "*349d0d0ecabf954caa8a1a78ab35b16bbc625424e827e008db1c76fd4bd29dc5*",".{0,1000}349d0d0ecabf954caa8a1a78ab35b16bbc625424e827e008db1c76fd4bd29dc5.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","24487" 
"*349eb981d2d5b1f4b16127d6a0c07929ff6851d15f816a9d09ff71154743a9e1*",".{0,1000}349eb981d2d5b1f4b16127d6a0c07929ff6851d15f816a9d09ff71154743a9e1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24489" "*34abcda5eb491ea4b167e4b2d9aa157adb87f035c1fbcc43aaedb6f9e3018418*",".{0,1000}34abcda5eb491ea4b167e4b2d9aa157adb87f035c1fbcc43aaedb6f9e3018418.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24493" "*34b0ca12dcc9c13b405e6428926e48d33e3bbca4e2341eca7e9dce8ac13837e7*",".{0,1000}34b0ca12dcc9c13b405e6428926e48d33e3bbca4e2341eca7e9dce8ac13837e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24494" "*34b5107c27cbae4cab4addfece8236d168102d7d6cc3ee93d29bf4d4b550065c*",".{0,1000}34b5107c27cbae4cab4addfece8236d168102d7d6cc3ee93d29bf4d4b550065c.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp 
or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","24497" "*34b5f52047741c7bbf54572c02cc9998489c4736a753af3c99255296b1af125d*",".{0,1000}34b5f52047741c7bbf54572c02cc9998489c4736a753af3c99255296b1af125d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24499" "*34b8d45bfea0d60f3b897a8c36276bdfeb7e9b00f0ee673d43f4555baf9eb8b4*",".{0,1000}34b8d45bfea0d60f3b897a8c36276bdfeb7e9b00f0ee673d43f4555baf9eb8b4.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","24501" "*34cb5687aff755ad7a3d1069b3cb0f5dd0b5b592b4d539ecd6c6a82599131ec7*",".{0,1000}34cb5687aff755ad7a3d1069b3cb0f5dd0b5b592b4d539ecd6c6a82599131ec7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24503" "*34d8c2352fa1c264b7d9146069ebc780495b896bc767c10ba916e5a55cb9d1a6*",".{0,1000}34d8c2352fa1c264b7d9146069ebc780495b896bc767c10ba916e5a55cb9d1a6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24506" "*34f4d439f01d02cf9b4d3f840375af6f2ef130e70730cf45f3989f9349c65326*",".{0,1000}34f4d439f01d02cf9b4d3f840375af6f2ef130e70730cf45f3989f9349c65326.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24510" "*351a2dd0dff54c031a54ea2d2ec8dee2f6f9325ddfd85cf3c10472e68f21e178*",".{0,1000}351a2dd0dff54c031a54ea2d2ec8dee2f6f9325ddfd85cf3c10472e68f21e178.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE 
- INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24520" "*351b90825fb48695f36208f0e6cfbbd53f9539306119b5ca0aeb949bd255066a*",".{0,1000}351b90825fb48695f36208f0e6cfbbd53f9539306119b5ca0aeb949bd255066a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24522" "*35386af9e43ed1948faa7037050573eda3299d4a11061734fce5f4be51c56dd3*",".{0,1000}35386af9e43ed1948faa7037050573eda3299d4a11061734fce5f4be51c56dd3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24525" "*3538bb3c8d8d8640f15a31a53e7d688fec5043a5d9ee8ac917da83e699e503e2*",".{0,1000}3538bb3c8d8d8640f15a31a53e7d688fec5043a5d9ee8ac917da83e699e503e2.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24526" "*35396671b32a78b457168a6413a2e0c7818e8ae740905eb273c0198f051e930f*",".{0,1000}35396671b32a78b457168a6413a2e0c7818e8ae740905eb273c0198f051e930f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - 
Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24527" "*356d44637750712f238bd27f49fc6dba7f5ce22c92c83e94be7b9d3f59e54853*",".{0,1000}356d44637750712f238bd27f49fc6dba7f5ce22c92c83e94be7b9d3f59e54853.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24539" "*356dd15f05b37e62f334000101f95094b81c0c473cba0e8c033bec5f9f2b84eb*",".{0,1000}356dd15f05b37e62f334000101f95094b81c0c473cba0e8c033bec5f9f2b84eb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24541" "*356eae02a0b678a82174417da439cbdcab3e678197aa8a91824849fb9085fc32*",".{0,1000}356eae02a0b678a82174417da439cbdcab3e678197aa8a91824849fb9085fc32.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","24542" "*357374d483045884038aa500fdba371af79e095d8e900f2d49bc23c45348ac07*",".{0,1000}357374d483045884038aa500fdba371af79e095d8e900f2d49bc23c45348ac07.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24544" "*357799ea43b606f6a5dfc27dc1310f47041bc34692b956401e22210496cd2cc5*",".{0,1000}357799ea43b606f6a5dfc27dc1310f47041bc34692b956401e22210496cd2cc5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24545" "*3579ab708388d7be3e66c1a45deea0f6a249865ce4105310d8fe340ed28accca*",".{0,1000}3579ab708388d7be3e66c1a45deea0f6a249865ce4105310d8fe340ed28accca.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. 
What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","#filehash","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","24546" "*359d3b8e555a9952f2b98c81ee3dbec8dc441e12789c436ca564762aaacec095*",".{0,1000}359d3b8e555a9952f2b98c81ee3dbec8dc441e12789c436ca564762aaacec095.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24552" "*35a9481ddbed5177431a9ea4bd09468fe987797d7b1231d64942d17eb54ec269*",".{0,1000}35a9481ddbed5177431a9ea4bd09468fe987797d7b1231d64942d17eb54ec269.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","24556" "*35aac6d3ab27419d02271d75a4cacd7f51fbf5244eb87c75c2e38dddc46e3af6*",".{0,1000}35aac6d3ab27419d02271d75a4cacd7f51fbf5244eb87c75c2e38dddc46e3af6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24558" "*35d6b2ef9a31b54ebee2a29bf22bb623bb5c9a74110472268581d6ea8122132c*",".{0,1000}35d6b2ef9a31b54ebee2a29bf22bb623bb5c9a74110472268581d6ea8122132c.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","24566" "*35e6e7e783afa5c5397acfde3b9237a5b1ace0cf4d0d3bf3f2d77ff601cd5157*",".{0,1000}35e6e7e783afa5c5397acfde3b9237a5b1ace0cf4d0d3bf3f2d77ff601cd5157.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24568" "*35fb32ecde0afcac0b1feb446052674763484264adae6c09148f4a0c7adac433*",".{0,1000}35fb32ecde0afcac0b1feb446052674763484264adae6c09148f4a0c7adac433.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","24569" "*36152e9a1e47217f9aa049b7893acd4cf08098874396ff06b0c52373bedab5fb*",".{0,1000}36152e9a1e47217f9aa049b7893acd4cf08098874396ff06b0c52373bedab5fb.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24574" "*36266479e235929cc0640fdf68ca395aaf851273908bb06c3b4143d8fbac2830*",".{0,1000}36266479e235929cc0640fdf68ca395aaf851273908bb06c3b4143d8fbac2830.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","24579" "*362e60a32dc864d5660bb7a9caae50b068bdd81924469bb014af395ebeef9a9e*",".{0,1000}362e60a32dc864d5660bb7a9caae50b068bdd81924469bb014af395ebeef9a9e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24583" "*3631e3c3833c84ba71f22ea3df20381676abc7476a7f6d14424d9abfada91414*",".{0,1000}3631e3c3833c84ba71f22ea3df20381676abc7476a7f6d14424d9abfada91414.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24585" "*364440d6c449fbc8befdf3b510891e2d6e99eb5ca4a5d151d1fc5ae8deb6a3e2*",".{0,1000}364440d6c449fbc8befdf3b510891e2d6e99eb5ca4a5d151d1fc5ae8deb6a3e2.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - 
TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","24589" "*3660fe9f10b94d38fecaea009e6625850a46b1d47bb7788fc47f286c1008e2ec*",".{0,1000}3660fe9f10b94d38fecaea009e6625850a46b1d47bb7788fc47f286c1008e2ec.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","24598" "*368a22aa636e65268cc2073d41a5d2a2b163de580dc72d57239f561da6603b6f*",".{0,1000}368a22aa636e65268cc2073d41a5d2a2b163de580dc72d57239f561da6603b6f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24604" "*3697258decc0f5c953d11873d12e8fe86bbef7d3dd033bd38a57ddcb60fae93e*",".{0,1000}3697258decc0f5c953d11873d12e8fe86bbef7d3dd033bd38a57ddcb60fae93e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 
8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24606" "*36977be1450de456579fc31a1afd86ed716fbb9a0c7d1c1b854b34152b3ac161*",".{0,1000}36977be1450de456579fc31a1afd86ed716fbb9a0c7d1c1b854b34152b3ac161.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24607" "*3699b102bf5ad1120ef560ae3036f27c74f6161b62b31fda8087bd7ae1496ee1*",".{0,1000}3699b102bf5ad1120ef560ae3036f27c74f6161b62b31fda8087bd7ae1496ee1.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","24610" "*36a3dedaed8d89acb2703ab54c0f7ded489a1210b8e21935e970bddd3115e87c*",".{0,1000}36a3dedaed8d89acb2703ab54c0f7ded489a1210b8e21935e970bddd3115e87c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - 
EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24611" "*36a7532a957652a55dbf0b196905652a1f0b8c4019b7ca4e749fa81e5f2c149b*",".{0,1000}36a7532a957652a55dbf0b196905652a1f0b8c4019b7ca4e749fa81e5f2c149b.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotly control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","24615" "*36b87e150926457e25e95098f2f386f63f43c2aee5d30275582e6ba044de4003*",".{0,1000}36b87e150926457e25e95098f2f386f63f43c2aee5d30275582e6ba044de4003.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24622" "*36d16c928a88a7a600fb6d3599f13e1b601c79b0eafd7cb1e2dde43d42893d0f*",".{0,1000}36d16c928a88a7a600fb6d3599f13e1b601c79b0eafd7cb1e2dde43d42893d0f.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24630" "*36dc83f98c27d4afc1e0a28b47aa176cd1bb1abcd4b5ed7e4ee6e430625d7fac*",".{0,1000}36dc83f98c27d4afc1e0a28b47aa176cd1bb1abcd4b5ed7e4ee6e430625d7fac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24632" "*36e59507a58d54c025b62c0ef2699382e6ca9211062540ee263544bf54854768*",".{0,1000}36e59507a58d54c025b62c0ef2699382e6ca9211062540ee263544bf54854768.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24637" "*36ea25323b263a1ac1d300a2bd8267905eaa7d752fd9e7d7b4ec40f836c737a6*",".{0,1000}36ea25323b263a1ac1d300a2bd8267905eaa7d752fd9e7d7b4ec40f836c737a6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24638" "*370485cb64eca360249e7232e2b0400a5d1d0c937f91e8bcc7b1d545eb23a162*",".{0,1000}370485cb64eca360249e7232e2b0400a5d1d0c937f91e8bcc7b1d545eb23a162.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24651" 
"*37206e26ef07932cdc1c9f37bb28242b85c7c895bfcfa0b58c48875e0979daf3*",".{0,1000}37206e26ef07932cdc1c9f37bb28242b85c7c895bfcfa0b58c48875e0979daf3.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","24660" "*3731a5ba51666d673e03442e09d34b68b9afe2b629c5adfd279b13c43da69ea6*",".{0,1000}3731a5ba51666d673e03442e09d34b68b9afe2b629c5adfd279b13c43da69ea6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24664" "*37349352fd09ebb634460449aa308f2bbb399349fe208c6cf3d1da9bfa9c6542*",".{0,1000}37349352fd09ebb634460449aa308f2bbb399349fe208c6cf3d1da9bfa9c6542.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24666" "*376c1371b87dd3ea20ad65ada4ef47f811218382422843a4ecb3fd590fc62c8a*",".{0,1000}376c1371b87dd3ea20ad65ada4ef47f811218382422843a4ecb3fd590fc62c8a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24679" "*378a4fd9f3fc47d51413ba48e31a275c972a9e31f3483d46c196ab26f8f1d7e7*",".{0,1000}378a4fd9f3fc47d51413ba48e31a275c972a9e31f3483d46c196ab26f8f1d7e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24684" "*378e780acaaf2fe122d76ac501684d9e82ec880c466c61a6d28b463fd18e7ae6*",".{0,1000}378e780acaaf2fe122d76ac501684d9e82ec880c466c61a6d28b463fd18e7ae6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24685" "*37b1e2141c2d5c0d7d65637a4694fe0707c46acfb7dd19307c2d7629a3045aad*",".{0,1000}37b1e2141c2d5c0d7d65637a4694fe0707c46acfb7dd19307c2d7629a3045aad.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24693" "*37B9B43761672219E98BFA826E7AF17E799592BC57ACBC4AAC38DAF5EFAAF653*",".{0,1000}37B9B43761672219E98BFA826E7AF17E799592BC57ACBC4AAC38DAF5EFAAF653.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","24695" "*37bc6496577a618cfba0ea53759dabf7e01e218ede999d5290d32040cd219eba*",".{0,1000}37bc6496577a618cfba0ea53759dabf7e01e218ede999d5290d32040cd219eba.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24696" "*37d6f27953cdc681076bc90bfb4e4acaf882a75cc11a39c4ba4749087f819796*",".{0,1000}37d6f27953cdc681076bc90bfb4e4acaf882a75cc11a39c4ba4749087f819796.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24702" "*37dbd859160bbb6d1b95e9f4a5c498c8df386db510950875c70328f688cb4e5d*",".{0,1000}37dbd859160bbb6d1b95e9f4a5c498c8df386db510950875c70328f688cb4e5d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24704" "*37e85dd1f3987fcc566c1b29bda5b94e4b2fd129a39cc7eeba3af7a69a0cdb09*",".{0,1000}37e85dd1f3987fcc566c1b29bda5b94e4b2fd129a39cc7eeba3af7a69a0cdb09.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/localtunnel/localtunnel","1","0","#filehash","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","24707" "*37f9d73191d95d637f39fdc07f8ddead00f0093d3459a43b7b3f8e00ecf261af*",".{0,1000}37f9d73191d95d637f39fdc07f8ddead00f0093d3459a43b7b3f8e00ecf261af.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","24714" "*38022b590f11207be34e2eb14ab67b85774ee27d3f9903460173f1d1b77db6de*",".{0,1000}38022b590f11207be34e2eb14ab67b85774ee27d3f9903460173f1d1b77db6de.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24717" "*380d521181512fb9f4276d6f8fabbdcce082cee36efe133f68000a153ac3960f*",".{0,1000}380d521181512fb9f4276d6f8fabbdcce082cee36efe133f68000a153ac3960f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24722" "*380df39f172e53d4749d9cb0db5334901ac6e342c193e5c23b0c8147f068a1c1*",".{0,1000}380df39f172e53d4749d9cb0db5334901ac6e342c193e5c23b0c8147f068a1c1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - 
Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24723" "*381bca8edcf6cb2302baccebc9daada145989116aace489ba3d9072a57a853ed*",".{0,1000}381bca8edcf6cb2302baccebc9daada145989116aace489ba3d9072a57a853ed.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","24727" "*383f712ce7d07385f41a48f0965db96ac74bea74e7eae0c297d973ad5a9be620*",".{0,1000}383f712ce7d07385f41a48f0965db96ac74bea74e7eae0c297d973ad5a9be620.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24732" "*38744af426f8304c5ee9c2857291225726bffe2788870f2cb9e6a3b8836297e6*",".{0,1000}38744af426f8304c5ee9c2857291225726bffe2788870f2cb9e6a3b8836297e6.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* 
- Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24745" "*38744af426f8304c5ee9c2857291225726bffe2788870f2cb9e6a3b8836297e6*",".{0,1000}38744af426f8304c5ee9c2857291225726bffe2788870f2cb9e6a3b8836297e6.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","24746" "*3877bed52de5a213bb2ca2d6bf94f63819eb5e8864fb589c083cde736dc95e16*",".{0,1000}3877bed52de5a213bb2ca2d6bf94f63819eb5e8864fb589c083cde736dc95e16.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24748" "*3880d59cbdb217668d95c8aba770bf9a96338f159ecbd140e3aaaabd8cac583a*",".{0,1000}3880d59cbdb217668d95c8aba770bf9a96338f159ecbd140e3aaaabd8cac583a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24753" "*3883b30618c5e6fc1c413969f6172d5dd3cbbdb675cc26559a837181e6cfcc94*",".{0,1000}3883b30618c5e6fc1c413969f6172d5dd3cbbdb675cc26559a837181e6cfcc94.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24755" "*3887f7179aa36da3d9fc527a714d6f4be500dd25beede1e161e9f019beaf7636*",".{0,1000}3887f7179aa36da3d9fc527a714d6f4be500dd25beede1e161e9f019beaf7636.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","24756" 
"*388d03b5f42d14e0d68541fa74da9abc891e3fb7f7f6daae98d8e0e963c255b4*",".{0,1000}388d03b5f42d14e0d68541fa74da9abc891e3fb7f7f6daae98d8e0e963c255b4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24758" "*3892be4225abb7e205c7603577da120277af2a7d2ccba47cea239ae20f1b78d3*",".{0,1000}3892be4225abb7e205c7603577da120277af2a7d2ccba47cea239ae20f1b78d3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24764" "*3892f45ccf44d24fbe3b48933a876414e79e8e9a35f3924ef2dd1c63053f4656*",".{0,1000}3892f45ccf44d24fbe3b48933a876414e79e8e9a35f3924ef2dd1c63053f4656.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","24765" "*38a5a54c12beb19883e6bcd33ddfba7894df01fd2869599d84efc784d1d6cc35*",".{0,1000}38a5a54c12beb19883e6bcd33ddfba7894df01fd2869599d84efc784d1d6cc35.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with 
cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24768" "*38a98cc77a24b59f8f7c9fb34901dc655ce7296aebd865aee48fb5f33c953f9e*",".{0,1000}38a98cc77a24b59f8f7c9fb34901dc655ce7296aebd865aee48fb5f33c953f9e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24770" "*38a99341371c90b6029eadb9c2a5508b3db4263a1b869948d43edb9cf04bacf5*",".{0,1000}38a99341371c90b6029eadb9c2a5508b3db4263a1b869948d43edb9cf04bacf5.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","24771" 
"*38b4843755a0ceca33637b4a1bc052b4c379b666e512511c4629ca6a65468bd3*",".{0,1000}38b4843755a0ceca33637b4a1bc052b4c379b666e512511c4629ca6a65468bd3.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","24773" "*38b5790e1fd1bea17231a3a55e701217ebde42428046e029f609b1d1734c7140*",".{0,1000}38b5790e1fd1bea17231a3a55e701217ebde42428046e029f609b1d1734c7140.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24775" "*38c02b41d5db41d58683737cb04191cdfd3b61f41d31dc14b8d68a3a141cc647*",".{0,1000}38c02b41d5db41d58683737cb04191cdfd3b61f41d31dc14b8d68a3a141cc647.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24779" "*38c646e446ecfec33fded951544ee72eab17433e43c997e9c56bd7ccf1d7aaa4*",".{0,1000}38c646e446ecfec33fded951544ee72eab17433e43c997e9c56bd7ccf1d7aaa4.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24780" "*38cc200f3ba7b488ee7e629feb9621064e5681396edb70282f3daf3d09d4c3c7*",".{0,1000}38cc200f3ba7b488ee7e629feb9621064e5681396edb70282f3daf3d09d4c3c7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24781" "*38cd3309626aa2310571aa17637b72281c54aa873a2782dcc7c5f7cdb20c8985*",".{0,1000}38cd3309626aa2310571aa17637b72281c54aa873a2782dcc7c5f7cdb20c8985.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","24782" "*38d9cd1b16698848ef5e7bf46d6469b63b3ff61f4a5cafb4ce8937b3995b35f9*",".{0,1000}38d9cd1b16698848ef5e7bf46d6469b63b3ff61f4a5cafb4ce8937b3995b35f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta 
- Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24785" "*39037993-9571-4DF2-8E39-CD2909043574*",".{0,1000}39037993\-9571\-4DF2\-8E39\-CD2909043574.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#GUIDproject","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24789" "*390e1635b9a3a704a9bc3e252316898f1a61ec6c3c6b65114fbccceacaaa8db8*",".{0,1000}390e1635b9a3a704a9bc3e252316898f1a61ec6c3c6b65114fbccceacaaa8db8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24792" 
"*391432015104d8987eb9bce325017b71f6343d8ca970c94b81374aca7aa5035f*",".{0,1000}391432015104d8987eb9bce325017b71f6343d8ca970c94b81374aca7aa5035f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24794" "*391fd08daf4986afda1690225e4d9fed0c6d36ad1a56e4362cd8f2797e2ac93a*",".{0,1000}391fd08daf4986afda1690225e4d9fed0c6d36ad1a56e4362cd8f2797e2ac93a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24796" "*393d1d4e9992cbda5a9980c25d9d16890b18f276fc08a44c5855b3a14f4be894*",".{0,1000}393d1d4e9992cbda5a9980c25d9d16890b18f276fc08a44c5855b3a14f4be894.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","24810" "*39433eab5c47e1153d8e17086402f2848b7ba868df213fce01db52a664f53d64*",".{0,1000}39433eab5c47e1153d8e17086402f2848b7ba868df213fce01db52a664f53d64.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24811" 
"*394a6568c9b0e5de222256451e18de4e5b9379b058cb9fb3b04ae66c45354e16*",".{0,1000}394a6568c9b0e5de222256451e18de4e5b9379b058cb9fb3b04ae66c45354e16.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24813" "*394daa8e246f41baa4f37b1721991248f003766f079e671b8e51794259818c91*",".{0,1000}394daa8e246f41baa4f37b1721991248f003766f079e671b8e51794259818c91.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","24816" "*39598a1e7623f06f98429b4d31706dd12e7cb8f2b62ef82a89796f529317a956*",".{0,1000}39598a1e7623f06f98429b4d31706dd12e7cb8f2b62ef82a89796f529317a956.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","24822" "*395fe3d081d4bcd031770591913016fd6f5af3e7fdbf29219610acca1da3b6c9*",".{0,1000}395fe3d081d4bcd031770591913016fd6f5af3e7fdbf29219610acca1da3b6c9.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24825" "*3961db6d3c5951da49b40cfdae22c8fd53ea87a2ff97245d8aadd4d4206c6fea*",".{0,1000}3961db6d3c5951da49b40cfdae22c8fd53ea87a2ff97245d8aadd4d4206c6fea.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help 
you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24826" "*397ac6bd1ffe2d8baf3c8e41307bb36339fa0f7a97e61b614d25ab85cb3b90a7*",".{0,1000}397ac6bd1ffe2d8baf3c8e41307bb36339fa0f7a97e61b614d25ab85cb3b90a7.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","24832" "*3984e827963ca5f0925404d02526b0c12956f4d04a64853226e54a2f9333bf04*",".{0,1000}3984e827963ca5f0925404d02526b0c12956f4d04a64853226e54a2f9333bf04.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","24834" "*3990b68a8b0de116612ecfe7b85690659aad1ef779c606b0b6d928c402f3d821*",".{0,1000}3990b68a8b0de116612ecfe7b85690659aad1ef779c606b0b6d928c402f3d821.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24836" "*39af973b5bd6a20c70101c2e5c2b394985d0c3f043c64c24de4c1cc8546b03c6*",".{0,1000}39af973b5bd6a20c70101c2e5c2b394985d0c3f043c64c24de4c1cc8546b03c6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24843" "*39b615a36a5082209a049cce188f0654c6435f0bc4178b7663672334594f10fe*",".{0,1000}39b615a36a5082209a049cce188f0654c6435f0bc4178b7663672334594f10fe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24846" 
"*39e4be4d1d4bb0a5c9bdffd4128901444e603f9c77f5525c87a381131d82f323*",".{0,1000}39e4be4d1d4bb0a5c9bdffd4128901444e603f9c77f5525c87a381131d82f323.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24849" "*39f119574d66d00a12ab7ed202bca6e41204bf838fb5f58ca170bdf76beaa445*",".{0,1000}39f119574d66d00a12ab7ed202bca6e41204bf838fb5f58ca170bdf76beaa445.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24852" "*39fecd95598215f63b002a0c59db0455a2800e9c40430eb1a0d72a941fc24bf2*",".{0,1000}39fecd95598215f63b002a0c59db0455a2800e9c40430eb1a0d72a941fc24bf2.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","24858" "*3a0743b046340770a16cdddacc4bfef4e2f07e0062669d07589f0d62af1a2702*",".{0,1000}3a0743b046340770a16cdddacc4bfef4e2f07e0062669d07589f0d62af1a2702.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24860" 
"*3a137179e0095bf147e50fea7bec3ffb989f0b53d0bbe5bdab21dba5c173b414*",".{0,1000}3a137179e0095bf147e50fea7bec3ffb989f0b53d0bbe5bdab21dba5c173b414.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24866" "*3a1456c9405163b1ad8cdee71e82752fdf5ab2c8004c36d8d86134ebb90d212e*",".{0,1000}3a1456c9405163b1ad8cdee71e82752fdf5ab2c8004c36d8d86134ebb90d212e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24867" "*3a21f457d1ab0c317b828b68937b74dc4b4229d3613c1c04ef20123960bfe379*",".{0,1000}3a21f457d1ab0c317b828b68937b74dc4b4229d3613c1c04ef20123960bfe379.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24871" "*3a2f34f529cd12950c905d2c68637bb071a12ebd0c00dd887d807fe6c23de762*",".{0,1000}3a2f34f529cd12950c905d2c68637bb071a12ebd0c00dd887d807fe6c23de762.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","24874" "*3a3788e15d2cde3cc0b07bcae1b38a52f756e004cc7426bb45d275d28b7989da*",".{0,1000}3a3788e15d2cde3cc0b07bcae1b38a52f756e004cc7426bb45d275d28b7989da.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24878" "*3a379eedcb90ad0ec60a24c89f9892eb7a12ddb8a28045e432fc2c43e7faa186*",".{0,1000}3a379eedcb90ad0ec60a24c89f9892eb7a12ddb8a28045e432fc2c43e7faa186.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24879" "*3a4957346500bfcb99f671ffde44447a7d25da2f17e9ceefd68944beceb687b2*",".{0,1000}3a4957346500bfcb99f671ffde44447a7d25da2f17e9ceefd68944beceb687b2.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","24885" 
"*3a4b15468738335105fdb2b811e7eaf58c9daa764bcc8661e0a34e2a4cbbd7bc*",".{0,1000}3a4b15468738335105fdb2b811e7eaf58c9daa764bcc8661e0a34e2a4cbbd7bc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","24886" "*3a4ce767d5ff5706372f654aa5ccf01bf84d10dc87777094be635dca8869ed39*",".{0,1000}3a4ce767d5ff5706372f654aa5ccf01bf84d10dc87777094be635dca8869ed39.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24887" "*3a5163c77da1011ace25120f77a4ec0932cc66d18f6fc1fc4f2470f7877ff2ea*",".{0,1000}3a5163c77da1011ace25120f77a4ec0932cc66d18f6fc1fc4f2470f7877ff2ea.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24889" 
"*3a52dc3df7ea98057fb163965ed3390702a95a57e8b4e5e263c7efeb83908577*",".{0,1000}3a52dc3df7ea98057fb163965ed3390702a95a57e8b4e5e263c7efeb83908577.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","24891" "*3a671bd31450b20b6288c5334a1259e37e314713fbc031b1c44f11b78d8de6cd*",".{0,1000}3a671bd31450b20b6288c5334a1259e37e314713fbc031b1c44f11b78d8de6cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24897" "*3a762c02c202a9142c2d5c1a3927563a556d1683abadd25d2f695e237e4ea693*",".{0,1000}3a762c02c202a9142c2d5c1a3927563a556d1683abadd25d2f695e237e4ea693.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24900" "*3a7686526b309fdfe287a88e49efb56bc9dfe5c5e02e78b4f09a942cfb2de7d0*",".{0,1000}3a7686526b309fdfe287a88e49efb56bc9dfe5c5e02e78b4f09a942cfb2de7d0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24901" "*3a828c63459e09fa4b7fd6020d9e35df05d7e03ad9214f6a321f6788089c6a1f*",".{0,1000}3a828c63459e09fa4b7fd6020d9e35df05d7e03ad9214f6a321f6788089c6a1f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","24903" "*3ab9418d217a75325f9e75c5b9cf0aa7d41678edad25d1a2d6a64cba75f81b2e*",".{0,1000}3ab9418d217a75325f9e75c5b9cf0aa7d41678edad25d1a2d6a64cba75f81b2e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24917" 
"*3acd2648aa3fcdfdaa9fbcfb4afbf00749b641657822db80dae66783cbc3e1a9*",".{0,1000}3acd2648aa3fcdfdaa9fbcfb4afbf00749b641657822db80dae66783cbc3e1a9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24920" "*3adee5344212720044b12dac4fa3e11231bb07a9cd65e2bd6031804278a3ef35*",".{0,1000}3adee5344212720044b12dac4fa3e11231bb07a9cd65e2bd6031804278a3ef35.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24925" "*3b03a0738da391cc91566ea46c9b2a672546a0dcca12d3c6f2c10664c8c8e100*",".{0,1000}3b03a0738da391cc91566ea46c9b2a672546a0dcca12d3c6f2c10664c8c8e100.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","24933" "*3b047ae119ef323d9fa486d1be07bcf85163fc392ab02ec37fd5437578d06d4b*",".{0,1000}3b047ae119ef323d9fa486d1be07bcf85163fc392ab02ec37fd5437578d06d4b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network 
scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24934" "*3b0d7d1a140835725d11b4044a9f83f76b9b02281d2b907b16255d73ccdccaab*",".{0,1000}3b0d7d1a140835725d11b4044a9f83f76b9b02281d2b907b16255d73ccdccaab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24937" "*3b29215b47016a94daad3066fcfa2c11599d03ced78e4f40a71cb152aa9b1d5f*",".{0,1000}3b29215b47016a94daad3066fcfa2c11599d03ced78e4f40a71cb152aa9b1d5f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24940" "*3b2cec2cc3a2e3185fc1797590dc58421cf4382e86d83e8658990bb3979d7209*",".{0,1000}3b2cec2cc3a2e3185fc1797590dc58421cf4382e86d83e8658990bb3979d7209.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","24942" "*3b39b4f2bc0e474051c15ec7f110d9087f096107096913f2672ef8fd4f2ecfb6*",".{0,1000}3b39b4f2bc0e474051c15ec7f110d9087f096107096913f2672ef8fd4f2ecfb6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24943" "*3b5cbf0dddc3ef7e3af7d783baef315bf47be6ce11ff83455a2165befe6711f5*",".{0,1000}3b5cbf0dddc3ef7e3af7d783baef315bf47be6ce11ff83455a2165befe6711f5.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","24952" "*3b5f8f9ea98033c46c65edd222a676b5844186114ada1d91a56c58b0abcd0612*",".{0,1000}3b5f8f9ea98033c46c65edd222a676b5844186114ada1d91a56c58b0abcd0612.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","24953" 
"*3b76d79a32202f1cdbae1e5ed949ee7a75f373a9280fbdfd15a6cc4490a1b595*",".{0,1000}3b76d79a32202f1cdbae1e5ed949ee7a75f373a9280fbdfd15a6cc4490a1b595.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","24960" "*3b86cb342175e34a6bd96c020a73c0b368572c894b2e6f4dfcac234c58449e22*",".{0,1000}3b86cb342175e34a6bd96c020a73c0b368572c894b2e6f4dfcac234c58449e22.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24963" "*3b96ccd1383bbd60d1b79867f5ed32bd15778b94399fb891c3172ea02516ccb1*",".{0,1000}3b96ccd1383bbd60d1b79867f5ed32bd15778b94399fb891c3172ea02516ccb1.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24965" 
"*3b9a9cc912b0817c09577835d094c74a61911213e0533f606f20a602ea3c1703*",".{0,1000}3b9a9cc912b0817c09577835d094c74a61911213e0533f606f20a602ea3c1703.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24966" "*3b9f8b80f13f20194490851b076186124b67b9a7845b32e5e035ae4aed2e45dc*",".{0,1000}3b9f8b80f13f20194490851b076186124b67b9a7845b32e5e035ae4aed2e45dc.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","24967" "*3ba1b87c659e4c9ca752c50c7e9414ed46f982ce88d668e7d918a95af13315c9*",".{0,1000}3ba1b87c659e4c9ca752c50c7e9414ed46f982ce88d668e7d918a95af13315c9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24969" "*3bad0a20a77b7839ab4e236d31b4de469a0e0e58ce2195d2d7b2df8decec7ce3*",".{0,1000}3bad0a20a77b7839ab4e236d31b4de469a0e0e58ce2195d2d7b2df8decec7ce3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","24973" 
"*3bae7cc19b18dfc427e61c4e42c03c4a77ace51552c2583b644b7fa89380776c*",".{0,1000}3bae7cc19b18dfc427e61c4e42c03c4a77ace51552c2583b644b7fa89380776c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24974" "*3bb03c08f11fda276c953544487558c3c0bfe14f89796b9eaa108a334d854ed1*",".{0,1000}3bb03c08f11fda276c953544487558c3c0bfe14f89796b9eaa108a334d854ed1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24975" "*3bbd5d43f581b39aa84a88d801f48506ab3105b7f958ea718556b4faa4564c0f*",".{0,1000}3bbd5d43f581b39aa84a88d801f48506ab3105b7f958ea718556b4faa4564c0f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","24980" "*3bcd2aa02fed9aad200636add540ac159c082eb6058a9da45ed0dc7410713f38*",".{0,1000}3bcd2aa02fed9aad200636add540ac159c082eb6058a9da45ed0dc7410713f38.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","24983" "*3bd117db83f5fae64618cfdf7def01d1f91cb00245af1bfbccbcd671978d62bd*",".{0,1000}3bd117db83f5fae64618cfdf7def01d1f91cb00245af1bfbccbcd671978d62bd.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","24987" "*3bdf7c5f0c87c94b461668137a3e7cbf757d59dafc7a063362c34d17f2f33e61*",".{0,1000}3bdf7c5f0c87c94b461668137a3e7cbf757d59dafc7a063362c34d17f2f33e61.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","24989" "*3be15a6f8a0de053d4fde83cfba6880cfbbf83566b37c35a6a7ab82a7dfc3441*",".{0,1000}3be15a6f8a0de053d4fde83cfba6880cfbbf83566b37c35a6a7ab82a7dfc3441.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","24991" "*3bef28a58c4ee75b3b4ac0a6025f1c0332bb1d9f27d066082fa2e32416da4eac*",".{0,1000}3bef28a58c4ee75b3b4ac0a6025f1c0332bb1d9f27d066082fa2e32416da4eac.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","24994" "*3bf56844b1e6391473d1e6758622840471eac1e24c36eacfcde1aca27eadb810*",".{0,1000}3bf56844b1e6391473d1e6758622840471eac1e24c36eacfcde1aca27eadb810.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","24998" "*3c10eb3a8cb98f387491c7e8e28c1e7a0e885c74139c9df60043a9ad6d9593fe*",".{0,1000}3c10eb3a8cb98f387491c7e8e28c1e7a0e885c74139c9df60043a9ad6d9593fe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25004" 
"*3c139c9ae721f89e61a98294cb486143ee435297beff1a6178cc7347b4ff278e*",".{0,1000}3c139c9ae721f89e61a98294cb486143ee435297beff1a6178cc7347b4ff278e.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","25005" "*3c217d484b2d801274b135b11ea010a3084a25943735e7a1e153f6acfe8659f3*",".{0,1000}3c217d484b2d801274b135b11ea010a3084a25943735e7a1e153f6acfe8659f3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25008" "*3c4e769a29f03bcc9e998adcd1281142abfb5ff1dd66da5a435830a1cff34217*",".{0,1000}3c4e769a29f03bcc9e998adcd1281142abfb5ff1dd66da5a435830a1cff34217.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25022" 
"*3c577e92b14614dc484b1062561dbab2550708789fa1e70f7136c44195dd7275*",".{0,1000}3c577e92b14614dc484b1062561dbab2550708789fa1e70f7136c44195dd7275.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25025" "*3c582f611716c77db5e4f69823fc72572006608f63d9859dea598f0dfc74ed0b*",".{0,1000}3c582f611716c77db5e4f69823fc72572006608f63d9859dea598f0dfc74ed0b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25026" "*3c5d123aea23f54ce965bd72d3019945db3f07524fba2e76e36a6a0efc0d8650*",".{0,1000}3c5d123aea23f54ce965bd72d3019945db3f07524fba2e76e36a6a0efc0d8650.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25028" "*3c63b475a56cfb3569784a78f7e712843d096779fa5b1984bdef0cebb2c31437*",".{0,1000}3c63b475a56cfb3569784a78f7e712843d096779fa5b1984bdef0cebb2c31437.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25033" 
"*3c6bef218514ed8b5f4b07dac9005fa1f844750589c60d9c39e8ac2c2b6c6373*",".{0,1000}3c6bef218514ed8b5f4b07dac9005fa1f844750589c60d9c39e8ac2c2b6c6373.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25036" "*3c6f9fec7bf83c71b2ac9fbcea0f30ab0aaf949bf53b70e8ec12413bc059911a*",".{0,1000}3c6f9fec7bf83c71b2ac9fbcea0f30ab0aaf949bf53b70e8ec12413bc059911a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25037" "*3c71b38d49bf71f15200d7439ae3c99e46ad6b395db1188a597834920576c34f*",".{0,1000}3c71b38d49bf71f15200d7439ae3c99e46ad6b395db1188a597834920576c34f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25038" "*3c748064aa6d61727905c9ecd3be96b282448ae9c13368f836834ab0b49ad6e1*",".{0,1000}3c748064aa6d61727905c9ecd3be96b282448ae9c13368f836834ab0b49ad6e1.{0,1000}","greyware_tool_keyword","restic","backup 
program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25039" "*3c7522dd19a1d8341e33c910afe1a84d8b9dda03de6d2cddbfb145f401e56a33*",".{0,1000}3c7522dd19a1d8341e33c910afe1a84d8b9dda03de6d2cddbfb145f401e56a33.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25040" "*3c882962fc07f611a6147ada99c9909770d3e519210fd483cde9609c6bdd900c*",".{0,1000}3c882962fc07f611a6147ada99c9909770d3e519210fd483cde9609c6bdd900c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25041" "*3c8b4049525d16bfe42738bf74f2d264fc18499397e46e907d1214a39bea21dd*",".{0,1000}3c8b4049525d16bfe42738bf74f2d264fc18499397e46e907d1214a39bea21dd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25043" "*3c9ce97365381994fdf43d5f68c87af7c656334556fae7fa066a037efef3d743*",".{0,1000}3c9ce97365381994fdf43d5f68c87af7c656334556fae7fa066a037efef3d743.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25044" "*3c9e03e28899ba18e42f51006f7d94192fbae009885fd91cfc75b354cffebf58*",".{0,1000}3c9e03e28899ba18e42f51006f7d94192fbae009885fd91cfc75b354cffebf58.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25045" "*3cb6b58557fd8452c97f46484d284d61d86586b007b4cee7ca1f3ccb43c06951*",".{0,1000}3cb6b58557fd8452c97f46484d284d61d86586b007b4cee7ca1f3ccb43c06951.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive 
- Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25051" "*3cc1f7c3389f4f9d9f67dc0c0bf9a12d1ef413edc6b3c770f5faa5cd6e275dfe*",".{0,1000}3cc1f7c3389f4f9d9f67dc0c0bf9a12d1ef413edc6b3c770f5faa5cd6e275dfe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25052" "*3cc79f9fc44300aed80988b31845328b428c0999572eb7f1df949eccee0f518e*",".{0,1000}3cc79f9fc44300aed80988b31845328b428c0999572eb7f1df949eccee0f518e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25055" "*3cd7ec9209b973520d47d784a09a368bfb9e2bb195f3c543ae5311720249e315*",".{0,1000}3cd7ec9209b973520d47d784a09a368bfb9e2bb195f3c543ae5311720249e315.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25058" "*3ce4df319c7ea35f8cfa13d1e03a0309fc4f57aeaaa02d05fb9fd560443e67ba*",".{0,1000}3ce4df319c7ea35f8cfa13d1e03a0309fc4f57aeaaa02d05fb9fd560443e67ba.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to 
help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25062" "*3cedfcd57d1096bfc0c7469e8e356e13b999a338214dd610063f8abee6d80873*",".{0,1000}3cedfcd57d1096bfc0c7469e8e356e13b999a338214dd610063f8abee6d80873.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25064" "*3d064459b1bd3505d03217197c2dfa4db9efc0e9f71e6caaf1706ab8697b9a03*",".{0,1000}3d064459b1bd3505d03217197c2dfa4db9efc0e9f71e6caaf1706ab8697b9a03.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","25070" "*3d114e763a2bbe22290cdadd30241c690243d4990539c891273a82ef50460940*",".{0,1000}3d114e763a2bbe22290cdadd30241c690243d4990539c891273a82ef50460940.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - 
DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","25076" "*3d3deaf15f2bf36dc998286809ee0fa327cb526bd5a93026d8124af3b8d8182b*",".{0,1000}3d3deaf15f2bf36dc998286809ee0fa327cb526bd5a93026d8124af3b8d8182b.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","25084" "*3d4704e3a7c0c5d4d1c0a272160e7d0944a017cea7cb08b367689f89516e4e6c*",".{0,1000}3d4704e3a7c0c5d4d1c0a272160e7d0944a017cea7cb08b367689f89516e4e6c.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25088" "*3d4d43c169a9e28ea76303b1e8b810f0dcede7478555fdaa8959971ad499e324*",".{0,1000}3d4d43c169a9e28ea76303b1e8b810f0dcede7478555fdaa8959971ad499e324.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25090" "*3d62de527d3a1292219a95c311513899fe899b750428d9d809f556371d1f90b9*",".{0,1000}3d62de527d3a1292219a95c311513899fe899b750428d9d809f556371d1f90b9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25093" "*3d735de00aeb9535224e29d0adb6f2fefc79b7a46f76702af0d8eebcd49c1772*",".{0,1000}3d735de00aeb9535224e29d0adb6f2fefc79b7a46f76702af0d8eebcd49c1772.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","25098" "*3d74803de0136e858f96678e1cdea410256fbf34fc83c54edd204d186ecd412e*",".{0,1000}3d74803de0136e858f96678e1cdea410256fbf34fc83c54edd204d186ecd412e.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","25099" "*3d815e0319651626bb752b11a4a1d78ea7fea889b99a92a52f5ce54db641f82f*",".{0,1000}3d815e0319651626bb752b11a4a1d78ea7fea889b99a92a52f5ce54db641f82f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25102" "*3da0eb5c83daa77c9e52759d3b668774b0bccbe16b87c74301ec08979ffb15d4*",".{0,1000}3da0eb5c83daa77c9e52759d3b668774b0bccbe16b87c74301ec08979ffb15d4.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25108" "*3daf819f691c66a2216bc047349e5d6ed252aa1393c076cce9f68a1a7bed5b76*",".{0,1000}3daf819f691c66a2216bc047349e5d6ed252aa1393c076cce9f68a1a7bed5b76.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","25115" "*3dc341f1a1daa80084699b292d0493012a3a85a5cbc157f6984c04def0d2dce7*",".{0,1000}3dc341f1a1daa80084699b292d0493012a3a85a5cbc157f6984c04def0d2dce7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25119" 
"*3dcf212a13eccca01b047a9becb99480bfbb9d0ad9b095407ca9b3546c429274*",".{0,1000}3dcf212a13eccca01b047a9becb99480bfbb9d0ad9b095407ca9b3546c429274.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25122" "*3dd29906bd9c9a5db310bf6ef3d8142dbd8c5c69d6b61a91805d0fce9bf2bbda*",".{0,1000}3dd29906bd9c9a5db310bf6ef3d8142dbd8c5c69d6b61a91805d0fce9bf2bbda.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","25123" "*3DDF7FBB35EC90BCF15E723F1445EEB71E71C9757243EFEC1CEB4E74A10A1D9F*",".{0,1000}3DDF7FBB35EC90BCF15E723F1445EEB71E71C9757243EFEC1CEB4E74A10A1D9F.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","25124" "*3de0933657899d15dc795c7ac763f5b3835f55882392526dd4448d233fcb5392*",".{0,1000}3de0933657899d15dc795c7ac763f5b3835f55882392526dd4448d233fcb5392.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25125" 
"*3de87c7ff687b90e126d6daac0218388de8266c8158badf95c10b511cb1f90c7*",".{0,1000}3de87c7ff687b90e126d6daac0218388de8266c8158badf95c10b511cb1f90c7.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25126" "*3dec7fe9898d3e4b31c6d61a1316390572bc6964128f14ad1595e4b252e10085*",".{0,1000}3dec7fe9898d3e4b31c6d61a1316390572bc6964128f14ad1595e4b252e10085.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25127" "*3e04c44cdbc61721edef92ac05cc7e548e57e69397e54c24878e2edc56ddd3fb*",".{0,1000}3e04c44cdbc61721edef92ac05cc7e548e57e69397e54c24878e2edc56ddd3fb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25130" "*3e08555b23f907601feacbfcbece4fa635812ae7a28061f25e2aa6d54e48124c*",".{0,1000}3e08555b23f907601feacbfcbece4fa635812ae7a28061f25e2aa6d54e48124c.{0,1000}","greyware_tool_keyword","rclone","Rclone is 
a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25131" "*3e105195cd87067bb899810e747a1e5d8e55929d183950bc008933beeb47e41a*",".{0,1000}3e105195cd87067bb899810e747a1e5d8e55929d183950bc008933beeb47e41a.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","25132" "*3e1b11f8d4839e0d7f09b7cc27a6d10a82b5944512a59dfa9192603f28b50baf*",".{0,1000}3e1b11f8d4839e0d7f09b7cc27a6d10a82b5944512a59dfa9192603f28b50baf.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","25133" "*3e1cfdaa245dd2d7789d33a0be13c5bd5ef91e1da6e5eefd380cdf3fb1d50d63*",".{0,1000}3e1cfdaa245dd2d7789d33a0be13c5bd5ef91e1da6e5eefd380cdf3fb1d50d63.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for 
syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25134" "*3e3a7b98aa6f420061710d64c9bda2aac9040304d2952f46661696d16aed402f*",".{0,1000}3e3a7b98aa6f420061710d64c9bda2aac9040304d2952f46661696d16aed402f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25139" "*3e3d48e0a1de878866d3f6d9beb1009c4140ede45b95d092bcaf68fae6a030a0*",".{0,1000}3e3d48e0a1de878866d3f6d9beb1009c4140ede45b95d092bcaf68fae6a030a0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25142" 
"*3e435c81cc364a3c6f1d5f9305f03dbf5152e85f445c9354cc16b30654fd444e*",".{0,1000}3e435c81cc364a3c6f1d5f9305f03dbf5152e85f445c9354cc16b30654fd444e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25145" "*3e5ffce470feaeeb55edfaaec9b89ccb43feed4133d267eb77fd4ef3da4d9b73*",".{0,1000}3e5ffce470feaeeb55edfaaec9b89ccb43feed4133d267eb77fd4ef3da4d9b73.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25152" "*3e62062061ddd7a0974eb2f6106dc96d3c54f95f41121ff355de12d5a23e2624*",".{0,1000}3e62062061ddd7a0974eb2f6106dc96d3c54f95f41121ff355de12d5a23e2624.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","25153" "*3e6945f3127371b2f2c3f0bdcb2a1c574f92394cc78fbe2144ecefe23f83c983*",".{0,1000}3e6945f3127371b2f2c3f0bdcb2a1c574f92394cc78fbe2144ecefe23f83c983.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25156" "*3e754f15b17e2c21e6579a263990aecdf7652c7994b117d928782cd31cca590a*",".{0,1000}3e754f15b17e2c21e6579a263990aecdf7652c7994b117d928782cd31cca590a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25160" "*3e7874880edf4af1c31a79d1291358791c9fbec5ee633839712af9edde7dbada*",".{0,1000}3e7874880edf4af1c31a79d1291358791c9fbec5ee633839712af9edde7dbada.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25161" "*3e7d0d0f365120cd3cd351d147d1a12ee960c8068b464d4dd533a3821873b80e*",".{0,1000}3e7d0d0f365120cd3cd351d147d1a12ee960c8068b464d4dd533a3821873b80e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25163" "*3e81cd5540da875704d3109537203c7381b80b854851fe43ff2c806778b061b0*",".{0,1000}3e81cd5540da875704d3109537203c7381b80b854851fe43ff2c806778b061b0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25164" "*3e8a768889dd85d952fc7160d196c68866c9155383b0347c4049d079c8ae2cdd*",".{0,1000}3e8a768889dd85d952fc7160d196c68866c9155383b0347c4049d079c8ae2cdd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25167" "*3e9460a86fa16e9273c3a09f4cefccfd6e9a27ece4836fe2c3409593ba24c21f*",".{0,1000}3e9460a86fa16e9273c3a09f4cefccfd6e9a27ece4836fe2c3409593ba24c21f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25170" "*3ea27a3727d42fba0e3862628a13fe6458bae277d5f477d1fce626e90e12e569*",".{0,1000}3ea27a3727d42fba0e3862628a13fe6458bae277d5f477d1fce626e90e12e569.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25175" 
"*3eaa14907c96c3a261cce8f5379fa8ecab9911cc2f3711b4b08b8d382a7ee772*",".{0,1000}3eaa14907c96c3a261cce8f5379fa8ecab9911cc2f3711b4b08b8d382a7ee772.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","25178" "*3eb961a803189e9d9d3195464a55acf9eebcd5f626c7e176c906b9639f43169e*",".{0,1000}3eb961a803189e9d9d3195464a55acf9eebcd5f626c7e176c906b9639f43169e.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","25180" "*3ee17b78ee6df429959331d016e7a2a64931584c70275c2b72da8b5ff33a3d59*",".{0,1000}3ee17b78ee6df429959331d016e7a2a64931584c70275c2b72da8b5ff33a3d59.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25194" "*3ee1b022bb0519d3aeb745f00dae50452b159ba1b912d607278609d7a582f883*",".{0,1000}3ee1b022bb0519d3aeb745f00dae50452b159ba1b912d607278609d7a582f883.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* 
- Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25195" "*3ee1eca313dce3dea259fcf6951a9350b09763ecfef0ef1866ec2e9fe81f7b61*",".{0,1000}3ee1eca313dce3dea259fcf6951a9350b09763ecfef0ef1866ec2e9fe81f7b61.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25196" "*3ee64a172c1a706749b25d6b12c4bf8c7896a93c52a803fc90548917cef72e13*",".{0,1000}3ee64a172c1a706749b25d6b12c4bf8c7896a93c52a803fc90548917cef72e13.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25199" 
"*3f01015707ba586af211445b24c078088e888e1d496776d2290c85ced4c0fc8d*",".{0,1000}3f01015707ba586af211445b24c078088e888e1d496776d2290c85ced4c0fc8d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25203" "*3f031af58b8b614eafe0fbefb338542b7b04f878853fa9f62394a00923375735*",".{0,1000}3f031af58b8b614eafe0fbefb338542b7b04f878853fa9f62394a00923375735.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25204" "*3f04e968871c818880aa23cecc9239651b7e550a625d655236690af22ea2bbdc*",".{0,1000}3f04e968871c818880aa23cecc9239651b7e550a625d655236690af22ea2bbdc.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25205" "*3f06328ca39cad23ca718129de65b24c3630dbc51fb473b42405c18a23e21992*",".{0,1000}3f06328ca39cad23ca718129de65b24c3630dbc51fb473b42405c18a23e21992.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25206" 
"*3f11e922d2e804a34396aab6ec9e7e48a23be82982a90f7b1d407c9b92062991*",".{0,1000}3f11e922d2e804a34396aab6ec9e7e48a23be82982a90f7b1d407c9b92062991.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25210" "*3f1b1ca2800dbae254969ed5365848e4fbcf8725ec68d265c40318fe7e3d51a3*",".{0,1000}3f1b1ca2800dbae254969ed5365848e4fbcf8725ec68d265c40318fe7e3d51a3.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","25211" "*3f2b33ff51dfa3351b72926fc97202f2681af4aa329b815e55100851b02b8896*",".{0,1000}3f2b33ff51dfa3351b72926fc97202f2681af4aa329b815e55100851b02b8896.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#filehash","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","25213" "*3f34a1d2be46289a7f93e67e605d1d3b45001e2d14d78407da986f3d6d0a7075*",".{0,1000}3f34a1d2be46289a7f93e67e605d1d3b45001e2d14d78407da986f3d6d0a7075.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25216" 
"*3f3ab39136e22d9cf714ab609d182d079a5cf2c6acf36d26ec9d88b64b209509*",".{0,1000}3f3ab39136e22d9cf714ab609d182d079a5cf2c6acf36d26ec9d88b64b209509.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25219" "*3f3be7d94aa91ed9d14a8c8f37413d2a3057c0a2758d579189c84904285007d5*",".{0,1000}3f3be7d94aa91ed9d14a8c8f37413d2a3057c0a2758d579189c84904285007d5.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","25220" "*3f3ebac013334cb9fd5d1f4556c67ed3e663338b72b48dce0ec0ee774690a8c5*",".{0,1000}3f3ebac013334cb9fd5d1f4556c67ed3e663338b72b48dce0ec0ee774690a8c5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25222" "*3f47dae30e9b18dcfd50eef1d188f83171072136257758ea39997818f38d49e8*",".{0,1000}3f47dae30e9b18dcfd50eef1d188f83171072136257758ea39997818f38d49e8.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","25224" 
"*3f50d0a422df063a5b331f49f2255d8180e851f963f54857b722ae1c2eb89bd0*",".{0,1000}3f50d0a422df063a5b331f49f2255d8180e851f963f54857b722ae1c2eb89bd0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25228" "*3f6e46e4ac8b1b6da7d8527546f81dcff4b4077a4390c261c4f182abb2ceaccb*",".{0,1000}3f6e46e4ac8b1b6da7d8527546f81dcff4b4077a4390c261c4f182abb2ceaccb.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25236" "*3f75d981d58670ce7e0e3f5ead2bd3359cdd1f33b96da726c62013567a884639*",".{0,1000}3f75d981d58670ce7e0e3f5ead2bd3359cdd1f33b96da726c62013567a884639.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25241" 
"*3f9462f9c7aad6fec22159529b1db7382acd7254605894fbc44c7a7c464e148b*",".{0,1000}3f9462f9c7aad6fec22159529b1db7382acd7254605894fbc44c7a7c464e148b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25248" "*3fabb19b2157709cb6baea755513f38b2d5674539b54f7853454c48c5a9f22bf*",".{0,1000}3fabb19b2157709cb6baea755513f38b2d5674539b54f7853454c48c5a9f22bf.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25251" "*3fad6d60c83b9bce3ca61da5ef4cd799d91e6c1f17db783ebd515953c392cd4a*",".{0,1000}3fad6d60c83b9bce3ca61da5ef4cd799d91e6c1f17db783ebd515953c392cd4a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25254" "*3fafe29d84e57deb5130c4f7a77f50e52ae5f4dc0d1499a11b7ac499c6c106b3*",".{0,1000}3fafe29d84e57deb5130c4f7a77f50e52ae5f4dc0d1499a11b7ac499c6c106b3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - 
Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25255" "*3fb343762a0cdfe57ac0e85f3b5cb93dc5579c9d820d4a268ca81e809bea089c*",".{0,1000}3fb343762a0cdfe57ac0e85f3b5cb93dc5579c9d820d4a268ca81e809bea089c.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25257" "*3fcf04657f8efd6c6418047bb8c219878c913c4bdc678a8c4bbc8a49d3a389d1*",".{0,1000}3fcf04657f8efd6c6418047bb8c219878c913c4bdc678a8c4bbc8a49d3a389d1.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25265" "*3fd70ccfab20e75b8517627ec58e30b33003a24ca4629ed42650ef1b98f17e7d*",".{0,1000}3fd70ccfab20e75b8517627ec58e30b33003a24ca4629ed42650ef1b98f17e7d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25269" "*3fe6bb27a84dc5b565f2a31d2297497df75af2da88390e0b893ef90cae605a23*",".{0,1000}3fe6bb27a84dc5b565f2a31d2297497df75af2da88390e0b893ef90cae605a23.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25271" "*3fee12f2bf405e28cc35e8fe8379d9d73345a79ee8347f4928701158495bb266*",".{0,1000}3fee12f2bf405e28cc35e8fe8379d9d73345a79ee8347f4928701158495bb266.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25272" "*3ff847c73e2ab0d5f1f1440046cd001d25639793a352d9558b24708d77ac3127*",".{0,1000}3ff847c73e2ab0d5f1f1440046cd001d25639793a352d9558b24708d77ac3127.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","25273" "*3ff86dceb685d7dc4b7c14553cc557a3a9eac36e0f0565d8a4c0576f6eee242c*",".{0,1000}3ff86dceb685d7dc4b7c14553cc557a3a9eac36e0f0565d8a4c0576f6eee242c.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25274" "*3proxy --install*",".{0,1000}3proxy\s\-\-install.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense 
Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25287" "*3proxy --remove*",".{0,1000}3proxy\s\-\-remove.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25288" "*3proxy tiny proxy server*",".{0,1000}3proxy\stiny\sproxy\sserver.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25289" "*3proxy Windows Authentication plugin*",".{0,1000}3proxy\sWindows\sAuthentication\splugin.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25290" "*3proxy.exe --*",".{0,1000}3proxy\.exe\s\-\-.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25291" "*3proxy.service*",".{0,1000}3proxy\.service.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","#servicename","linux 
servicename","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25292" "*3proxy/3proxy*",".{0,1000}3proxy\/3proxy.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","1","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25293" "*3proxy@3proxy.org*",".{0,1000}3proxy\@3proxy\.org.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense Evasion","https://github.com/3proxy/3proxy","1","0","#email","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","25294" "*4002d10859ed910f4196db8dcc00732f75553aa972ea262884d69b649754d924*",".{0,1000}4002d10859ed910f4196db8dcc00732f75553aa972ea262884d69b649754d924.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25303" "*400e477ebf627aa5ba9c11ef2cf9cb2bd4acc53a6beca20148f141f6f3c504da*",".{0,1000}400e477ebf627aa5ba9c11ef2cf9cb2bd4acc53a6beca20148f141f6f3c504da.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25306" "*400ed1628aabb30719dcca007c4d5a78e8cfcb794d35621c787a76e20fbb58c6*",".{0,1000}400ed1628aabb30719dcca007c4d5a78e8cfcb794d35621c787a76e20fbb58c6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25307" "*4019e9601d40a27634c95f10d98a0ee8c6820d2653665d8c718e132e92887814*",".{0,1000}4019e9601d40a27634c95f10d98a0ee8c6820d2653665d8c718e132e92887814.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25308" "*402b28519547fad2da345db67120a53369c50bfa90807fff186e3cdafad82de1*",".{0,1000}402b28519547fad2da345db67120a53369c50bfa90807fff186e3cdafad82de1.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25311" "*403d4848966e4e5e7859758766269a5340f309c641e71f65fd3cf4b01049b8d9*",".{0,1000}403d4848966e4e5e7859758766269a5340f309c641e71f65fd3cf4b01049b8d9.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","25316" "*4042d649ac4c62d1b8eac5c071ff714f62f94df4a308e3a0b17de7e2e57df9ab*",".{0,1000}4042d649ac4c62d1b8eac5c071ff714f62f94df4a308e3a0b17de7e2e57df9ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25318" "*405609b8cafc3821bbb266aa2b6378d5e8ffe3f98ceac55afc3a18c61b4f97d6*",".{0,1000}405609b8cafc3821bbb266aa2b6378d5e8ffe3f98ceac55afc3a18c61b4f97d6.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25322" "*405f614bdde26a1e2ff55631cf9be70946b1cf0270812869979d9c0d8a5eaa5e*",".{0,1000}405f614bdde26a1e2ff55631cf9be70946b1cf0270812869979d9c0d8a5eaa5e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25326" "*4071819358aab734ff8346fa8540427d3735d964d636af6a803f84433e9ca03a*",".{0,1000}4071819358aab734ff8346fa8540427d3735d964d636af6a803f84433e9ca03a.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25328" "*407225db88e109bedc93d568ec7b0a241fc362156587b8b710bc2cbe270c257c*",".{0,1000}407225db88e109bedc93d568ec7b0a241fc362156587b8b710bc2cbe270c257c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25329" "*408376273b03ff8f5c3e4b216647a5db23b9aa75b9b8026f2fe7d0ffa6bf2d3b*",".{0,1000}408376273b03ff8f5c3e4b216647a5db23b9aa75b9b8026f2fe7d0ffa6bf2d3b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - 
Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25332" "*40862cc6300a8460151fc4adda2d95bfc405f581919c0732ef654cf22a99584f*",".{0,1000}40862cc6300a8460151fc4adda2d95bfc405f581919c0732ef654cf22a99584f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25334" "*4087bcd3d012bd26bb52001da514e1604ccae2221acd339262b5fd47ea7115c3*",".{0,1000}4087bcd3d012bd26bb52001da514e1604ccae2221acd339262b5fd47ea7115c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25335" "*40921f28b6e294a3511e27b2ef2026561df96ac0908f16fa90b8af5849e981f4*",".{0,1000}40921f28b6e294a3511e27b2ef2026561df96ac0908f16fa90b8af5849e981f4.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","25337" "*40b08d7e300fd1d46d9225ad6d52149e4194c3f0d0b65361c04fb606d908a689*",".{0,1000}40b08d7e300fd1d46d9225ad6d52149e4194c3f0d0b65361c04fb606d908a689.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25346" "*40b9410d301646531ac34beb1e22c3ac94742d21fd0d701b8b9b4fa04481e6fb*",".{0,1000}40b9410d301646531ac34beb1e22c3ac94742d21fd0d701b8b9b4fa04481e6fb.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25350" "*40c2cf70de786de022195f0e3eb003c0f81c4dcb177fd1aad0c6cbb489eb900b*",".{0,1000}40c2cf70de786de022195f0e3eb003c0f81c4dcb177fd1aad0c6cbb489eb900b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25353" 
"*40c8f1e14c24fe384c4ed1845716ea52b391c9a867838f0a817e60d9eff6f941*",".{0,1000}40c8f1e14c24fe384c4ed1845716ea52b391c9a867838f0a817e60d9eff6f941.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25357" "*40d243dd3460e13d50f226a15179c41c2aacbd94aab1e674b1437f377b57c6f2*",".{0,1000}40d243dd3460e13d50f226a15179c41c2aacbd94aab1e674b1437f377b57c6f2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25361" "*40d5025cb0b0a6f26cc79fd23fc78ccdfa050bd7e80d694f2039ab98093f831d*",".{0,1000}40d5025cb0b0a6f26cc79fd23fc78ccdfa050bd7e80d694f2039ab98093f831d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25363" "*40d9fe8c9f191ab5d0f3e172eadac4fb3aef7a698b895a22ce81102b0a0f270a*",".{0,1000}40d9fe8c9f191ab5d0f3e172eadac4fb3aef7a698b895a22ce81102b0a0f270a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25365" "*40dbbb8a09fa361ae16c91c374e435391b9104989241ba67389e2dc15d9e6034*",".{0,1000}40dbbb8a09fa361ae16c91c374e435391b9104989241ba67389e2dc15d9e6034.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25366" "*40dd6156b4167e4846f1ea091960a88547de9d3986d96a7b9044a934aec61d86*",".{0,1000}40dd6156b4167e4846f1ea091960a88547de9d3986d96a7b9044a934aec61d86.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25367" "*40eb2e3dcca0c9f4ed11b3fd96b5824489f60fc0c3caa8f609539dd68ec6f1d5*",".{0,1000}40eb2e3dcca0c9f4ed11b3fd96b5824489f60fc0c3caa8f609539dd68ec6f1d5.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25373" "*40fa588b18db010c3b2826ea38be66a2894f95e284682caf14bc8894b16c4cae*",".{0,1000}40fa588b18db010c3b2826ea38be66a2894f95e284682caf14bc8894b16c4cae.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25377" "*410422844c6e562b64f05a07c069860f94c5da5e3971409a1159e066bb450158*",".{0,1000}410422844c6e562b64f05a07c069860f94c5da5e3971409a1159e066bb450158.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25379" "*41092e2433211a876f2b14f16a29fdae85a0d7e74565b23ab9e9c85bee892351*",".{0,1000}41092e2433211a876f2b14f16a29fdae85a0d7e74565b23ab9e9c85bee892351.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","25381" "*410e18b7e5221f4759bc9f7ed1c2daf1fa919b588db0f3430819854bd0c3d432*",".{0,1000}410e18b7e5221f4759bc9f7ed1c2daf1fa919b588db0f3430819854bd0c3d432.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25385" "*411b16657e992717f0eb9ac77b2a5468e23afcc8747bdabba4bcdfc008c845e7*",".{0,1000}411b16657e992717f0eb9ac77b2a5468e23afcc8747bdabba4bcdfc008c845e7.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","25388" "*411cd0194b22b0faf50bcf7beaed9a0d4efabf13baff4dfa7697793319d6f175*",".{0,1000}411cd0194b22b0faf50bcf7beaed9a0d4efabf13baff4dfa7697793319d6f175.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25389" "*411e557dd4765d49299e45c2c6700f436da20c1e455dffa36406bd841b5863c9*",".{0,1000}411e557dd4765d49299e45c2c6700f436da20c1e455dffa36406bd841b5863c9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25390" "*411ea6ded074b7a3e461672d528e2a8e80bddcbaddcba7a2addbc4399e44d140*",".{0,1000}411ea6ded074b7a3e461672d528e2a8e80bddcbaddcba7a2addbc4399e44d140.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","25391" "*4142fb8124bf37c432a14d469b8f3b194f3a0ea3aec3aa690d2c28d12affda90*",".{0,1000}4142fb8124bf37c432a14d469b8f3b194f3a0ea3aec3aa690d2c28d12affda90.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25397" "*415737ed99f26da6de88354af631091e63510fe1ad26cf6572878a27f160e10d*",".{0,1000}415737ed99f26da6de88354af631091e63510fe1ad26cf6572878a27f160e10d.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","25401" "*415ee455fb8a1823252290b37409c13929d66e1176efdbcbc02ff289c3151e80*",".{0,1000}415ee455fb8a1823252290b37409c13929d66e1176efdbcbc02ff289c3151e80.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25402" "*418ad6ef7472d4a0d275bb3912b5c1498e26efd801344f581f6eb63e1076e2c4*",".{0,1000}418ad6ef7472d4a0d275bb3912b5c1498e26efd801344f581f6eb63e1076e2c4.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","25422" "*41a3a760ab0e04271f8bee1fd80011ce8e93a8455f78919864bcb13200f758f5*",".{0,1000}41a3a760ab0e04271f8bee1fd80011ce8e93a8455f78919864bcb13200f758f5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25433" "*41a404f59d6640bae7726c29479528113cb7e95c0a3c5ea91eefabdf6cf43f24*",".{0,1000}41a404f59d6640bae7726c29479528113cb7e95c0a3c5ea91eefabdf6cf43f24.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25434" 
"*41b357d80dd91685737274a7c03aaabf90d9d67245f84fd1af5eff5dc56fa330*",".{0,1000}41b357d80dd91685737274a7c03aaabf90d9d67245f84fd1af5eff5dc56fa330.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25443" "*41b647ed1bfa946a10402ea65ff73f59309ac1a208e304f2ce68664ad247e3d7*",".{0,1000}41b647ed1bfa946a10402ea65ff73f59309ac1a208e304f2ce68664ad247e3d7.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25445" "*41c75d72848375144e46b9b9fe56168f365ce4bee56280757dada6c92bb8abc0*",".{0,1000}41c75d72848375144e46b9b9fe56168f365ce4bee56280757dada6c92bb8abc0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25446" "*41cc6ad3ac5e99ee088011f628fafcb4fa1e4d3846be2333e5c2a3f6143cd0c1*",".{0,1000}41cc6ad3ac5e99ee088011f628fafcb4fa1e4d3846be2333e5c2a3f6143cd0c1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25447" 
"*41d0b1d19e7427cca350e9079cd4c52145d6c1bc4c9f89d1b9b7328ceeaa9d26*",".{0,1000}41d0b1d19e7427cca350e9079cd4c52145d6c1bc4c9f89d1b9b7328ceeaa9d26.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25449" "*41d31ce4d0e4133c1121a02d2d7121bff87c1a8ebc560181517bc72bde3e8fe5*",".{0,1000}41d31ce4d0e4133c1121a02d2d7121bff87c1a8ebc560181517bc72bde3e8fe5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25450" "*41d47f100f61c503c462f53069e5c2aaad4dafec461e56b85b1de7730e4f9c4d*",".{0,1000}41d47f100f61c503c462f53069e5c2aaad4dafec461e56b85b1de7730e4f9c4d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25453" "*41dcb500cafd238bee5efab4de53eaca0c22bb5d504c4ef5e2672b91c341c5e4*",".{0,1000}41dcb500cafd238bee5efab4de53eaca0c22bb5d504c4ef5e2672b91c341c5e4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25455" "*41de382da51e57e7519012830002af83ca551927551ab8b277a21d24905ff177*",".{0,1000}41de382da51e57e7519012830002af83ca551927551ab8b277a21d24905ff177.{0,1000}","greyware_tool_keyword","rclone","Rclone is a 
command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25456" "*41f1014ee2ee7ed0a6e989deb937af9a8c01f4974fc1ef541583065475511d65*",".{0,1000}41f1014ee2ee7ed0a6e989deb937af9a8c01f4974fc1ef541583065475511d65.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25459" "*421d9592c839d903608d1725007dfe5243f30fe812c0054b9d21f1eaa05b4a1c*",".{0,1000}421d9592c839d903608d1725007dfe5243f30fe812c0054b9d21f1eaa05b4a1c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25467" 
"*421df18208f862250939213750c7573b4880fc0583a46d757e039e615bc60877*",".{0,1000}421df18208f862250939213750c7573b4880fc0583a46d757e039e615bc60877.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25468" "*4231518d2e5ed5fa9f486f6259367e6cf82e850b19842e8c4f801bba4ed781be*",".{0,1000}4231518d2e5ed5fa9f486f6259367e6cf82e850b19842e8c4f801bba4ed781be.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25470" "*4241fd63136c5f19a197d232b8be95e88b06dd9d2052c950404dd6567d922ab7*",".{0,1000}4241fd63136c5f19a197d232b8be95e88b06dd9d2052c950404dd6567d922ab7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25472" "*42551d31c0028e2322dab5e6a26702990f03ca68e7c4c68f32cbee9dd0631a7c*",".{0,1000}42551d31c0028e2322dab5e6a26702990f03ca68e7c4c68f32cbee9dd0631a7c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25476" "*4255a5579488169942100c59340c13cd7c7918ee2ef75efee8f237a7996f2c7f*",".{0,1000}4255a5579488169942100c59340c13cd7c7918ee2ef75efee8f237a7996f2c7f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25477" "*4264273bccb4971f1fd61b50ce4ac53dacdc5f3b103954524eadfa8c061e3351*",".{0,1000}4264273bccb4971f1fd61b50ce4ac53dacdc5f3b103954524eadfa8c061e3351.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25484" "*42697577979dbc80eb0f7506f4e515fcb22ef731e4199c33d98c450ed73967ac*",".{0,1000}42697577979dbc80eb0f7506f4e515fcb22ef731e4199c33d98c450ed73967ac.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25486" "*426eb5437d5f204ca5788afd05e3f8e5ead876235bb6182b06a03c353bdaf8c7*",".{0,1000}426eb5437d5f204ca5788afd05e3f8e5ead876235bb6182b06a03c353bdaf8c7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25489" "*4278d9d0aa57b846f13198f9cb4ef1ccc8ab321333cf4b73c308c3406216bedd*",".{0,1000}4278d9d0aa57b846f13198f9cb4ef1ccc8ab321333cf4b73c308c3406216bedd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25491" "*427b5beef3af730379ab66c28fe12f192768f4aebcd24e02f540feee952d001f*",".{0,1000}427b5beef3af730379ab66c28fe12f192768f4aebcd24e02f540feee952d001f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25495" "*427bb5079d04d1eb37eb67d56d2aae2d9e60f837c3abd410ade4c07cab895b7a*",".{0,1000}427bb5079d04d1eb37eb67d56d2aae2d9e60f837c3abd410ade4c07cab895b7a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - 
Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25496" "*42850266bcac0528664c59738c32ba234582c70ffa0326b35c79612914961740*",".{0,1000}42850266bcac0528664c59738c32ba234582c70ffa0326b35c79612914961740.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25499" "*429aab2804d7431f684c6d409342af57381dbcafc4b37c49606063be2f92d4a3*",".{0,1000}429aab2804d7431f684c6d409342af57381dbcafc4b37c49606063be2f92d4a3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25503" "*429ab13f98bcc8f07a1b320c2f9d89ff081facd016682ddfb73208fdcf41c9ce*",".{0,1000}429ab13f98bcc8f07a1b320c2f9d89ff081facd016682ddfb73208fdcf41c9ce.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25504" "*429b1032624f2fa211d31521f1d7f3703c022e476f6e225325842500eb3a37c6*",".{0,1000}429b1032624f2fa211d31521f1d7f3703c022e476f6e225325842500eb3a37c6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25505" "*42a758228141c7215bd913352516e8ab1e02c9f786e1f4076f7c1d245e9815b0*",".{0,1000}42a758228141c7215bd913352516e8ab1e02c9f786e1f4076f7c1d245e9815b0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25509" "*42ab238bd96334665442e896141ba5e9aca31b2a27d672f7a6f111be1f825611*",".{0,1000}42ab238bd96334665442e896141ba5e9aca31b2a27d672f7a6f111be1f825611.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25511" "*42efd51a6ecfbc09d747d57e7c8c9a056b984aae674c267b483fa776c0f35ace*",".{0,1000}42efd51a6ecfbc09d747d57e7c8c9a056b984aae674c267b483fa776c0f35ace.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25530" "*42f742e6fa63b5b289083c4d17d57065e599754618d56d6a4690199436cdd316*",".{0,1000}42f742e6fa63b5b289083c4d17d57065e599754618d56d6a4690199436cdd316.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25533" "*431c443be43fc659fd31b19c64026b55759664a44cf2e308be9c58029f80729a*",".{0,1000}431c443be43fc659fd31b19c64026b55759664a44cf2e308be9c58029f80729a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25536" "*43486a6363b656d155d759db8a67e2e7264c38984c9ffa2d7449dfb085ad009d*",".{0,1000}43486a6363b656d155d759db8a67e2e7264c38984c9ffa2d7449dfb085ad009d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public 
IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25548" "*434d77b8079a27f303d30758ad99152abf3102095b6bb3573c1de307f1ab6345*",".{0,1000}434d77b8079a27f303d30758ad99152abf3102095b6bb3573c1de307f1ab6345.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25550" "*434de407f7f00410d2413e6d854a70380a5d046fefc918170cb3347a41ba38ac*",".{0,1000}434de407f7f00410d2413e6d854a70380a5d046fefc918170cb3347a41ba38ac.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25551" "*4351d255c804e04bf047407c30ef1f96fa3930fa4ffb0891d0007d232957a87a*",".{0,1000}4351d255c804e04bf047407c30ef1f96fa3930fa4ffb0891d0007d232957a87a.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","25553" "*43534e7300dc4de9b8dc796f15ff168eb017fd8e895ad73b183ce71dbe0b9beb*",".{0,1000}43534e7300dc4de9b8dc796f15ff168eb017fd8e895ad73b183ce71dbe0b9beb.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the 
internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25555" "*4363de01f1dfd6b393f889bb916128df95a02bc1df2c294e28a48bd197a685f2*",".{0,1000}4363de01f1dfd6b393f889bb916128df95a02bc1df2c294e28a48bd197a685f2.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25559" "*4371963ea620ef5dd65176c19997b8067d5d7f72dd722a63f982b5de6659d45c*",".{0,1000}4371963ea620ef5dd65176c19997b8067d5d7f72dd722a63f982b5de6659d45c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25563" "*43791d1689cb309eac4e6e9748f86decf655732c3790d10ec2d30962900d52e2*",".{0,1000}43791d1689cb309eac4e6e9748f86decf655732c3790d10ec2d30962900d52e2.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","25566" "*43836fc05af4c552cb500cdc87a6ca06a6fb0f6b8f179171f1a971aee0a4d6f7*",".{0,1000}43836fc05af4c552cb500cdc87a6ca06a6fb0f6b8f179171f1a971aee0a4d6f7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25580" "*43861355ea40db311824a51d5a4c6dc773ebfc0c5862a252a4692847f184594c*",".{0,1000}43861355ea40db311824a51d5a4c6dc773ebfc0c5862a252a4692847f184594c.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","25581" "*43999af8d360359e36555f3a7843d4e987df5fc727e4fbd67e9bb1c4eff08150*",".{0,1000}43999af8d360359e36555f3a7843d4e987df5fc727e4fbd67e9bb1c4eff08150.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","25585" "*43a9334196ef0bd1d9c1247b7fac5110f4fa1daabd565f7ff5b6e2e8ae5102cc*",".{0,1000}43a9334196ef0bd1d9c1247b7fac5110f4fa1daabd565f7ff5b6e2e8ae5102cc.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25589" "*43b55bc926924487614bedd1aed51dbc73ec39b5eadcf2ef8e9e10f6c88ec59f*",".{0,1000}43b55bc926924487614bedd1aed51dbc73ec39b5eadcf2ef8e9e10f6c88ec59f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - 
BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25591" "*43ba05d30fa8d86631e5b24dd8eb9a81e189d146a3eb39d6cf230329bce81c8d*",".{0,1000}43ba05d30fa8d86631e5b24dd8eb9a81e189d146a3eb39d6cf230329bce81c8d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25593" "*43c68bdc9adf3cea7c3643492732aac7e8731d0abd50fdeab1f9b078801d41a8*",".{0,1000}43c68bdc9adf3cea7c3643492732aac7e8731d0abd50fdeab1f9b078801d41a8.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25598" "*43cb85b6a163e9ab66491f8e694e092a075c3974a241815332073bc16ec8adbf*",".{0,1000}43cb85b6a163e9ab66491f8e694e092a075c3974a241815332073bc16ec8adbf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest 
- EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25599" "*43d1d270b11291f565e46b42c488c37e1259768f87348c66689c2e0b0351a4c3*",".{0,1000}43d1d270b11291f565e46b42c488c37e1259768f87348c66689c2e0b0351a4c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25601" "*43d3a9e3e07ebacf08278a47845b29b0c29daac00ae1d6ca7756f47de4a67b7b*",".{0,1000}43d3a9e3e07ebacf08278a47845b29b0c29daac00ae1d6ca7756f47de4a67b7b.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","25602" "*43e2c9b640eee24a3a4da058758392e5733dc2571c5cf5b1187116821987f0cd*",".{0,1000}43e2c9b640eee24a3a4da058758392e5733dc2571c5cf5b1187116821987f0cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black 
Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25607" "*43e4ddd1285dfb190c49ab4c6d488369b5ae72234a5d87afd93bc6fc2d675076*",".{0,1000}43e4ddd1285dfb190c49ab4c6d488369b5ae72234a5d87afd93bc6fc2d675076.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25608" "*43f13d70c3f9912a1ff1eac831c2c728b3864b332974fb57b0a33a4bba85487c*",".{0,1000}43f13d70c3f9912a1ff1eac831c2c728b3864b332974fb57b0a33a4bba85487c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25610" "*43fc6c375a8f2e40c144d4b47c6d807dcb9aa4dc58fff62761beab1b13c62015*",".{0,1000}43fc6c375a8f2e40c144d4b47c6d807dcb9aa4dc58fff62761beab1b13c62015.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25614" "*44026a4ab85bb59d02241e400848ac77be17c60fc86a0d07055e8ed8fe490ba2*",".{0,1000}44026a4ab85bb59d02241e400848ac77be17c60fc86a0d07055e8ed8fe490ba2.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service 
abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","25615" "*4416b23c351acb1ea86eff2f75926ee7fbb78dea66fe2f01e38e9f81683645e9*",".{0,1000}4416b23c351acb1ea86eff2f75926ee7fbb78dea66fe2f01e38e9f81683645e9.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","25617" "*442fbc52ff95adad5ab1e0325fe7a74c5aef1816c6870d83df2fba658edb208d*",".{0,1000}442fbc52ff95adad5ab1e0325fe7a74c5aef1816c6870d83df2fba658edb208d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25623" "*-443.devtunnels.ms*",".{0,1000}\-443\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","25624" "*4445ad2ca90c814faa03bcbd25681af7063bb0d3f6ae4930e433e9d4b6ae84e3*",".{0,1000}4445ad2ca90c814faa03bcbd25681af7063bb0d3f6ae4930e433e9d4b6ae84e3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25631" "*4452bf743b91f801adca4d2faeb2333fc33f22a478251d6b910f204f0f06dd6c*",".{0,1000}4452bf743b91f801adca4d2faeb2333fc33f22a478251d6b910f204f0f06dd6c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25633" "*4466b826446373956d48283e2f52cd0fc3e52e0a9d4c67cccc5ddeb5838940cd*",".{0,1000}4466b826446373956d48283e2f52cd0fc3e52e0a9d4c67cccc5ddeb5838940cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25636" "*447a5e8b424ebc3b82e909ab8c585fda579881ad26c35cba3c32b77896008c62*",".{0,1000}447a5e8b424ebc3b82e909ab8c585fda579881ad26c35cba3c32b77896008c62.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","25645" "*447d9a15567f0eb81871ddbdc2de28bd2e339b892548bab25a9f58afbbc177a7*",".{0,1000}447d9a15567f0eb81871ddbdc2de28bd2e339b892548bab25a9f58afbbc177a7.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","25647" "*4485d53cfd05d5c8845a2c8ab222a87a236ab23fee8c6362d20813e797af2b40*",".{0,1000}4485d53cfd05d5c8845a2c8ab222a87a236ab23fee8c6362d20813e797af2b40.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25649" 
"*44941b5b0c0c3b9dfed32117a7d72c488a20e60e404ba4840489371a6af990df*",".{0,1000}44941b5b0c0c3b9dfed32117a7d72c488a20e60e404ba4840489371a6af990df.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25652" "*449748dbd27c349146664fe691ea0f2cc57748de0e42d08126fe455d51275400*",".{0,1000}449748dbd27c349146664fe691ea0f2cc57748de0e42d08126fe455d51275400.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25654" "*44a2461a051dde2487b73014e314cd29b2a8f5587d88b99d13a495c5071923b8*",".{0,1000}44a2461a051dde2487b73014e314cd29b2a8f5587d88b99d13a495c5071923b8.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25658" "*44a6a2ef723f7c63941136f85f6a757ef9c5a0d7d455f75ad9ec5a58abd62bdb*",".{0,1000}44a6a2ef723f7c63941136f85f6a757ef9c5a0d7d455f75ad9ec5a58abd62bdb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25660" "*44ce3367b0b413ad48757de8e2a1f4e2c30137e7cdc77db64906f3eb7087b78f*",".{0,1000}44ce3367b0b413ad48757de8e2a1f4e2c30137e7cdc77db64906f3eb7087b78f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25667" "*44ce6895d6f3ed6945853af571d2ac24cb04a55ff4fa9425952181b840a028d2*",".{0,1000}44ce6895d6f3ed6945853af571d2ac24cb04a55ff4fa9425952181b840a028d2.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25668" 
"*44f46a9703c0876bf31acb1ff75b29db81ce484e8dba90ff2b13e2448ebba9e0*",".{0,1000}44f46a9703c0876bf31acb1ff75b29db81ce484e8dba90ff2b13e2448ebba9e0.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","25679" "*450aed08c24729159e19afe354aba83bd88f31606765d83c6a8c91a062e49246*",".{0,1000}450aed08c24729159e19afe354aba83bd88f31606765d83c6a8c91a062e49246.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25683" "*450bf298cc66b2d739e6270a9e509eed80026db3551e3754b3810b63db62354e*",".{0,1000}450bf298cc66b2d739e6270a9e509eed80026db3551e3754b3810b63db62354e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25685" 
"*4511497ad6ecfef8d3a9fcf7585eb454edf22ea0dae6f77be2c81e7a6539dcd7*",".{0,1000}4511497ad6ecfef8d3a9fcf7585eb454edf22ea0dae6f77be2c81e7a6539dcd7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25688" "*451728655552b12d5f39dc742f9877f79ba194ec57b2807821d09b9e4094315a*",".{0,1000}451728655552b12d5f39dc742f9877f79ba194ec57b2807821d09b9e4094315a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25690" "*451d8fa3adce80028ea451e1ddf7a185ea4a3329aae156bf40fdda5d1ac60c84*",".{0,1000}451d8fa3adce80028ea451e1ddf7a185ea4a3329aae156bf40fdda5d1ac60c84.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","25693" "*4524035a526a4871f7165635991d84d188b944dcd74971d3db44335d1e7565fd*",".{0,1000}4524035a526a4871f7165635991d84d188b944dcd74971d3db44335d1e7565fd.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25695" 
"*452b0b0626412b439f83ad72cce7f280434fc690f4b4851417a759fc4d60392b*",".{0,1000}452b0b0626412b439f83ad72cce7f280434fc690f4b4851417a759fc4d60392b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25698" "*452ef95ff3475ce13c5533a13d6f3e084ec940091c710a75a335d2cdf47ce846*",".{0,1000}452ef95ff3475ce13c5533a13d6f3e084ec940091c710a75a335d2cdf47ce846.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25699" "*453388653c7d68a5478c82f71496229ec9f9fbafbff2ffc4a3817f392d23fcdd*",".{0,1000}453388653c7d68a5478c82f71496229ec9f9fbafbff2ffc4a3817f392d23fcdd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","25700" "*45348fbbfaebb3eeee47d5a96c4254e02e44da4628427fd5da1e5904479b5ce5*",".{0,1000}45348fbbfaebb3eeee47d5a96c4254e02e44da4628427fd5da1e5904479b5ce5.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25702" "*4549122ba17882aaa89999d170ca7cfe4d2f4d9cc9b6c57961abf276576c9d42*",".{0,1000}4549122ba17882aaa89999d170ca7cfe4d2f4d9cc9b6c57961abf276576c9d42.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel 
written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25709" "*4570d2de6fa24427fe99f395693a798d918c58a67fe5be87317e58548605f27d*",".{0,1000}4570d2de6fa24427fe99f395693a798d918c58a67fe5be87317e58548605f27d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25720" "*457676a918bae4371b312fcf6308578078d5c944758ff808307d9b416a98f68f*",".{0,1000}457676a918bae4371b312fcf6308578078d5c944758ff808307d9b416a98f68f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25722" "*458413bdd7a85cb8a19a7f955e25ac633fe1513f956b6bc09efd5ca51d44aa8a*",".{0,1000}458413bdd7a85cb8a19a7f955e25ac633fe1513f956b6bc09efd5ca51d44aa8a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25727" 
"*4585828aa5ae1aec2a5d5bfb371236dc180ed47489a6684d468b8b83a5d300dd*",".{0,1000}4585828aa5ae1aec2a5d5bfb371236dc180ed47489a6684d468b8b83a5d300dd.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25728" "*459f93b1384a4a734787f259252959e88baaea1cb7b790a4f1779c4163efb1ed*",".{0,1000}459f93b1384a4a734787f259252959e88baaea1cb7b790a4f1779c4163efb1ed.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25734" "*45aa2b0be897c25e45040ae8b45c93882f3c15802ce8be0ab09c3a54b95df10c*",".{0,1000}45aa2b0be897c25e45040ae8b45c93882f3c15802ce8be0ab09c3a54b95df10c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25738" "*45bc362420127dc6d00395da6c61d94036da73d110119965a52a8d83a5a88d31*",".{0,1000}45bc362420127dc6d00395da6c61d94036da73d110119965a52a8d83a5a88d31.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - 
T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25741" "*45d5b7799b90d8d6cc2d926d7920383a606842162e41303f5044058f5848892c*",".{0,1000}45d5b7799b90d8d6cc2d926d7920383a606842162e41303f5044058f5848892c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25745" "*45ec732d50b2517dc2c860317a3bf79867634a8143e4a441a3e399434ad6c141*",".{0,1000}45ec732d50b2517dc2c860317a3bf79867634a8143e4a441a3e399434ad6c141.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25750" 
"*45f654720ebb2583ea767c849f3ac197e386c6a8dd0015db4084603da6c9ae8b*",".{0,1000}45f654720ebb2583ea767c849f3ac197e386c6a8dd0015db4084603da6c9ae8b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25751" "*45f65dafd172f3a5e05eabf3d4efbb954c92a88851a027f79c19f61a10b78287*",".{0,1000}45f65dafd172f3a5e05eabf3d4efbb954c92a88851a027f79c19f61a10b78287.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25752" "*4600b361c95e232cf152cb7a0e9c004fd8e76e577ced2bae2e063dda12a5c50b*",".{0,1000}4600b361c95e232cf152cb7a0e9c004fd8e76e577ced2bae2e063dda12a5c50b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25755" "*460acbb38b0bdb3d227de65010b1a323f448ec196860ce4979c0b8314763eb56*",".{0,1000}460acbb38b0bdb3d227de65010b1a323f448ec196860ce4979c0b8314763eb56.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","25757" 
"*46143050aa4cea03129c03b45faacccaa3773f2d7f300f7f031ffb83de547cbf*",".{0,1000}46143050aa4cea03129c03b45faacccaa3773f2d7f300f7f031ffb83de547cbf.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","25759" "*4615cb76b150bcc5934470afc6d899730cdc6c80be322d519874067f8370b3f9*",".{0,1000}4615cb76b150bcc5934470afc6d899730cdc6c80be322d519874067f8370b3f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25761" "*461c507d612d0d88c91ef4dde79f266ecbaa3b5518df24597b8b40af6dc90ddb*",".{0,1000}461c507d612d0d88c91ef4dde79f266ecbaa3b5518df24597b8b40af6dc90ddb.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25762" 
"*4625292d15399581f185b11ab34ba654c5b10f25bfe917132f7e1dcd19dddc94*",".{0,1000}4625292d15399581f185b11ab34ba654c5b10f25bfe917132f7e1dcd19dddc94.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25766" "*462f891bb87bcfa4551769f696db8bb39d168f2086951bccf0bd5d02e906aa8b*",".{0,1000}462f891bb87bcfa4551769f696db8bb39d168f2086951bccf0bd5d02e906aa8b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25770" "*464d8deeac82443951b7c6e10caf82f4ba0d8ee6687540cc1047404a743465b6*",".{0,1000}464d8deeac82443951b7c6e10caf82f4ba0d8ee6687540cc1047404a743465b6.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","25774" 
"*4655c54ddae45ebc1b2b32a9568af775791964cf9ed6e2198a5d11ce466c23fd*",".{0,1000}4655c54ddae45ebc1b2b32a9568af775791964cf9ed6e2198a5d11ce466c23fd.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25775" "*4668623f3ac867b7edd563e139dff0bda23393199629d5b8c5499328999ed7ee*",".{0,1000}4668623f3ac867b7edd563e139dff0bda23393199629d5b8c5499328999ed7ee.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","25780" "*466869834998e6668cf4b7e73ed043c145c73c5a62e21d1bbf1ebf7cde3f86bd*",".{0,1000}466869834998e6668cf4b7e73ed043c145c73c5a62e21d1bbf1ebf7cde3f86bd.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","25781" "*4669cb8c374ff0ec48c0f6d15a939c59390c2109645914dd52d4deca519c084d*",".{0,1000}4669cb8c374ff0ec48c0f6d15a939c59390c2109645914dd52d4deca519c084d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25782" 
"*466ccb2dcccfff96a199d4f84c05a0e80e932ba44d0f4de4b851f1b8180a7a4c*",".{0,1000}466ccb2dcccfff96a199d4f84c05a0e80e932ba44d0f4de4b851f1b8180a7a4c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25783" "*466de31afaad2ff25fb1e080ec326c31d4d08bc8639b2c957f3f02f2e5900139*",".{0,1000}466de31afaad2ff25fb1e080ec326c31d4d08bc8639b2c957f3f02f2e5900139.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","25784" "*466fba9c2e3bb99aaaa0041443a360a4fef5ccbb869e995b8f60dc0a3ef70e08*",".{0,1000}466fba9c2e3bb99aaaa0041443a360a4fef5ccbb869e995b8f60dc0a3ef70e08.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25785" "*46805de0bffb415983feda5b60fc36618b3aa8622517bba3e565362caf2d3a0d*",".{0,1000}46805de0bffb415983feda5b60fc36618b3aa8622517bba3e565362caf2d3a0d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 
8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25790" "*46813eb8d4d50118f67087792670db2b8efdef414c6d3134ad474f1e6856c704*",".{0,1000}46813eb8d4d50118f67087792670db2b8efdef414c6d3134ad474f1e6856c704.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25792" "*46843aa0bde60a8caf19de891d80c68c51d85f36334f46f0477282fec1c6eb8c*",".{0,1000}46843aa0bde60a8caf19de891d80c68c51d85f36334f46f0477282fec1c6eb8c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25793" "*4684afc644880a2ba1b92c512ed3d4e5c653236d370e069b13065b1af878fe5c*",".{0,1000}4684afc644880a2ba1b92c512ed3d4e5c653236d370e069b13065b1af878fe5c.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25794" "*4688b505beadf010c8c571386ded7ff67a07fcbc261108b74b6d24b8372f609e*",".{0,1000}4688b505beadf010c8c571386ded7ff67a07fcbc261108b74b6d24b8372f609e.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","25795" "*46894d7590536bd8edf120a558ab6044327bf8b04456af3fd6780eed0a8aeb53*",".{0,1000}46894d7590536bd8edf120a558ab6044327bf8b04456af3fd6780eed0a8aeb53.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25796" "*468a7286eb3df5e54e711ed56796e0b5d2ffe1d237677d4318c26b5f20f265d2*",".{0,1000}468a7286eb3df5e54e711ed56796e0b5d2ffe1d237677d4318c26b5f20f265d2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25797" "*469b789cfedcb5d0c3ffd47a4fb4666f38e582b56fb75efb21e38de4b23d8e9b*",".{0,1000}469b789cfedcb5d0c3ffd47a4fb4666f38e582b56fb75efb21e38de4b23d8e9b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25801" "*46a5d26f4dcb3d1e7d52cd2c26739782837d48dde9fb7a0255f9ccbfc1092e47*",".{0,1000}46a5d26f4dcb3d1e7d52cd2c26739782837d48dde9fb7a0255f9ccbfc1092e47.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25803" "*46b6b8e83ccbbbc2e639c852dae9a41e79f8523d444fe39f9d8f7cc5e7661081*",".{0,1000}46b6b8e83ccbbbc2e639c852dae9a41e79f8523d444fe39f9d8f7cc5e7661081.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 
- TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25808" "*46c6e992b3552d3672c40e7a91ecfb6f9b4620199cf2b5d1dd11cfccd44fa4b0*",".{0,1000}46c6e992b3552d3672c40e7a91ecfb6f9b4620199cf2b5d1dd11cfccd44fa4b0.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25811" "*46cb2aec929225e1d9c943333a1e117660c11fc3d490397142cf7182faff8535*",".{0,1000}46cb2aec929225e1d9c943333a1e117660c11fc3d490397142cf7182faff8535.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25814" "*46d335c6ebda027aea00f5a8261b4d1a1763e17b858fe512bbe541f9bb66d464*",".{0,1000}46d335c6ebda027aea00f5a8261b4d1a1763e17b858fe512bbe541f9bb66d464.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","25816" 
"*46d4423a5cf1811ceb701cd756aa94bcc6d53a3c4ca49d961a4fd2b2a75ab300*",".{0,1000}46d4423a5cf1811ceb701cd756aa94bcc6d53a3c4ca49d961a4fd2b2a75ab300.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25818" "*46d932ff5e5ca781fb01d313a56cf4087f27250fbdc0d7cb56fa958476bb8af8*",".{0,1000}46d932ff5e5ca781fb01d313a56cf4087f27250fbdc0d7cb56fa958476bb8af8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25819" "*46d99596923f252752f41d0efef2e3f37b40cce80771202b1cedefa608dae3dc*",".{0,1000}46d99596923f252752f41d0efef2e3f37b40cce80771202b1cedefa608dae3dc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25820" "*46e430adf1e95bd73f253c42f270b1e2b209457cad4e45edae59ff6e87a27069*",".{0,1000}46e430adf1e95bd73f253c42f270b1e2b209457cad4e45edae59ff6e87a27069.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for 
data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25822" "*47076023e33117b13ed9e9ef7be415067600c180b460a1c73823560de005eb0d*",".{0,1000}47076023e33117b13ed9e9ef7be415067600c180b460a1c73823560de005eb0d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25831" "*4721c0b58d6421bff09d13ade097f71af24d0752c2a9d69021f53e2726c76b5b*",".{0,1000}4721c0b58d6421bff09d13ade097f71af24d0752c2a9d69021f53e2726c76b5b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25836" "*4743ea0bcead6c3d7e8444711f627c0ee495cb651d3490960ec8b6fb742ae9db*",".{0,1000}4743ea0bcead6c3d7e8444711f627c0ee495cb651d3490960ec8b6fb742ae9db.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25839" "*4749831085b1c88950bff5d47d87409a05018597224f4149a22844163e6e1b75*",".{0,1000}4749831085b1c88950bff5d47d87409a05018597224f4149a22844163e6e1b75.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25841" "*47532247f32b7a9f42b0dfe5a1314a674e92deef79eaab647af34507a677d375*",".{0,1000}47532247f32b7a9f42b0dfe5a1314a674e92deef79eaab647af34507a677d375.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","25843" "*475F1C8A-F70D-45C0-95E5-EB783935277D*",".{0,1000}475F1C8A\-F70D\-45C0\-95E5\-EB783935277D.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#GUIDproject","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","25847" "*4773c4275d0b56d5b80953003dc9956a6a7aa8c4a016480986fb409aef9b161c*",".{0,1000}4773c4275d0b56d5b80953003dc9956a6a7aa8c4a016480986fb409aef9b161c.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","25852" "*47740183a3e2ffdb4acc17a97456de9406f158ec4c964d9d6627fd6711032a86*",".{0,1000}47740183a3e2ffdb4acc17a97456de9406f158ec4c964d9d6627fd6711032a86.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25853" 
"*478256ef0c35f13ada15baea0dd8a7e09c40ef2ff2e0a54a83681d920b93ba8a*",".{0,1000}478256ef0c35f13ada15baea0dd8a7e09c40ef2ff2e0a54a83681d920b93ba8a.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","25859" "*4794997fffc632dd8d357e9d00ca616e9efb2741e0f0acd1599f90be6281b9e6*",".{0,1000}4794997fffc632dd8d357e9d00ca616e9efb2741e0f0acd1599f90be6281b9e6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","25863" "*4796c4183abeeb96966e3eb03493345cd7e148688e9fe5613c5bda26692063b7*",".{0,1000}4796c4183abeeb96966e3eb03493345cd7e148688e9fe5613c5bda26692063b7.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","25864" "*47a4c440be07a166b6b89e56bff1ed3df43f4398838037c50e2c8c937db92498*",".{0,1000}47a4c440be07a166b6b89e56bff1ed3df43f4398838037c50e2c8c937db92498.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","25866" "*47a5be9f74f89fe03ee5f7db50e5efaf858629e992cfc78c99562bcd888753f2*",".{0,1000}47a5be9f74f89fe03ee5f7db50e5efaf858629e992cfc78c99562bcd888753f2.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","25867" "*47ab8cf4c8a99b270634aae6b5bdbf49ba75aedc09ca04e0fd43a7be9108c27a*",".{0,1000}47ab8cf4c8a99b270634aae6b5bdbf49ba75aedc09ca04e0fd43a7be9108c27a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25870" "*47b8e0993b997e7f465802945187521ba8c68592af990215cdf43bef121f8df7*",".{0,1000}47b8e0993b997e7f465802945187521ba8c68592af990215cdf43bef121f8df7.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - 
T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25873" "*47c3345b1bb58e7f984c41831bbc845f1c61a6add5cbf5b3a52a691c78e83c9a*",".{0,1000}47c3345b1bb58e7f984c41831bbc845f1c61a6add5cbf5b3a52a691c78e83c9a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25874" "*47d38c5f263c1372cb9ce16e921c06cf34911ba15639f6151e07fb47abb296fd*",".{0,1000}47d38c5f263c1372cb9ce16e921c06cf34911ba15639f6151e07fb47abb296fd.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25878" "*47e0483c22d1a0554dfa2b9b51895e866932b4c7269dee4ccc6ad41b3e433abc*",".{0,1000}47e0483c22d1a0554dfa2b9b51895e866932b4c7269dee4ccc6ad41b3e433abc.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25882" "*47e3c8363e117bc8712d431f05e7041f313629dd27efb004a369bf24b07c6908*",".{0,1000}47e3c8363e117bc8712d431f05e7041f313629dd27efb004a369bf24b07c6908.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25883" "*47e4818c3db3471c950cdb4c4732232bafc584997098c92ada8a0f720e2ad448*",".{0,1000}47e4818c3db3471c950cdb4c4732232bafc584997098c92ada8a0f720e2ad448.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","25884" "*47e484261a88ba1a895699d8ff0239e1f5089b4a96128e8e610e2b41a9bd4605*",".{0,1000}47e484261a88ba1a895699d8ff0239e1f5089b4a96128e8e610e2b41a9bd4605.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","25885" "*47ebf0df8afd0a6c51d8f213169f8e9b214514f0f2a615188ffdf534f9c8968a*",".{0,1000}47ebf0df8afd0a6c51d8f213169f8e9b214514f0f2a615188ffdf534f9c8968a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25887" 
"*47fd3fa87768d26e5e71cd73d507d5faf8ec898ead1ec46487e54c8e0ed63838*",".{0,1000}47fd3fa87768d26e5e71cd73d507d5faf8ec898ead1ec46487e54c8e0ed63838.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25892" "*48103d949e2b72562259d42401462ba19589a2e31676396d4fb631325e12501b*",".{0,1000}48103d949e2b72562259d42401462ba19589a2e31676396d4fb631325e12501b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25897" "*4811c2fc85e4397ae7670768608a717c044928138d1238e58bd28c038b7178ff*",".{0,1000}4811c2fc85e4397ae7670768608a717c044928138d1238e58bd28c038b7178ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25899" "*48174210fbafbc975cb8774bc4fa277aceb5a1ba565deef2df244173a21ecc0a*",".{0,1000}48174210fbafbc975cb8774bc4fa277aceb5a1ba565deef2df244173a21ecc0a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","25900" "*481e17864e25d9acaca14aefd04e0794d310b080474f34d8dad849fd64f4f8ac*",".{0,1000}481e17864e25d9acaca14aefd04e0794d310b080474f34d8dad849fd64f4f8ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25902" "*48282c20b9dc641bf52f79d0312bfb3c4d676ec1b084b4cf6d43ebbffa5d7041*",".{0,1000}48282c20b9dc641bf52f79d0312bfb3c4d676ec1b084b4cf6d43ebbffa5d7041.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25906" "*482e5f220835c0ed0bad7c5823a7aab0e3c04fbe020d13f403400ddb368ab705*",".{0,1000}482e5f220835c0ed0bad7c5823a7aab0e3c04fbe020d13f403400ddb368ab705.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25908" "*482f372f9e30c5d31eb06c3ca96f4ae58df4aee2e714b1a613f21d99f478dfcf*",".{0,1000}482f372f9e30c5d31eb06c3ca96f4ae58df4aee2e714b1a613f21d99f478dfcf.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25909" "*484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384*",".{0,1000}484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However, 
attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","25917" "*485911ecec88451f4e4272a732526b5024b815630d0d238c452d7faa097f39de*",".{0,1000}485911ecec88451f4e4272a732526b5024b815630d0d238c452d7faa097f39de.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25920" "*486bb5da7eacdbf2778cf31594f38ba458b4cc47076d7014e20e92dc4e74df6f*",".{0,1000}486bb5da7eacdbf2778cf31594f38ba458b4cc47076d7014e20e92dc4e74df6f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25923" 
"*487413ff39c7aa044e1b5ab8a0047d6ef7c9c25550fec4d91e8a0a97fd1282ac*",".{0,1000}487413ff39c7aa044e1b5ab8a0047d6ef7c9c25550fec4d91e8a0a97fd1282ac.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","25927" "*4876b52e363af1705a6c5ccc1c6be930dd47226f4b2835ec827bf8e4de33c40f*",".{0,1000}4876b52e363af1705a6c5ccc1c6be930dd47226f4b2835ec827bf8e4de33c40f.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","25928" "*487a53f4e4f82f5d0789f4cc7b942bd2accddcd2eb296669afbf7d8cf91c421b*",".{0,1000}487a53f4e4f82f5d0789f4cc7b942bd2accddcd2eb296669afbf7d8cf91c421b.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","25930" "*489b3873fd79e99feae45e5953ccca3fd21a84eb68a99654ca0a6ac1b2dcd255*",".{0,1000}489b3873fd79e99feae45e5953ccca3fd21a84eb68a99654ca0a6ac1b2dcd255.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25935" 
"*48a3acd3b29c436bb696a1486128fa509bd08323eadafb8c7dad54882b45b8f4*",".{0,1000}48a3acd3b29c436bb696a1486128fa509bd08323eadafb8c7dad54882b45b8f4.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25938" "*48a3b1707d22b65890d7feae45f45dff52faa7234ea5fb6f8c738eb0ad265246*",".{0,1000}48a3b1707d22b65890d7feae45f45dff52faa7234ea5fb6f8c738eb0ad265246.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25939" "*48adf2450c4a087c1c4982a2a789d8f1b1e88b8b8d959fb273a76f8b1888*",".{0,1000}48adf2450c4a087c1c4982a2a789d8f1b1e88b8b8d959fb273a76f8b1888.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","#filehash","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","25945" "*48c45f037e2d32fa7f55d0c1e9957bba8cf9bce467437c389c5630d00dd46e10*",".{0,1000}48c45f037e2d32fa7f55d0c1e9957bba8cf9bce467437c389c5630d00dd46e10.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","25951" 
"*48ca8e0be856ea824d915079a443f1aeca29ec805290d8605066f7ab59401abe*",".{0,1000}48ca8e0be856ea824d915079a443f1aeca29ec805290d8605066f7ab59401abe.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","25955" "*48e04bc2e7edc9c057767539cb7c4a8b71e8196242e2cb8e461536902884692c*",".{0,1000}48e04bc2e7edc9c057767539cb7c4a8b71e8196242e2cb8e461536902884692c.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","25959" "*48ef85a7f6eea1b650affacb62f046eca8a965f134482ff808e4a148a69e72b5*",".{0,1000}48ef85a7f6eea1b650affacb62f046eca8a965f134482ff808e4a148a69e72b5.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","25961" "*48faaec738d9bba59f0451dba768acb7af36e25f01690accb1f057efcfe97af0*",".{0,1000}48faaec738d9bba59f0451dba768acb7af36e25f01690accb1f057efcfe97af0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - 
Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25967" "*491301f6b3bc5074f978eb8ad5629923be5e5a750f43d7df96fc9c48612a0016*",".{0,1000}491301f6b3bc5074f978eb8ad5629923be5e5a750f43d7df96fc9c48612a0016.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","25973" "*49191e1156cf0c41d9e6af35bd31cf2a2884107483823e17671323717905e771*",".{0,1000}49191e1156cf0c41d9e6af35bd31cf2a2884107483823e17671323717905e771.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25975" "*491c9767bdd4c5b94794d52caa0d2e4c50239b235adbc0e2b4b12a15639ec4c0*",".{0,1000}491c9767bdd4c5b94794d52caa0d2e4c50239b235adbc0e2b4b12a15639ec4c0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - 
TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","25976" "*491d4081df6962b019e8f011c1b33bc09cbe8d53b9e12a7aba908518474b27bf*",".{0,1000}491d4081df6962b019e8f011c1b33bc09cbe8d53b9e12a7aba908518474b27bf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","25978" "*492387572bb2c4de904fa400636e05492e7200b331335743d46f2f2874150162*",".{0,1000}492387572bb2c4de904fa400636e05492e7200b331335743d46f2f2874150162.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","25979" "*4973faa197eedbe906929425c2f85a2f29411fd84e1b0599e4951c07fe5f37be*",".{0,1000}4973faa197eedbe906929425c2f85a2f29411fd84e1b0599e4951c07fe5f37be.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","25990" 
"*498244e2fa32092cfd4b6f2d0b62a8f963724738cd01ed9f623369ff55a309f8*",".{0,1000}498244e2fa32092cfd4b6f2d0b62a8f963724738cd01ed9f623369ff55a309f8.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","25995" "*4988a9006fef04ca8ccba9ea08e63a8e960863a4106179c65d445cd71c3ea48a*",".{0,1000}4988a9006fef04ca8ccba9ea08e63a8e960863a4106179c65d445cd71c3ea48a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","25998" "*49a093e97e5091456452d7e8edc9450cb0028ba777b62711b209b9db12317cdd*",".{0,1000}49a093e97e5091456452d7e8edc9450cb0028ba777b62711b209b9db12317cdd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26001" "*49a48e879f7480238d2fe17520ac19afe83685aac0b886719f9e1eac818b75cc*",".{0,1000}49a48e879f7480238d2fe17520ac19afe83685aac0b886719f9e1eac818b75cc.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26004" 
"*49a78cb4a08364e9c56e6d5771f27a93c3dd70b633cc272b9ca35aaac4b89513*",".{0,1000}49a78cb4a08364e9c56e6d5771f27a93c3dd70b633cc272b9ca35aaac4b89513.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26005" "*49b63459ce22867bee13f2589aba38a51ed5bc728fd6f38f9ab107c7a4f00471*",".{0,1000}49b63459ce22867bee13f2589aba38a51ed5bc728fd6f38f9ab107c7a4f00471.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26007" "*49e7c86340e6930402911320150a14e5aad183efafb8b56747d97a8a5469a187*",".{0,1000}49e7c86340e6930402911320150a14e5aad183efafb8b56747d97a8a5469a187.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26016" "*49f65f132fc76bb1eeebe13b06b87de99018be5be3cc8873af778359d17756c3*",".{0,1000}49f65f132fc76bb1eeebe13b06b87de99018be5be3cc8873af778359d17756c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud 
storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26018" "*4a0231a6f5ccb7f5908a9d7f12987efa1b45ff2148214360b4a205f15e77075f*",".{0,1000}4a0231a6f5ccb7f5908a9d7f12987efa1b45ff2148214360b4a205f15e77075f.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26019" "*4a0b0a80a93836b02dea026b0c8277066e78ab1a73bba2793ee0ca11609846d1*",".{0,1000}4a0b0a80a93836b02dea026b0c8277066e78ab1a73bba2793ee0ca11609846d1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26021" "*4a144263cc2ecadea15182ecfca96ab398f5a1c8ee7b2f6ce6cb35b595ec9e9c*",".{0,1000}4a144263cc2ecadea15182ecfca96ab398f5a1c8ee7b2f6ce6cb35b595ec9e9c.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","26022" "*4a181ee46f5d2407b4993a051cd293457df643e6394048fbf70cef6b06c1c254*",".{0,1000}4a181ee46f5d2407b4993a051cd293457df643e6394048fbf70cef6b06c1c254.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26023" "*4a1a3fdcfd575e328785cb4d09f88998fe2c3b1b0f07e77252ca28ca002be687*",".{0,1000}4a1a3fdcfd575e328785cb4d09f88998fe2c3b1b0f07e77252ca28ca002be687.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - 
Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26025" "*4a302071d7fc21367f31e0d9c5f77ef1eb41ec097eaeadb8d65472b6be55ab99*",".{0,1000}4a302071d7fc21367f31e0d9c5f77ef1eb41ec097eaeadb8d65472b6be55ab99.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","26030" "*4a3173e22289cfa77a5bfbe2563b895f3ac736c902debc9b95a9c46d1d5eb658*",".{0,1000}4a3173e22289cfa77a5bfbe2563b895f3ac736c902debc9b95a9c46d1d5eb658.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26031" "*4a3ee8b921c12d1184de02df355ad0b69fde2dd0c220bfe9af0610e4fa0b3e8b*",".{0,1000}4a3ee8b921c12d1184de02df355ad0b69fde2dd0c220bfe9af0610e4fa0b3e8b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of 
ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26034" "*4a45903123dc54041be3142c9736129aad4a5a440d1f0388e0b8875808cc3d56*",".{0,1000}4a45903123dc54041be3142c9736129aad4a5a440d1f0388e0b8875808cc3d56.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26035" "*4a505e5ba3cb162eaee14fe99e0340b1477d79f8b3ba9d9cf756847a5d8c6f47*",".{0,1000}4a505e5ba3cb162eaee14fe99e0340b1477d79f8b3ba9d9cf756847a5d8c6f47.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26039" 
"*4a5635751d0b33ed9473bee0c056269d17d33aa3c4a5019d9bb5947a61cb081a*",".{0,1000}4a5635751d0b33ed9473bee0c056269d17d33aa3c4a5019d9bb5947a61cb081a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26042" "*4a641858ba780c2ebe714eb7a29f3c254c1ca77cc38bcb91c326f2b7fdb04e93*",".{0,1000}4a641858ba780c2ebe714eb7a29f3c254c1ca77cc38bcb91c326f2b7fdb04e93.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26045" "*4a97ad649c31411528694fdd8751bc6521f535f57022e6a6c0a39988df20d7b0*",".{0,1000}4a97ad649c31411528694fdd8751bc6521f535f57022e6a6c0a39988df20d7b0.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","0","#filehash","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","26055" "*4aa58ab0200ea5d75c2256933eeb1da1939fe741ded667c97809a2f64e3dd545*",".{0,1000}4aa58ab0200ea5d75c2256933eeb1da1939fe741ded667c97809a2f64e3dd545.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services 
- abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26060" "*4aa6c882ba3b5d8a4a62f183f4ea878a9d86dda8e6713c44f0bb16528bc124df*",".{0,1000}4aa6c882ba3b5d8a4a62f183f4ea878a9d86dda8e6713c44f0bb16528bc124df.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","26061" "*4ac568db513a2f768797b6e0567c6158c518badf907493a7567191ac7e5daff3*",".{0,1000}4ac568db513a2f768797b6e0567c6158c518badf907493a7567191ac7e5daff3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26084" 
"*4acadcd4e74a40bb798d207b3d25b4b5f43cfddc39f9beb78fe5badf428b47a6*",".{0,1000}4acadcd4e74a40bb798d207b3d25b4b5f43cfddc39f9beb78fe5badf428b47a6.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","26085" "*4acb4274db08c54c943eef6f456c6913557163d203cbd8be63a6780e5dcf7a42*",".{0,1000}4acb4274db08c54c943eef6f456c6913557163d203cbd8be63a6780e5dcf7a42.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","26087" "*4acda13c308d3fd2b892ddf6fe210b8438c7a97abe88797315d06600fcfcbcc6*",".{0,1000}4acda13c308d3fd2b892ddf6fe210b8438c7a97abe88797315d06600fcfcbcc6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26088" "*4acdeafa77e33da7c65fe87f23e52b5d1e7768fc307bca5da1bc1c4af1f25612*",".{0,1000}4acdeafa77e33da7c65fe87f23e52b5d1e7768fc307bca5da1bc1c4af1f25612.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - 
Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26089" "*4ad31603e4c12ec939ad7cc0c64f0545644e256b5180d458cb20461a82646fd0*",".{0,1000}4ad31603e4c12ec939ad7cc0c64f0545644e256b5180d458cb20461a82646fd0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26090" "*4ad8bca8939396f8a99252e096891b064472e3abd9b8fdd1b7c2e4c80cc74348*",".{0,1000}4ad8bca8939396f8a99252e096891b064472e3abd9b8fdd1b7c2e4c80cc74348.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26092" "*4adeaf8287ac71363bb2c5ccd6b67b8c973f783702c18c444741875375772be1*",".{0,1000}4adeaf8287ac71363bb2c5ccd6b67b8c973f783702c18c444741875375772be1.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#filehash","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","26095" "*4ae725aa9632f0b441ae858c378c5b97322315cfea4445c2b03c58363a58fe37*",".{0,1000}4ae725aa9632f0b441ae858c378c5b97322315cfea4445c2b03c58363a58fe37.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26098" "*4aed98c21ef4534951b6faeab4982376695ae1e10ca90aedd27a9bfcf6caea2e*",".{0,1000}4aed98c21ef4534951b6faeab4982376695ae1e10ca90aedd27a9bfcf6caea2e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26100" "*4af2dc16619d3a9da05be6220a9b160433d5b0fc37bd6b679afbdd6e73a79a4f*",".{0,1000}4af2dc16619d3a9da05be6220a9b160433d5b0fc37bd6b679afbdd6e73a79a4f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26102" "*4af6b42eb79a5290d1e24e534a0ec34521dc2d30ef60898abd092ddb2e1cd55c*",".{0,1000}4af6b42eb79a5290d1e24e534a0ec34521dc2d30ef60898abd092ddb2e1cd55c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26103" "*4b01df48ff3611b58680b8671c5371fed09b18333fe608187470666cb5c906ce*",".{0,1000}4b01df48ff3611b58680b8671c5371fed09b18333fe608187470666cb5c906ce.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","26105" "*4b1a9bf186122958ed2d540c0c182057421d0caf9ede82514fe9905705bd49ee*",".{0,1000}4b1a9bf186122958ed2d540c0c182057421d0caf9ede82514fe9905705bd49ee.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26109" "*4b2335364a62f3268581e6343b3b9243fa89ef6a48ca9b24ea2db1a949e91156*",".{0,1000}4b2335364a62f3268581e6343b3b9243fa89ef6a48ca9b24ea2db1a949e91156.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - 
Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26112" "*4b237151154d322c14c5075688d9553c99b5076db50eaa114cf04e302d07b4a7*",".{0,1000}4b237151154d322c14c5075688d9553c99b5076db50eaa114cf04e302d07b4a7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26113" "*4b24ad142d1a16975056d11b6ea348fb49e150109422e04c78b7b934c420a679*",".{0,1000}4b24ad142d1a16975056d11b6ea348fb49e150109422e04c78b7b934c420a679.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26115" 
"*4b25db2797b029ea009c3a5267c2e7e91ad6857cd2a8603df19cb8d94e5aaa5c*",".{0,1000}4b25db2797b029ea009c3a5267c2e7e91ad6857cd2a8603df19cb8d94e5aaa5c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26118" "*4b32d5e7e01617675e41032f6285dd2334ce5143cc1457c06eabe5bba0a1657f*",".{0,1000}4b32d5e7e01617675e41032f6285dd2334ce5143cc1457c06eabe5bba0a1657f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26121" "*4b33c31207212855998ef003cbe8fac7d6ced944f89f56cca6f152c706eedfb6*",".{0,1000}4b33c31207212855998ef003cbe8fac7d6ced944f89f56cca6f152c706eedfb6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26122" "*4b4cbc201cc169fe490db4a53cf034b28592ea33a14bf38c9a422c1ab4650159*",".{0,1000}4b4cbc201cc169fe490db4a53cf034b28592ea33a14bf38c9a422c1ab4650159.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26125" "*4b6f076b8a518a49444b774e06d814026f85678e5a9139b88e533ded60d03672*",".{0,1000}4b6f076b8a518a49444b774e06d814026f85678e5a9139b88e533ded60d03672.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26132" "*4b7786288011e1255695cdae0c2199353203fd94c2c6fa57bc3be3d332344c6a*",".{0,1000}4b7786288011e1255695cdae0c2199353203fd94c2c6fa57bc3be3d332344c6a.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","26133" "*4b7c2e0e6e2491b55ca2bfc8d7198fa7e750afb8a5e779fa50623fa718fd7827*",".{0,1000}4b7c2e0e6e2491b55ca2bfc8d7198fa7e750afb8a5e779fa50623fa718fd7827.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26135" "*4B9C98F6-AF30-4280-873D-B45C7A7B89EB*",".{0,1000}4B9C98F6\-AF30\-4280\-873D\-B45C7A7B89EB.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","#GUIDproject","N/A","5","10","N/A","N/A","N/A","N/A","26141" "*4ba042e8f3a3f5cf7e01e64461d27f5733c505b8a0f221fb91ed44e93627cd91*",".{0,1000}4ba042e8f3a3f5cf7e01e64461d27f5733c505b8a0f221fb91ed44e93627cd91.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","26144" "*4babb86918876772a6370e0e08a2640186971a1124728616289a9bda68ddc434*",".{0,1000}4babb86918876772a6370e0e08a2640186971a1124728616289a9bda68ddc434.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26146" 
"*4bb2a508148f1895c0371293b6430f18a4083e753e0901dc6257b9d16114f28e*",".{0,1000}4bb2a508148f1895c0371293b6430f18a4083e753e0901dc6257b9d16114f28e.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","26147" "*4bb56ba1129679c1f8ad298151de05396a2962b970f98062dc85edcabb7070e1*",".{0,1000}4bb56ba1129679c1f8ad298151de05396a2962b970f98062dc85edcabb7070e1.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26149" "*4bbad7d145fa96ea1255c3f3457c2ca621993be429095cea398e98625c59a640*",".{0,1000}4bbad7d145fa96ea1255c3f3457c2ca621993be429095cea398e98625c59a640.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","26154" "*4bbfb1e757467a2601bd97984990f52183623293f20e2c03bfe4a744af2742e3*",".{0,1000}4bbfb1e757467a2601bd97984990f52183623293f20e2c03bfe4a744af2742e3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26157" "*4bc1b107cd497c88dfbc262ff7bcae4e85874848df0435bb7ecb8334f23b19b3*",".{0,1000}4bc1b107cd497c88dfbc262ff7bcae4e85874848df0435bb7ecb8334f23b19b3.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","26159" "*4bc74cda62178ccf38917109af3b74d7612ac1fbc234d9c69f0be49e5b7425ce*",".{0,1000}4bc74cda62178ccf38917109af3b74d7612ac1fbc234d9c69f0be49e5b7425ce.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","26161" "*4bcce7c204dc4ce408bfb2a127ff17294b845d435d6f5f3cb3ab6064d9d3188d*",".{0,1000}4bcce7c204dc4ce408bfb2a127ff17294b845d435d6f5f3cb3ab6064d9d3188d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26163" "*4bd934b1beb4ce52cad55ccdbb7528fe449e372125352f2ca4b6ce4cc7f489d6*",".{0,1000}4bd934b1beb4ce52cad55ccdbb7528fe449e372125352f2ca4b6ce4cc7f489d6.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to 
internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26167" "*4be299e6a3466a6306d4ead72959aafa4a6c05618ddabc47d67dd0efd34281d7*",".{0,1000}4be299e6a3466a6306d4ead72959aafa4a6c05618ddabc47d67dd0efd34281d7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26169" "*4be713f2b888f93d3b271f35d699e027da7bf23e7e79caa8281a856465381441*",".{0,1000}4be713f2b888f93d3b271f35d699e027da7bf23e7e79caa8281a856465381441.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26170" "*4beb7f83d9996c45b7d2f0b504400ad6b87c93793c231d629c47733e8275323c*",".{0,1000}4beb7f83d9996c45b7d2f0b504400ad6b87c93793c231d629c47733e8275323c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26173" "*4bec505b55c8b2271556dee2b689b05586c54cf1ba32a581bb5ebaaa4f42f580*",".{0,1000}4bec505b55c8b2271556dee2b689b05586c54cf1ba32a581bb5ebaaa4f42f580.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26174" "*4bf552065bb179e2da10c1e65463ccc68f451faae21468ebc91ec83308ebbe36*",".{0,1000}4bf552065bb179e2da10c1e65463ccc68f451faae21468ebc91ec83308ebbe36.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26175" "*4bf8d88abad30daff8751a1c3a82769901969db2691ba8047cca09641410fca3*",".{0,1000}4bf8d88abad30daff8751a1c3a82769901969db2691ba8047cca09641410fca3.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26177" "*4bfa481a7c9e0aeb73be8680893e5c56f3b44966993b0bd5f1e603dfdd4e2214*",".{0,1000}4bfa481a7c9e0aeb73be8680893e5c56f3b44966993b0bd5f1e603dfdd4e2214.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit 
- Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26179" "*4c12c1e287a1fcf28bb7a542fc5c355c42bd8e65db20f7a8b77d58edae502af4*",".{0,1000}4c12c1e287a1fcf28bb7a542fc5c355c42bd8e65db20f7a8b77d58edae502af4.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26187" "*4c1725016b58ea1a8ae96c842321a2d9ec1f91563e278961c8b3cbe2dcda4a40*",".{0,1000}4c1725016b58ea1a8ae96c842321a2d9ec1f91563e278961c8b3cbe2dcda4a40.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26189" "*4c26c5aeb6a516fd5292a51d2360b059ef4ada958c0d9d2040e3221cc438c825*",".{0,1000}4c26c5aeb6a516fd5292a51d2360b059ef4ada958c0d9d2040e3221cc438c825.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files 
with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26198" "*4c3e156680341f87566f7534124d9fc6ef687a86873eee9f8214049cb5588242*",".{0,1000}4c3e156680341f87566f7534124d9fc6ef687a86873eee9f8214049cb5588242.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26206" "*4c407a3b4aac3656e8da10f6234c8daa48a7eea7e92220660c8f92595fa05a7f*",".{0,1000}4c407a3b4aac3656e8da10f6234c8daa48a7eea7e92220660c8f92595fa05a7f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26208" 
"*4c4685aec2af6e71912d9d29a9692e0ac6bbb1926f17e6b6ed680cf4e9ad8e5d*",".{0,1000}4c4685aec2af6e71912d9d29a9692e0ac6bbb1926f17e6b6ed680cf4e9ad8e5d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26211" "*4c4a26fc3bb0cebf08ecf55e88eb1a2bc25e11fedebc7407198e84439fe20075*",".{0,1000}4c4a26fc3bb0cebf08ecf55e88eb1a2bc25e11fedebc7407198e84439fe20075.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","26213" "*4c4a26fc3bb0cebf08ecf55e88eb1a2bc25e11fedebc7407198e84439fe20075*",".{0,1000}4c4a26fc3bb0cebf08ecf55e88eb1a2bc25e11fedebc7407198e84439fe20075.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","26214" "*4c4a26fc3bb0cebf08ecf55e88eb1a2bc25e11fedebc7407198e84439fe20075*",".{0,1000}4c4a26fc3bb0cebf08ecf55e88eb1a2bc25e11fedebc7407198e84439fe20075.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","26215" "*4c517113f22937a313921b73c9b25463cc7ed0b77d9cf42b08b6443184e52e90*",".{0,1000}4c517113f22937a313921b73c9b25463cc7ed0b77d9cf42b08b6443184e52e90.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26217" "*4c67141acad76f0a686c78d5723be5d395b51ac6f323e2ca8788f4678c9df1aa*",".{0,1000}4c67141acad76f0a686c78d5723be5d395b51ac6f323e2ca8788f4678c9df1aa.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26223" "*4c71870eebb79a989ecd6c6f62ea23433ac2b5ea50dcd445464742e51b3c03cd*",".{0,1000}4c71870eebb79a989ecd6c6f62ea23433ac2b5ea50dcd445464742e51b3c03cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26224" 
"*4c77daadff57f64045bb324c78424a543c7703055d8e1827862e8b9920d541de*",".{0,1000}4c77daadff57f64045bb324c78424a543c7703055d8e1827862e8b9920d541de.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26228" "*4c8a17db253b2eb5af4596e93f8f766f815546c3b40700e8d88baac680a579a9*",".{0,1000}4c8a17db253b2eb5af4596e93f8f766f815546c3b40700e8d88baac680a579a9.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26231" "*4c90633d523f467384a424bbfce211f737becbc7c4ac637e10e6c91fda8a6a26*",".{0,1000}4c90633d523f467384a424bbfce211f737becbc7c4ac637e10e6c91fda8a6a26.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26233" "*4c908414d885dbe8b105b4c794931bcaf649a8184e1addda4785cef8307bc3e7*",".{0,1000}4c908414d885dbe8b105b4c794931bcaf649a8184e1addda4785cef8307bc3e7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26234" "*4c9a5de428ce8e34b37f5cee75622f4a681cb3306edfd44e6068b9ecd2d68939*",".{0,1000}4c9a5de428ce8e34b37f5cee75622f4a681cb3306edfd44e6068b9ecd2d68939.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26235" "*4c9aad477ebdd6bbc57a746b43db4fa1398f4f998e8ebf6e26e10ec5dccb9e68*",".{0,1000}4c9aad477ebdd6bbc57a746b43db4fa1398f4f998e8ebf6e26e10ec5dccb9e68.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","26236" "*4cafe6451efd64e50a28f2533055b1f68fc59426838214d20341acba515b0eb5*",".{0,1000}4cafe6451efd64e50a28f2533055b1f68fc59426838214d20341acba515b0eb5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26244" 
"*4cc0452dbc2770d13549c1a1ed707e5b11851a18a2dcae80c98d211ca9bb5c22*",".{0,1000}4cc0452dbc2770d13549c1a1ed707e5b11851a18a2dcae80c98d211ca9bb5c22.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26246" "*4ccf381a687d001906f0ee5896e6c66cd9a0139d326ea18cea02968a62b06160*",".{0,1000}4ccf381a687d001906f0ee5896e6c66cd9a0139d326ea18cea02968a62b06160.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26248" "*4cd912755e503c2010ab1f436128165f1f899c384bffce49f183c0663ba5da22*",".{0,1000}4cd912755e503c2010ab1f436128165f1f899c384bffce49f183c0663ba5da22.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","26251" "*4cdca1cc3d298a5e6628ec40e174882e26039d953492eaef6c0d25cef065ace5*",".{0,1000}4cdca1cc3d298a5e6628ec40e174882e26039d953492eaef6c0d25cef065ace5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26252" "*4ce2100f0e9907d9dc152f94f56bf33bc44d029b2f83efde32b586a57bf55809*",".{0,1000}4ce2100f0e9907d9dc152f94f56bf33bc44d029b2f83efde32b586a57bf55809.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26253" "*4ce2ba1b4eabaf58b763ac456397b43ece17e9803e806bf405b28c386a484f6a*",".{0,1000}4ce2ba1b4eabaf58b763ac456397b43ece17e9803e806bf405b28c386a484f6a.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","26254" "*4ce340c17289861ff5e21249624acbe0450b8490a88595a33da6456737231567*",".{0,1000}4ce340c17289861ff5e21249624acbe0450b8490a88595a33da6456737231567.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of
ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26255" "*4ceb965f166bdf4d8d16d081d24ad0488cbd67c955d9817b0832a0b70e38db3f*",".{0,1000}4ceb965f166bdf4d8d16d081d24ad0488cbd67c955d9817b0832a0b70e38db3f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26257" "*4d07c284d462bb31ea9fdcea2b6682b33dca1e9e8c19570965095c79b80adc82*",".{0,1000}4d07c284d462bb31ea9fdcea2b6682b33dca1e9e8c19570965095c79b80adc82.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26263" 
"*4d13675c330ca07d532f7a2ebc72fdc011487fe318f2ee645842a3fa4b23c966*",".{0,1000}4d13675c330ca07d532f7a2ebc72fdc011487fe318f2ee645842a3fa4b23c966.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26264" "*4d14248e2743086512dd2af95259ca2085bf495ad5a09a8d37ede040eff5fb3d*",".{0,1000}4d14248e2743086512dd2af95259ca2085bf495ad5a09a8d37ede040eff5fb3d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26265" "*4d149ac8e1f4c181ccd0aaaf5d9271a695775869c9fe2fa24593bf61acb0e7eb*",".{0,1000}4d149ac8e1f4c181ccd0aaaf5d9271a695775869c9fe2fa24593bf61acb0e7eb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest 
- EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26267" "*4d1d50a5b4888aa8eca10624073759ab8376c8b1acb38a238831d40074792524*",".{0,1000}4d1d50a5b4888aa8eca10624073759ab8376c8b1acb38a238831d40074792524.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26271" "*4d31231f9468824107afb6c11e99630e80c98fb347658677cf2c1111d00771c3*",".{0,1000}4d31231f9468824107afb6c11e99630e80c98fb347658677cf2c1111d00771c3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26279" "*4d33f49c7729f8959d49cbf5399c8bc6236274e6342f39398a903a9779f1dddc*",".{0,1000}4d33f49c7729f8959d49cbf5399c8bc6236274e6342f39398a903a9779f1dddc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26281" "*4d3c48917973daaf7e31aeab167e4611c60feed29bae25303c053824bef027c*",".{0,1000}4d3c48917973daaf7e31aeab167e4611c60feed29bae25303c053824bef027c.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","#filehash","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","26284" "*4d4ca15944e2f75e8b86ee2bf92c458a40ed625bdc71e6d7d24d218c370c595b*",".{0,1000}4d4ca15944e2f75e8b86ee2bf92c458a40ed625bdc71e6d7d24d218c370c595b.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26285" "*4d66ce63e4917a7e2749a851733faca18a04ab2a289aa5650ca99a7f806a3c7f*",".{0,1000}4d66ce63e4917a7e2749a851733faca18a04ab2a289aa5650ca99a7f806a3c7f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26294" "*4d75006597652c67dc56aa9a078eeca3a52634bf1bf591b68c926bd01ad53d25*",".{0,1000}4d75006597652c67dc56aa9a078eeca3a52634bf1bf591b68c926bd01ad53d25.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","26299" "*4d797b16f3aa81a13bc1736b37e783336bcfb9a538148810b3d1ec8fe592e50c*",".{0,1000}4d797b16f3aa81a13bc1736b37e783336bcfb9a538148810b3d1ec8fe592e50c.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","26302" "*4d7fa7fbfca88ec9adb9e227f4049a544acd312dd5c3a4d4f936e053497b7d65*",".{0,1000}4d7fa7fbfca88ec9adb9e227f4049a544acd312dd5c3a4d4f936e053497b7d65.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26305" "*4d8811ff14a7bb842fc02825314f76f7484264ae753814af74fc2412f17b1a75*",".{0,1000}4d8811ff14a7bb842fc02825314f76f7484264ae753814af74fc2412f17b1a75.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26307" "*4d95694b73357e0e304b68cdbb00bd65da3ffcaa7e2148141dbc4e29357b5a52*",".{0,1000}4d95694b73357e0e304b68cdbb00bd65da3ffcaa7e2148141dbc4e29357b5a52.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26310" "*4d9ec99ceec71df88f47c5ebae5fdd15474f7d36e9685a655830c2fc89ad9153*",".{0,1000}4d9ec99ceec71df88f47c5ebae5fdd15474f7d36e9685a655830c2fc89ad9153.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26313" "*4daa7e8e607567451a1db6eb4c297c60a028263756b460c75bc5a31c39bc968b*",".{0,1000}4daa7e8e607567451a1db6eb4c297c60a028263756b460c75bc5a31c39bc968b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26316" "*4dbcad57d73bd7245c37f330719add5e842b4c8dd7830039ce50ca2d615ffe16*",".{0,1000}4dbcad57d73bd7245c37f330719add5e842b4c8dd7830039ce50ca2d615ffe16.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26319" 
"*4dc6142aea78bb86f1236fe38e570b715990503c09733418c0cd2300e45651e4*",".{0,1000}4dc6142aea78bb86f1236fe38e570b715990503c09733418c0cd2300e45651e4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26322" "*4de5606b62d1fe9200c6a473f4d04ebe7a492172e36e8387ec9647c3d399cfd9*",".{0,1000}4de5606b62d1fe9200c6a473f4d04ebe7a492172e36e8387ec9647c3d399cfd9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26330" "*4de829c7a5e19e8578b398793c952c1ea1a3a1df54f354f46ff140a4932da53f*",".{0,1000}4de829c7a5e19e8578b398793c952c1ea1a3a1df54f354f46ff140a4932da53f.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26333" "*4df132ced0bbdbe4965bea528bb11385426a938fcdec3a2905b92d800c9c8fba*",".{0,1000}4df132ced0bbdbe4965bea528bb11385426a938fcdec3a2905b92d800c9c8fba.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over 
a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","26337" "*4e021eda86591c657ec781b77472518ecbf51b4f2a1b63e2ab53ac7289e59428*",".{0,1000}4e021eda86591c657ec781b77472518ecbf51b4f2a1b63e2ab53ac7289e59428.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26338" "*4e07de6f89b7dd371735d0360afc61ac21d19ea7c4b3f020e2e1a6b17b61432c*",".{0,1000}4e07de6f89b7dd371735d0360afc61ac21d19ea7c4b3f020e2e1a6b17b61432c.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26340" "*4e155fcf4f0c7e186ccd2be94a2e036bb62790c9bc00d9145a2999b5e3f38717*",".{0,1000}4e155fcf4f0c7e186ccd2be94a2e036bb62790c9bc00d9145a2999b5e3f38717.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26348" "*4e18982beb557529c90acdc5701f4b11d4d8d310872e06565927d0e902316df2*",".{0,1000}4e18982beb557529c90acdc5701f4b11d4d8d310872e06565927d0e902316df2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - 
T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26349" "*4e1e3123dd85d3ac65a0803b08dd89b9b12b5a00b9f566782855332d03e5fe26*",".{0,1000}4e1e3123dd85d3ac65a0803b08dd89b9b12b5a00b9f566782855332d03e5fe26.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","26352" "*4e1e3123dd85d3ac65a0803b08dd89b9b12b5a00b9f566782855332d03e5fe26*",".{0,1000}4e1e3123dd85d3ac65a0803b08dd89b9b12b5a00b9f566782855332d03e5fe26.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26353" "*4e278396d6ca4d2eb560f7cac6c7aebc0d729ffa3af3423668b5f30275aa2b51*",".{0,1000}4e278396d6ca4d2eb560f7cac6c7aebc0d729ffa3af3423668b5f30275aa2b51.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26355" 
"*4e2acdb55e74ee0525f6614436674560388b36b8316552fdae32b44398e56ef2*",".{0,1000}4e2acdb55e74ee0525f6614436674560388b36b8316552fdae32b44398e56ef2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26357" "*4e2b06bd978472dd092c166b43ec56ab22c1347710fd77616283d2c27ee9ae56*",".{0,1000}4e2b06bd978472dd092c166b43ec56ab22c1347710fd77616283d2c27ee9ae56.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26358" "*4e55db9ef3e258914860532610cc37db12e2f875f9bd8fd5b789c4a55f7b4f6c*",".{0,1000}4e55db9ef3e258914860532610cc37db12e2f875f9bd8fd5b789c4a55f7b4f6c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26366" "*4e5d34573206efd1a545796a8c2c233a80fe5301c11eee3024e978b0977a4521*",".{0,1000}4e5d34573206efd1a545796a8c2c233a80fe5301c11eee3024e978b0977a4521.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26367" 
"*4e694c7eb85dcf55d7642f3504a5d63493e46ebd711735c57a45569ef2a7b88a*",".{0,1000}4e694c7eb85dcf55d7642f3504a5d63493e46ebd711735c57a45569ef2a7b88a.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26369" "*4e703495f3616dd936afdfa2c32958189ae5e90328d9389b86e49a50654e6393*",".{0,1000}4e703495f3616dd936afdfa2c32958189ae5e90328d9389b86e49a50654e6393.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26373" "*4e815350382249ffb6d9520262bbce81f45f63126134a0c365eb648a4d27e6ea*",".{0,1000}4e815350382249ffb6d9520262bbce81f45f63126134a0c365eb648a4d27e6ea.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26374" "*4e9929b68f2e9f3df50e4b320ee85357134efde38986d25983b8fcf50e19cd22*",".{0,1000}4e9929b68f2e9f3df50e4b320ee85357134efde38986d25983b8fcf50e19cd22.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26376" "*4eb752de605ffcacb6aaf1e613bef1596b6a4583811d1b2fc6b0948df4febddd*",".{0,1000}4eb752de605ffcacb6aaf1e613bef1596b6a4583811d1b2fc6b0948df4febddd.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26380" "*4eb7ebda84217bc575fff510a5534f5750772915d6efa435a9ce49ef5eb0b075*",".{0,1000}4eb7ebda84217bc575fff510a5534f5750772915d6efa435a9ce49ef5eb0b075.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26381" "*4ee1ee85ab16e36d6dbc5b4d8795375bb10edab50e451eed5adf69ddd4792575*",".{0,1000}4ee1ee85ab16e36d6dbc5b4d8795375bb10edab50e451eed5adf69ddd4792575.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26388" 
"*4eecced7aa167279bda23afe2be0f3dd9b61080531fdbae5137bd257c334992a*",".{0,1000}4eecced7aa167279bda23afe2be0f3dd9b61080531fdbae5137bd257c334992a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26392" "*4ef082c1788e972f016f00286a2054c82189cec3a1a3e2af8123240c2888b6ff*",".{0,1000}4ef082c1788e972f016f00286a2054c82189cec3a1a3e2af8123240c2888b6ff.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26393" "*4ef3458f9635baf5cfd25a793486b612df7f4904c91eb2e4558d9713fcd34912*",".{0,1000}4ef3458f9635baf5cfd25a793486b612df7f4904c91eb2e4558d9713fcd34912.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26395" "*4effd67edbd0e9e5894223df9ce97c635e2056db54bd0cf602fa00a99c27eef3*",".{0,1000}4effd67edbd0e9e5894223df9ce97c635e2056db54bd0cf602fa00a99c27eef3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26398" "*4f0d1578a3f8a5fedbba8f32cbe54455250307616c0cf29c062b76d081806268*",".{0,1000}4f0d1578a3f8a5fedbba8f32cbe54455250307616c0cf29c062b76d081806268.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26401" "*4f2088aff3460c9bd278121de7781985734969399d408f0c9e3f794165e0a407*",".{0,1000}4f2088aff3460c9bd278121de7781985734969399d408f0c9e3f794165e0a407.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26409" "*4f21a1d0e7caa97018e4d0b8c7e63fbc54d081976dfda9409f57a3ead24074a7*",".{0,1000}4f21a1d0e7caa97018e4d0b8c7e63fbc54d081976dfda9409f57a3ead24074a7.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotly control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","26410" "*4f29beec80237718a80f87d4afc2a8d79dd8e5b680b2490653a3cacc9856be83*",".{0,1000}4f29beec80237718a80f87d4afc2a8d79dd8e5b680b2490653a3cacc9856be83.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26413" "*4f30ed7899506d15974d12e428f4647660f97a52cc21da06a6a295a06197bbd8*",".{0,1000}4f30ed7899506d15974d12e428f4647660f97a52cc21da06a6a295a06197bbd8.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","26416" "*4f3adf3695bebc9fbe10e01ab17ac24f71b146ace019a808aba29f8e8ffdecb8*",".{0,1000}4f3adf3695bebc9fbe10e01ab17ac24f71b146ace019a808aba29f8e8ffdecb8.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26420" "*4f3bc75be8df0f82b7b79041715ed30cf1a0e658fe2be024825da74c7a8a37c1*",".{0,1000}4f3bc75be8df0f82b7b79041715ed30cf1a0e658fe2be024825da74c7a8a37c1.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - 
T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","26421" "*4f3dda32302104fc37f7c6dbb7d8683b4a18a08de2848539cc86e08dad2ea82f*",".{0,1000}4f3dda32302104fc37f7c6dbb7d8683b4a18a08de2848539cc86e08dad2ea82f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26422" "*4f3e5adb0523a6811d21570838c9f061b7c9bb01264be518d0ed55039ac42547*",".{0,1000}4f3e5adb0523a6811d21570838c9f061b7c9bb01264be518d0ed55039ac42547.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26423" "*4f42773bb9fa283dc34d4c54347b197b95176024cf3fc6c1e11932f2a56188da*",".{0,1000}4f42773bb9fa283dc34d4c54347b197b95176024cf3fc6c1e11932f2a56188da.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash 
#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","26424" "*4f4a7ad2eedc23ab3b6127a704fe66efbbda6bc654b98741aa2aadb8293d5864*",".{0,1000}4f4a7ad2eedc23ab3b6127a704fe66efbbda6bc654b98741aa2aadb8293d5864.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26426" "*4f54cf83a83c4c3b2468f606d9e2ae3cfd2149072cdd6fa00d25c7956ced0613*",".{0,1000}4f54cf83a83c4c3b2468f606d9e2ae3cfd2149072cdd6fa00d25c7956ced0613.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26428" "*4f6a58fe1d179d2c9811e76d2cc469b5843bb5fddf9a5561b2b257810ae9416c*",".{0,1000}4f6a58fe1d179d2c9811e76d2cc469b5843bb5fddf9a5561b2b257810ae9416c.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26432" "*4f6dab3a4ee7ab3b41766af778e54cef4a7e140c5fea5df81ed7ae625fbaaf45*",".{0,1000}4f6dab3a4ee7ab3b41766af778e54cef4a7e140c5fea5df81ed7ae625fbaaf45.{0,1000}","greyware_tool_keyword","rclone","Rclone is a 
command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26433" "*4f6e2bc4765bab597dd391900bed4320b958a1435c5a6ef24e291afa18b929a4*",".{0,1000}4f6e2bc4765bab597dd391900bed4320b958a1435c5a6ef24e291afa18b929a4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26434" "*4F748D41-5BE1-4626-A0AB-9EA15CDC2074*",".{0,1000}4F748D41\-5BE1\-4626\-A0AB\-9EA15CDC2074.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#GUIDproject","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26436" 
"*4f8be171615906969f1393b450924f0afe3458ff88f7fb8be89f5c02837b4026*",".{0,1000}4f8be171615906969f1393b450924f0afe3458ff88f7fb8be89f5c02837b4026.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26440" "*4f8c65b3b3f90219d93517f3f1535fd8790d8c8e9fdf3ae1aecafeb1ff6cefee*",".{0,1000}4f8c65b3b3f90219d93517f3f1535fd8790d8c8e9fdf3ae1aecafeb1ff6cefee.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26441" "*4f8dc1238de611812f0965d1e1d70b45700ad30d7ed7abec4c44a2de0c72eb44*",".{0,1000}4f8dc1238de611812f0965d1e1d70b45700ad30d7ed7abec4c44a2de0c72eb44.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26442" "*4f91e07aba2c4e94121f45cfb8252d2e173d565a4a15faacd7b3fa3f78b0d978*",".{0,1000}4f91e07aba2c4e94121f45cfb8252d2e173d565a4a15faacd7b3fa3f78b0d978.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","26445" "*4f932e61afb6bd1dd8b5c4c25c715f1623d3f574637d8154256531b4ef5000ac*",".{0,1000}4f932e61afb6bd1dd8b5c4c25c715f1623d3f574637d8154256531b4ef5000ac.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","26447" "*4faed559dc80bc2bf43b6c3da60e19f86c42ab8ed2b19e3ff0d3f4e4cca6c50c*",".{0,1000}4faed559dc80bc2bf43b6c3da60e19f86c42ab8ed2b19e3ff0d3f4e4cca6c50c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26451" "*4fb15611c3facf046b2f52178d939e5c7b9fbba79320bd0329e129c4f179cd3d*",".{0,1000}4fb15611c3facf046b2f52178d939e5c7b9fbba79320bd0329e129c4f179cd3d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26453" "*4fd9e503868b34bf6c0de86423afd252160aec8f3218458f2a4d3d774b84a99d*",".{0,1000}4fd9e503868b34bf6c0de86423afd252160aec8f3218458f2a4d3d774b84a99d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26456" "*4fe0b0a017cedf51e40742e6460ddd479eb4a25e31356c02885dd4e7c5b65b17*",".{0,1000}4fe0b0a017cedf51e40742e6460ddd479eb4a25e31356c02885dd4e7c5b65b17.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","26457" "*4fe9647d6a8bf4790df0277283f9874385e0cd05f3008406ca5624aba8d78924*",".{0,1000}4fe9647d6a8bf4790df0277283f9874385e0cd05f3008406ca5624aba8d78924.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","26458" "*4fe9718a0aeb5f9a05f662647a12781ea44b3640526615e62b389e76682a5d2f*",".{0,1000}4fe9718a0aeb5f9a05f662647a12781ea44b3640526615e62b389e76682a5d2f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","26459" "*4ff03132d760141bc5f6e4ad0469be9081f179cf65e8f632c5c2c1eea1ed57ce*",".{0,1000}4ff03132d760141bc5f6e4ad0469be9081f179cf65e8f632c5c2c1eea1ed57ce.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","26461" "*4shared.com/*upload*",".{0,1000}4shared\.com\/.{0,1000}upload.{0,1000}","greyware_tool_keyword","4shared.com","Uploading on 4shared.com","T1105 - T1567 - T1071","TA0010 ","N/A","Turla","Data Exfiltration","4shared.com","1","1","#filehostingservice","N/A","9","8","N/A","N/A","N/A","N/A","26469" "*500a0ba45a24b5ddcffc791bb90fa837cb2308bebc08ae647951d9f63f8ff49b*",".{0,1000}500a0ba45a24b5ddcffc791bb90fa837cb2308bebc08ae647951d9f63f8ff49b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26474" "*501555b3f33f3591deab2ab1b070502b45d63cf3c744661b7a32edc8f498e6ed*",".{0,1000}501555b3f33f3591deab2ab1b070502b45d63cf3c744661b7a32edc8f498e6ed.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - 
T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26478" "*50362f6c4c2d91cf0edc750c578b73605fdbb79443874110cc0a64913553f76b*",".{0,1000}50362f6c4c2d91cf0edc750c578b73605fdbb79443874110cc0a64913553f76b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26483" "*503c58501ddb578dd5ee825bdacde7e5e416210276ec7e6688c8556dfca9ae26*",".{0,1000}503c58501ddb578dd5ee825bdacde7e5e416210276ec7e6688c8556dfca9ae26.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","26487" "*5041dad585a35ab841cf44028ee5318b61ce73b97f2ff90757a8ce609e620a63*",".{0,1000}5041dad585a35ab841cf44028ee5318b61ce73b97f2ff90757a8ce609e620a63.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26491" "*50455d300e96d1d186ff81c97bb45d4697bd057c6a4fa92b280ff8782121ef86*",".{0,1000}50455d300e96d1d186ff81c97bb45d4697bd057c6a4fa92b280ff8782121ef86.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26493" "*504764d19a025b282b230491d91abbc551f1b9887ee669bbb7211b6dd86b1038*",".{0,1000}504764d19a025b282b230491d91abbc551f1b9887ee669bbb7211b6dd86b1038.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","26494" "*507a32af5f58e47f635053b3ff0605db2e819cd63d31709e40cb1d98364b015b*",".{0,1000}507a32af5f58e47f635053b3ff0605db2e819cd63d31709e40cb1d98364b015b.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","26510" "*507fb6f358381291fe987336263b35ab8c49b42abfa44f4b3f159b92ac54c521*",".{0,1000}507fb6f358381291fe987336263b35ab8c49b42abfa44f4b3f159b92ac54c521.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26512" "*5088a7aeb3f0ebeee5ce2825791f72abaa1595757fa7908869e43ec6a81825ea*",".{0,1000}5088a7aeb3f0ebeee5ce2825791f72abaa1595757fa7908869e43ec6a81825ea.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor 
- BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26516" "*508e9b2199a8c36668fe48520c2d2ba6ee30db5fca04c7ca3e7cd42e5ce20097*",".{0,1000}508e9b2199a8c36668fe48520c2d2ba6ee30db5fca04c7ca3e7cd42e5ce20097.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26517" "*5099b8acb17c0681301d82362c9c37bb9a579bf0580ab7362ab7cae2b7bb5f68*",".{0,1000}5099b8acb17c0681301d82362c9c37bb9a579bf0580ab7362ab7cae2b7bb5f68.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26519" "*509cd53e52ba513aa2ca1198018a52a117b87cc451fdd62a0556d1128d389216*",".{0,1000}509cd53e52ba513aa2ca1198018a52a117b87cc451fdd62a0556d1128d389216.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - 
Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26520" "*50a8e58ad1cda3eaabbd812d064b7cb40e7119b6c4838ef5c1c74b8f6db8a5cc*",".{0,1000}50a8e58ad1cda3eaabbd812d064b7cb40e7119b6c4838ef5c1c74b8f6db8a5cc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26524" "*50addce2b6170aae470a9d692f444825991e3c1b6208d141c17ae5909c6c2cc9*",".{0,1000}50addce2b6170aae470a9d692f444825991e3c1b6208d141c17ae5909c6c2cc9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26525" "*50c178847f0454a84f85bc765699c1180ea1b49f91e7d70b5b9113845d008387*",".{0,1000}50c178847f0454a84f85bc765699c1180ea1b49f91e7d70b5b9113845d008387.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","#filehash","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","26529" "*50d81308031ff4cd24705d157d6c5cf7d6e8afe7bec4bb2bbbadbd6699ad7a3f*",".{0,1000}50d81308031ff4cd24705d157d6c5cf7d6e8afe7bec4bb2bbbadbd6699ad7a3f.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26535" "*50dae26eefa5516f7a4a02832fa065d971ca9feebbee519f2a2ab1bcb3dedd12*",".{0,1000}50dae26eefa5516f7a4a02832fa065d971ca9feebbee519f2a2ab1bcb3dedd12.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26538" "*50f0408d2544a0660a23acfcb9f2ef1a5883adc11861bc9f810367e45aad054d*",".{0,1000}50f0408d2544a0660a23acfcb9f2ef1a5883adc11861bc9f810367e45aad054d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26541" "*50f914c195773487957cbdf262fa8e866e17e715bee3418e9591b2f161a16269*",".{0,1000}50f914c195773487957cbdf262fa8e866e17e715bee3418e9591b2f161a16269.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26542" "*50fd26b82963fe0813a7cc5a5d1b4c2adb75cac715c498176e8bfc5aba7e5307*",".{0,1000}50fd26b82963fe0813a7cc5a5d1b4c2adb75cac715c498176e8bfc5aba7e5307.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26543" "*51077d58b8a21e5387ab74037c547bd62e990ccd4923a0abe2983d5225b3290e*",".{0,1000}51077d58b8a21e5387ab74037c547bd62e990ccd4923a0abe2983d5225b3290e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26547" "*510a833bdd0f896cc398eaae4ff475f5b7cfe37649efbf647b50d21e442394b9*",".{0,1000}510a833bdd0f896cc398eaae4ff475f5b7cfe37649efbf647b50d21e442394b9.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26551" "*5129b1b4b402350d6a7ff85b511dc2c8c94148e8fdb25d57c368d47cbe5d6703*",".{0,1000}5129b1b4b402350d6a7ff85b511dc2c8c94148e8fdb25d57c368d47cbe5d6703.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26559"
"*512f4208d0376a5c5b555930b8c4a3fc3a5a12680655b3d3a167888e6ef202b0*",".{0,1000}512f4208d0376a5c5b555930b8c4a3fc3a5a12680655b3d3a167888e6ef202b0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26562" "*512fba960ac745dbb62576225ee9dd7f65bf83261c8d1364f50101c8e3fd55bf*",".{0,1000}512fba960ac745dbb62576225ee9dd7f65bf83261c8d1364f50101c8e3fd55bf.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","26563" "*5141adc9e35e695f849f9f2a7749a428263d1a02e1efdf24547f53596be97a25*",".{0,1000}5141adc9e35e695f849f9f2a7749a428263d1a02e1efdf24547f53596be97a25.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","26566" "*514d0711317427f45d3ca23e66cf66e9f98caef660314d843f59b38511e94a2c*",".{0,1000}514d0711317427f45d3ca23e66cf66e9f98caef660314d843f59b38511e94a2c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26569" "*514e482dab807fa09c219ed32c4899ed0783f4b040bbee4168959024707ed8e4*",".{0,1000}514e482dab807fa09c219ed32c4899ed0783f4b040bbee4168959024707ed8e4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26570" "*515983df3a9aad4aae1e5e37cdf489686b4d7daed5610a75d75ebba006c4ddc9*",".{0,1000}515983df3a9aad4aae1e5e37cdf489686b4d7daed5610a75d75ebba006c4ddc9.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","26572" "*5170878a45097dd423d7ab4ec48724b4ef046ea5d990e763d18eee67af881e74*",".{0,1000}5170878a45097dd423d7ab4ec48724b4ef046ea5d990e763d18eee67af881e74.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26580" 
"*51921c04f725490abfce3611cef91f602314bb272240d7d4a252bf16a2199154*",".{0,1000}51921c04f725490abfce3611cef91f602314bb272240d7d4a252bf16a2199154.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","26586" "*51a5737c2b51190507d47557023264299f8de0b2152e89e093e0e61f64807986*",".{0,1000}51a5737c2b51190507d47557023264299f8de0b2152e89e093e0e61f64807986.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","0","#filehash","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","26591" "*51a6e79cd5c7e100116719a73c4f005f8b5dc59027adfe75e77d154af938d698*",".{0,1000}51a6e79cd5c7e100116719a73c4f005f8b5dc59027adfe75e77d154af938d698.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","26593" "*51ae744086e74f4266459e4fec04b65386dce95598a87b961398f85119bbf701*",".{0,1000}51ae744086e74f4266459e4fec04b65386dce95598a87b961398f85119bbf701.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","26597" 
"*51b8d39b8fd419868d91ed5d0d0a22fb80d943f3fd3bab645c5498a3ad8b3dd9*",".{0,1000}51b8d39b8fd419868d91ed5d0d0a22fb80d943f3fd3bab645c5498a3ad8b3dd9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26600" "*51dd805d2d76208788ad35688d34005c4494d2aa28f7ea7f848c94975798ab11*",".{0,1000}51dd805d2d76208788ad35688d34005c4494d2aa28f7ea7f848c94975798ab11.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26629" "*51e63f127dfc4804bec4dc1e5bc19034d50953c246417203b95ddba89bbfe082*",".{0,1000}51e63f127dfc4804bec4dc1e5bc19034d50953c246417203b95ddba89bbfe082.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","26631" "*51f4ff1014c223e9f936e13e8d053dddb16678c65e87b2cfa63cad36564d243c*",".{0,1000}51f4ff1014c223e9f936e13e8d053dddb16678c65e87b2cfa63cad36564d243c.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","26637" "*51fffad6f5e6f4a431c08cc28c25297e62f85f97dca246fecb6f3c5d3ca22cbb*",".{0,1000}51fffad6f5e6f4a431c08cc28c25297e62f85f97dca246fecb6f3c5d3ca22cbb.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26640" "*52067f237835fbb545249f2fe8a05ed32cbeea63b7d0f8ee05fe4ec7411b04c1*",".{0,1000}52067f237835fbb545249f2fe8a05ed32cbeea63b7d0f8ee05fe4ec7411b04c1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26644" "*522304b37a88a2c916a5aa39eb10a66f1cf5b4cff84acc42f0a9e86b2c924518*",".{0,1000}522304b37a88a2c916a5aa39eb10a66f1cf5b4cff84acc42f0a9e86b2c924518.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26648" "*52431af4c26b941b8f6cc502f60658365b541e1cf4f184edf061b6954e68af72*",".{0,1000}52431af4c26b941b8f6cc502f60658365b541e1cf4f184edf061b6954e68af72.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26653" 
"*5252ae734d3bc191efdb95074830509a7ae4293fa25ce866b9fe35c455e61058*",".{0,1000}5252ae734d3bc191efdb95074830509a7ae4293fa25ce866b9fe35c455e61058.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26657" "*526336cdc3fddd60a43255912e954c4703e60f180d128525e0691e0e254664ec*",".{0,1000}526336cdc3fddd60a43255912e954c4703e60f180d128525e0691e0e254664ec.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26662" "*5273cd88fcbbafe3921dbb88f330a09b4b00c6bbad7d4bc0bf897558a24bb5eb*",".{0,1000}5273cd88fcbbafe3921dbb88f330a09b4b00c6bbad7d4bc0bf897558a24bb5eb.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26668" 
"*527ddd722d4629f835321d6b8cb25f28d4b55fb7b7e946e95c1e2098b88f86ef*",".{0,1000}527ddd722d4629f835321d6b8cb25f28d4b55fb7b7e946e95c1e2098b88f86ef.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26671" "*52820d7c8b0fad129a6d4d4e631d627dbf63263c0c720569afbc43da085198cb*",".{0,1000}52820d7c8b0fad129a6d4d4e631d627dbf63263c0c720569afbc43da085198cb.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26673" "*52a8249970f72966d7fae76ffc7fd4009ce4100e92ece3fd6c409c61943af492*",".{0,1000}52a8249970f72966d7fae76ffc7fd4009ce4100e92ece3fd6c409c61943af492.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","26679" "*52aca841486eaf4fe6422b059aa05bbf20db94b957de1d3fca019ed2af8192b7*",".{0,1000}52aca841486eaf4fe6422b059aa05bbf20db94b957de1d3fca019ed2af8192b7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26680" 
"*52BBA3C2-A74E-4096-B65F-B88C38F92120*",".{0,1000}52BBA3C2\-A74E\-4096\-B65F\-B88C38F92120.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#GUIDproject","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","26686" "*52be14d6204dd665dc3ccf2eb50179111a28cc0d8d473c7eef3b218f94e36b6d*",".{0,1000}52be14d6204dd665dc3ccf2eb50179111a28cc0d8d473c7eef3b218f94e36b6d.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","26688" "*52c57ccd01efae71adb244f5867b879e14b486478681b04a1bc89d92417697d7*",".{0,1000}52c57ccd01efae71adb244f5867b879e14b486478681b04a1bc89d92417697d7.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","26692" "*52ca645cfcf80cfa3278dc9ec47105cd22995f39028082ba209a4ebcbb7844fe*",".{0,1000}52ca645cfcf80cfa3278dc9ec47105cd22995f39028082ba209a4ebcbb7844fe.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26693" 
"*52d8411745d949cc0cfd878f2e14f5f570d8a8d794eba6c3cf985a4aa51a1240*",".{0,1000}52d8411745d949cc0cfd878f2e14f5f570d8a8d794eba6c3cf985a4aa51a1240.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26695" "*52e9a87377d0237b7c1a1c8247898ec1a41bfa2a52af411694ff62b70b64917b*",".{0,1000}52e9a87377d0237b7c1a1c8247898ec1a41bfa2a52af411694ff62b70b64917b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26696" "*52f5d95236e0d5eb73651af96e99d1da201164bfb63cea329aa25e01e2609463*",".{0,1000}52f5d95236e0d5eb73651af96e99d1da201164bfb63cea329aa25e01e2609463.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","26698" "*52f61a3c39aa3f8498648436cb20602f6ddacd0b245ad611cec68057793fb360*",".{0,1000}52f61a3c39aa3f8498648436cb20602f6ddacd0b245ad611cec68057793fb360.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely 
accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","26699" "*52fabafac257ef8ca28e53cc4f210789cfd882946d0f9d2f9457d63f0344a602*",".{0,1000}52fabafac257ef8ca28e53cc4f210789cfd882946d0f9d2f9457d63f0344a602.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26700" "*5315025fbefc69c96b6e0637a33dc04bcfc09f552729f8076e195d862f9f342a*",".{0,1000}5315025fbefc69c96b6e0637a33dc04bcfc09f552729f8076e195d862f9f342a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26705" "*531be6e910202087c61e10e57e28eee9a079fee380b8a42432de55d570bb25cb*",".{0,1000}531be6e910202087c61e10e57e28eee9a079fee380b8a42432de55d570bb25cb.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26709" "*53242fd2bad1e6b3039fdef38df6219710864d1c9e639208a2106326921d15fd*",".{0,1000}53242fd2bad1e6b3039fdef38df6219710864d1c9e639208a2106326921d15fd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26711" "*532c94a27dc1bae87411516b1253b2dddf14b7b976eea8f1deb01b248d6c3fda*",".{0,1000}532c94a27dc1bae87411516b1253b2dddf14b7b976eea8f1deb01b248d6c3fda.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26714" "*532f05083cc5b4ef33e473ca5d956da9d9e372673bd3803d20193b879a083487*",".{0,1000}532f05083cc5b4ef33e473ca5d956da9d9e372673bd3803d20193b879a083487.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26715" 
"*532f68e5acaadb28368f0e7f034e132a82e5b8e0aa1288cce4d71f8c4ef3bbba*",".{0,1000}532f68e5acaadb28368f0e7f034e132a82e5b8e0aa1288cce4d71f8c4ef3bbba.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","26716" "*533285c177f817601c35476ccbb9698e431dd750bb73204b51d01bf629846fac*",".{0,1000}533285c177f817601c35476ccbb9698e431dd750bb73204b51d01bf629846fac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26717" "*5334aa63bb61e334a71e158f7baa7a068aeab0dafab61705b2e2113cfb8b979b*",".{0,1000}5334aa63bb61e334a71e158f7baa7a068aeab0dafab61705b2e2113cfb8b979b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* 
- FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26719" "*5343c3e7100eac4771f00f0b66e26a821be87ae8e8694815d168ad4dd5cd4352*",".{0,1000}5343c3e7100eac4771f00f0b66e26a821be87ae8e8694815d168ad4dd5cd4352.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26723" "*5370c48e778806b0676a70e133a32a7ed674ad22545bb61e120198236504245a*",".{0,1000}5370c48e778806b0676a70e133a32a7ed674ad22545bb61e120198236504245a.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","26731" "*53774723cd9aa6a4a815ad002dd8be8535611237463240767ef3821f0d9e14b4*",".{0,1000}53774723cd9aa6a4a815ad002dd8be8535611237463240767ef3821f0d9e14b4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26733" "*53a53833d6191071e399d93a26ac14d3de37230307d39b212b9b559166570137*",".{0,1000}53a53833d6191071e399d93a26ac14d3de37230307d39b212b9b559166570137.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002
- T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26742" "*53afadaca917c0192ff3c2bae061516c6b14e6befe1d2d5c0cbb5f96de2eb74b*",".{0,1000}53afadaca917c0192ff3c2bae061516c6b14e6befe1d2d5c0cbb5f96de2eb74b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","26745" "*53b2e9c017c4c1d1f093b138c33eb4164ecea8d144880beca5702235e0665e54*",".{0,1000}53b2e9c017c4c1d1f093b138c33eb4164ecea8d144880beca5702235e0665e54.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26746" 
"*53b3f89f8d660c19c4c5952d4c24d283b5c3f55d0925a2fa787142c9598a5fb4*",".{0,1000}53b3f89f8d660c19c4c5952d4c24d283b5c3f55d0925a2fa787142c9598a5fb4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26747" "*53b7392e1f6973680579aa054458531886ef6d359868bcb2a4a52f7ffa5cf8f3*",".{0,1000}53b7392e1f6973680579aa054458531886ef6d359868bcb2a4a52f7ffa5cf8f3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26749" "*53c4b484b2e364b02eeb3c44214a583d6fb0d052a4cd2896e0c1f5c40dba7478*",".{0,1000}53c4b484b2e364b02eeb3c44214a583d6fb0d052a4cd2896e0c1f5c40dba7478.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26752" "*53cb0a4c9d99d9fa9ceb83bc5fe6ac1f8f7100130b1597d9eb71b3a9fdb01fcd*",".{0,1000}53cb0a4c9d99d9fa9ceb83bc5fe6ac1f8f7100130b1597d9eb71b3a9fdb01fcd.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","26754" "*53cbc5aa0c6be1872b867ca98c4eddbb422dcedb3f2c117952a1ebf29eea797e*",".{0,1000}53cbc5aa0c6be1872b867ca98c4eddbb422dcedb3f2c117952a1ebf29eea797e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26755" "*53ce7b5352a21cee0659ff9fbe71cd553cce35e1f72cb5db10975263fccebd47*",".{0,1000}53ce7b5352a21cee0659ff9fbe71cd553cce35e1f72cb5db10975263fccebd47.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26756" 
"*53d0b11932ca6402d75e8ace78625dac6599573d8e783001faf161dc8bccf063*",".{0,1000}53d0b11932ca6402d75e8ace78625dac6599573d8e783001faf161dc8bccf063.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26758" "*53ea72dc5887ad00512cccb7991fd7e7a3116390d87ddb45af322f50fee469a7*",".{0,1000}53ea72dc5887ad00512cccb7991fd7e7a3116390d87ddb45af322f50fee469a7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26760" "*53eb02c62b6ce83e8656eb978259cd26923613d545eb2d63ebba017997b2d672*",".{0,1000}53eb02c62b6ce83e8656eb978259cd26923613d545eb2d63ebba017997b2d672.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26761" "*53f3f97e369c874277a38fec36f2d533a865ad22c4ff8f06e4335f682c36b65a*",".{0,1000}53f3f97e369c874277a38fec36f2d533a865ad22c4ff8f06e4335f682c36b65a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26765"
"*540199cba6c77f452c01d554ca2e9d5e1203896f81695182f76e703595d2ed0a*",".{0,1000}540199cba6c77f452c01d554ca2e9d5e1203896f81695182f76e703595d2ed0a.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","26768" "*54093af487e6bfbe0ac27b0470a11ff5144130b3340bd5ade5c307cd9a2d2456*",".{0,1000}54093af487e6bfbe0ac27b0470a11ff5144130b3340bd5ade5c307cd9a2d2456.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","26770" "*542fd8635fa9784837b4adc0baf96ec514ed347c30603db9bc953ecce68399e4*",".{0,1000}542fd8635fa9784837b4adc0baf96ec514ed347c30603db9bc953ecce68399e4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","26779" "*5434f4040ed0c1d4d786ace61ce8044f2b4a260255fd507f572e253caf72dddc*",".{0,1000}5434f4040ed0c1d4d786ace61ce8044f2b4a260255fd507f572e253caf72dddc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26781" "*545291fd6c9ab6766c7997e4e8869a1f09597c8a6947414142b68223c6f9776f*",".{0,1000}545291fd6c9ab6766c7997e4e8869a1f09597c8a6947414142b68223c6f9776f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26788" "*54538a9a0676b8d5bb23c42250df271b736052c1f5b7168a73c14bc65aa017dc*",".{0,1000}54538a9a0676b8d5bb23c42250df271b736052c1f5b7168a73c14bc65aa017dc.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","26789" "*546505f3c8cb7cbe041b77cafa77a673bd38285e3de9918825f2f7f4fa773299*",".{0,1000}546505f3c8cb7cbe041b77cafa77a673bd38285e3de9918825f2f7f4fa773299.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in 
golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26793" "*54686bfabdfc31cb280a9030fc646b3d147d6021d9d798b637259fcc88a752e9*",".{0,1000}54686bfabdfc31cb280a9030fc646b3d147d6021d9d798b637259fcc88a752e9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26795" "*5469da4765d2a07fa3cb198ee9d2332862a9b270af4960e22d149cafd8f97c3f*",".{0,1000}5469da4765d2a07fa3cb198ee9d2332862a9b270af4960e22d149cafd8f97c3f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26796" "*546c3dfd281f8f06aaf64a0fedc31096e2af287e2fbaeffd4c431ed6a6c4d28a*",".{0,1000}546c3dfd281f8f06aaf64a0fedc31096e2af287e2fbaeffd4c431ed6a6c4d28a.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","26798" "*546d13242dd655fc2d405892c30adad1a6cc071b77a5779fc8f4bb0614595d85*",".{0,1000}546d13242dd655fc2d405892c30adad1a6cc071b77a5779fc8f4bb0614595d85.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26799" "*546f10834f36cb9596b23e7ed2551c6ea485f3bdef9dd2475b840eb95894e1d8*",".{0,1000}546f10834f36cb9596b23e7ed2551c6ea485f3bdef9dd2475b840eb95894e1d8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26800" 
"*54709655b001aa4d02b8040574970decd2e185a1ca4effbf87eb94574b9c87a0*",".{0,1000}54709655b001aa4d02b8040574970decd2e185a1ca4effbf87eb94574b9c87a0.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","#filehash","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","26801" "*5472468e92c54af495a753b9feb24fa90aa0e0d321bebb9c688fe5c9210a1ae7*",".{0,1000}5472468e92c54af495a753b9feb24fa90aa0e0d321bebb9c688fe5c9210a1ae7.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26802" "*5490ece8bcd8e5f083b72bd48614d6945e460f8dc8c9aa8e9db0cac54f8568f0*",".{0,1000}5490ece8bcd8e5f083b72bd48614d6945e460f8dc8c9aa8e9db0cac54f8568f0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26810" "*54b3370eb307a1b726f60f1c1accfb1159feb6e38d6dfda1fe1c6c1d09f79446*",".{0,1000}54b3370eb307a1b726f60f1c1accfb1159feb6e38d6dfda1fe1c6c1d09f79446.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 
- TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","26819" "*54ba4f0b5b5211e027f2e97eca9b534a7e937b23e50f8db93ed573b2a3db9670*",".{0,1000}54ba4f0b5b5211e027f2e97eca9b534a7e937b23e50f8db93ed573b2a3db9670.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26822" "*54bcac89bc7735d425b3b86f8fee042566e6f02ab69feba29bafcffeec072b20*",".{0,1000}54bcac89bc7735d425b3b86f8fee042566e6f02ab69feba29bafcffeec072b20.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26823" "*54d32b6689f4ae55b5402f89cca28cdd4889798022d1aee11674a4e506cfc7e5*",".{0,1000}54d32b6689f4ae55b5402f89cca28cdd4889798022d1aee11674a4e506cfc7e5.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26831" 
"*54d84eaf8b6d8d6d0b865c39b39a8253c079d571e066d02b50c5d0dd50d1be74*",".{0,1000}54d84eaf8b6d8d6d0b865c39b39a8253c079d571e066d02b50c5d0dd50d1be74.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26834" "*54e364bf382cc987a962fa5db328ce8bc375bff74ff7b8afcaeb1905a295e027*",".{0,1000}54e364bf382cc987a962fa5db328ce8bc375bff74ff7b8afcaeb1905a295e027.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26837" "*54ef26ef5847752d4acc732de7e294cb02766d89fc5eb30ead4de42cea331d79*",".{0,1000}54ef26ef5847752d4acc732de7e294cb02766d89fc5eb30ead4de42cea331d79.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26840" "*54f11fb39afb17eeaa9c68482cf68e415ed87c3eb80f2fa9ead6431ddcf25bcc*",".{0,1000}54f11fb39afb17eeaa9c68482cf68e415ed87c3eb80f2fa9ead6431ddcf25bcc.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26841" "*54f263712d02bf2345eb5a3444aa4f07b990f5b4c6d02f1de892d1ff8028b50c*",".{0,1000}54f263712d02bf2345eb5a3444aa4f07b990f5b4c6d02f1de892d1ff8028b50c.{0,1000}","greyware_tool_keyword","rclone","Rclone 
is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26842" "*550e7d04aa4d00fb81b1cd566c58b056a3da8bcfd05631e5f4edd673232b9062*",".{0,1000}550e7d04aa4d00fb81b1cd566c58b056a3da8bcfd05631e5f4edd673232b9062.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","26852" "*551acd5364dcb82cadc68a6b1dd317b182fd797c0d6f170ce2ca922ad293fd1d*",".{0,1000}551acd5364dcb82cadc68a6b1dd317b182fd797c0d6f170ce2ca922ad293fd1d.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26856" 
"*552d20cf969e7b8503c12566552a70c2956e1476a8b6a24f31056ae3ec6eb2b2*",".{0,1000}552d20cf969e7b8503c12566552a70c2956e1476a8b6a24f31056ae3ec6eb2b2.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","26860" "*55639c41a6ce5640182e63fbada1460f4d5eb77d7ca28cd03b5f81326a5ffd08*",".{0,1000}55639c41a6ce5640182e63fbada1460f4d5eb77d7ca28cd03b5f81326a5ffd08.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26875" "*5571e24e95485116507bad42b229ca77a98da4ab7ce161d45f35ddacab12a3d6*",".{0,1000}5571e24e95485116507bad42b229ca77a98da4ab7ce161d45f35ddacab12a3d6.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","26879" "*557366669af1df330ca6a7f7488ff60b77ac3f99cfc8568a9759ce24d55563e5*",".{0,1000}557366669af1df330ca6a7f7488ff60b77ac3f99cfc8568a9759ce24d55563e5.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26880" 
"*5575c76987333427f74263e090910eae45817f0ede6b452d645fd5f9951210c9*",".{0,1000}5575c76987333427f74263e090910eae45817f0ede6b452d645fd5f9951210c9.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","26881" "*5579149600842ad916cf87ca07c8b8fd81b4a5737d28ba2c66b1e2c72a8cf036*",".{0,1000}5579149600842ad916cf87ca07c8b8fd81b4a5737d28ba2c66b1e2c72a8cf036.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","26883" "*557e0390116d12a493e6c474e572a61856510ce0b697edbcfa69f47ca4658bc2*",".{0,1000}557e0390116d12a493e6c474e572a61856510ce0b697edbcfa69f47ca4658bc2.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","26884" "*55a0a2935fd0577e16c3e6f2b17a29839a6c58e6057830fa0c125945759cf397*",".{0,1000}55a0a2935fd0577e16c3e6f2b17a29839a6c58e6057830fa0c125945759cf397.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","26894" 
"*55ab03a0f7e3ce2c13664db76e5e0b6768cb66d88971b6bc6caf577831a77a23*",".{0,1000}55ab03a0f7e3ce2c13664db76e5e0b6768cb66d88971b6bc6caf577831a77a23.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","#filehash","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","26897" "*55af645a3111f2f9ecf35df965f709378a72e216d1963c134cade7391c24f563*",".{0,1000}55af645a3111f2f9ecf35df965f709378a72e216d1963c134cade7391c24f563.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","26902" "*55af8b379dafa474233959948f4daf6bcdf49c03dff322c2e4032e2db394fad0*",".{0,1000}55af8b379dafa474233959948f4daf6bcdf49c03dff322c2e4032e2db394fad0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26903" 
"*55c11ee0078d85ed35d7df237458e40b6ad687f46fc78b1886f30c197e1683c1*",".{0,1000}55c11ee0078d85ed35d7df237458e40b6ad687f46fc78b1886f30c197e1683c1.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","26910" "*561304bd23f13aa9185257fb0f055e8790dc64e8cf95287e2bfc9fec160eecf8*",".{0,1000}561304bd23f13aa9185257fb0f055e8790dc64e8cf95287e2bfc9fec160eecf8.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","26927" "*56408aa221735b093510a8ea124b7b54df6054c70e8970f833373515595c3c8d*",".{0,1000}56408aa221735b093510a8ea124b7b54df6054c70e8970f833373515595c3c8d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26935" "*564a0f3db972920e005a53d22f8062e10652bcb9fa9e2ec4218fa16446c2c344*",".{0,1000}564a0f3db972920e005a53d22f8062e10652bcb9fa9e2ec4218fa16446c2c344.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26940" "*564d2db592127c85b801082955d3af40a9e0a485a2dc5c9d960e8d685621b943*",".{0,1000}564d2db592127c85b801082955d3af40a9e0a485a2dc5c9d960e8d685621b943.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26941" "*565bb9fd10eabae3f557cd29ee48b29054f98aa3934c2c3c2a6e6e528d06b5fb*",".{0,1000}565bb9fd10eabae3f557cd29ee48b29054f98aa3934c2c3c2a6e6e528d06b5fb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26945" "*5664616dada91457f2e4241e69105952b97e4ffce83b030ac1c0f459799e76e9*",".{0,1000}5664616dada91457f2e4241e69105952b97e4ffce83b030ac1c0f459799e76e9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26949" "*56754f477bd8f5415c5b0f26346928a698bcc7c6665d72fe2fe746c3b36bccb0*",".{0,1000}56754f477bd8f5415c5b0f26346928a698bcc7c6665d72fe2fe746c3b36bccb0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26953" "*567d6614d077fa3fb569dd7a3d8fec5c0b3f6b09b0f82528f55337c637e76652*",".{0,1000}567d6614d077fa3fb569dd7a3d8fec5c0b3f6b09b0f82528f55337c637e76652.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","26955" 
"*568be7e64dc6dd20516910fe1cd2db611fee2b3051b2ff81ca1ef092bf3bbd91*",".{0,1000}568be7e64dc6dd20516910fe1cd2db611fee2b3051b2ff81ca1ef092bf3bbd91.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","26959" "*568ec361aa33903f8cf1678a5b35592887ea6e3de3fae6a1f752730ca2e8e82c*",".{0,1000}568ec361aa33903f8cf1678a5b35592887ea6e3de3fae6a1f752730ca2e8e82c.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","26960" "*56930110ad5e21a3b7c69008bdb3efd368c0ebafc1d0d97b48a76a3563ec8e24*",".{0,1000}56930110ad5e21a3b7c69008bdb3efd368c0ebafc1d0d97b48a76a3563ec8e24.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","26961" "*56976a6b2d3b62ef3e46626df51eb20a4e849e346a5292bf923481f4efb5da4a*",".{0,1000}56976a6b2d3b62ef3e46626df51eb20a4e849e346a5292bf923481f4efb5da4a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26965" 
"*569b8925a41bd1426fc9f88a4d00aa93da747ed4a5ec1c638678ac62ae1a7114*",".{0,1000}569b8925a41bd1426fc9f88a4d00aa93da747ed4a5ec1c638678ac62ae1a7114.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","26967" "*56a728c930af1ddb0583940149de58fa36b2d02cd318e6c437583f121dbcfb6a*",".{0,1000}56a728c930af1ddb0583940149de58fa36b2d02cd318e6c437583f121dbcfb6a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26973" "*56af38e429f5b4ddb7e23875122dac06e86f71414251f989bd096cbbc836c3e8*",".{0,1000}56af38e429f5b4ddb7e23875122dac06e86f71414251f989bd096cbbc836c3e8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26976" 
"*56affb1b7a635c42aa5009f45a7f2e7a1bf7fcbe6c19a4c66a89872c2f2a991f*",".{0,1000}56affb1b7a635c42aa5009f45a7f2e7a1bf7fcbe6c19a4c66a89872c2f2a991f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","26977" "*56be52735563e73f0cdf9d4e8b52f86ccc5313495eec99c69c6f2bfeb0a08317*",".{0,1000}56be52735563e73f0cdf9d4e8b52f86ccc5313495eec99c69c6f2bfeb0a08317.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","26981" "*56bf15ccd413e54239dde9103fa9e0bdbdfd5f3788855dbfec3fbe0e6a003b98*",".{0,1000}56bf15ccd413e54239dde9103fa9e0bdbdfd5f3788855dbfec3fbe0e6a003b98.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","26982" "*56c158d1060d6306a404027a06868c0c9475fec5d218d3e3746b1bddfe76c115*",".{0,1000}56c158d1060d6306a404027a06868c0c9475fec5d218d3e3746b1bddfe76c115.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","26983" 
"*56c68e08402096d11585592005d9eae985cf0d248e2f8103da15ad351eafae58*",".{0,1000}56c68e08402096d11585592005d9eae985cf0d248e2f8103da15ad351eafae58.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26987" "*56ca2194c2c1dae9900e4d9e5def115af7c7f6376fffeaaef08e00ed95b81934*",".{0,1000}56ca2194c2c1dae9900e4d9e5def115af7c7f6376fffeaaef08e00ed95b81934.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26990" "*56ccaa3297c8004543544b5d56c801a9c7ac1e40bc8b9e7258634ef4dc95a44b*",".{0,1000}56ccaa3297c8004543544b5d56c801a9c7ac1e40bc8b9e7258634ef4dc95a44b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","26991" "*56d615c6338475744a0259e928f7f20aa88f8bd4889d7a3db3e5a0e5a55a5fb8*",".{0,1000}56d615c6338475744a0259e928f7f20aa88f8bd4889d7a3db3e5a0e5a55a5fb8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","26997" "*56dfd0968ae9298d36c94c063639d5c33ae44224a4a51fe4da9c3596dea16d10*",".{0,1000}56dfd0968ae9298d36c94c063639d5c33ae44224a4a51fe4da9c3596dea16d10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing 
files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","26999" "*56eae0c5b8a8607a8f25aecae5069fe0555333beef9333cd44a2e8846740529a*",".{0,1000}56eae0c5b8a8607a8f25aecae5069fe0555333beef9333cd44a2e8846740529a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27003" "*56f4432c2a798eb5b37fb6d93bbd2b0dfaf40e73b82e3fbf5e40e8e23cb24411*",".{0,1000}56f4432c2a798eb5b37fb6d93bbd2b0dfaf40e73b82e3fbf5e40e8e23cb24411.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27006" 
"*56f939d7b5513df64ad63f7bf2da6cafa98778872aecfbce5f55161648ca4231*",".{0,1000}56f939d7b5513df64ad63f7bf2da6cafa98778872aecfbce5f55161648ca4231.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27009" "*5721a43731c1472216f3005efaf5a9e298ac2c9d40c4b55e68fe9ae5692c48b3*",".{0,1000}5721a43731c1472216f3005efaf5a9e298ac2c9d40c4b55e68fe9ae5692c48b3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27016" "*572872fec378f423b141faa205b44faa07bbf06f7272b0a6a3235c7992a69998*",".{0,1000}572872fec378f423b141faa205b44faa07bbf06f7272b0a6a3235c7992a69998.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27020" "*572a3066b441a61d177c6858322547d508fcbeca9111bcc5db3087d426d9b687*",".{0,1000}572a3066b441a61d177c6858322547d508fcbeca9111bcc5db3087d426d9b687.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and 
friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27021" "*57384f36febc695b32b0fd2910643ddaad6770898cf63a9f97a2f76e9faed5a8*",".{0,1000}57384f36febc695b32b0fd2910643ddaad6770898cf63a9f97a2f76e9faed5a8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27022" "*573af5ccab4dccb4c9eb1f21b5e65d18c0b3a4e2b262c426b6bebc24243904f1*",".{0,1000}573af5ccab4dccb4c9eb1f21b5e65d18c0b3a4e2b262c426b6bebc24243904f1.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27024" "*574583d2e4b8f71d7aa57ed24c4015e37bdfe937bcd7f0d708f300eac9bc33e2*",".{0,1000}574583d2e4b8f71d7aa57ed24c4015e37bdfe937bcd7f0d708f300eac9bc33e2.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","27028" "*574aeb6cb673aa96cab6fa82656126f1ece4079edf89f68de09a3fce708ad47e*",".{0,1000}574aeb6cb673aa96cab6fa82656126f1ece4079edf89f68de09a3fce708ad47e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27031" "*57556703267587c0017816c99be4a8a9b7ddead80a45dfce31b2fdab2a0304a5*",".{0,1000}57556703267587c0017816c99be4a8a9b7ddead80a45dfce31b2fdab2a0304a5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27033" "*5757b774c407cc8a6ce5f9601b244730635a30efcb0015fe454610850b14d38d*",".{0,1000}5757b774c407cc8a6ce5f9601b244730635a30efcb0015fe454610850b14d38d.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","27034" "*575a6a7a4c23274aefb4eff8c0614036cc1999f108142741ce5296e4ce00811b*",".{0,1000}575a6a7a4c23274aefb4eff8c0614036cc1999f108142741ce5296e4ce00811b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27035" "*575d5c5a96d166ad29c143689914c8879e3b221f77a6394401572857d4c47a1f*",".{0,1000}575d5c5a96d166ad29c143689914c8879e3b221f77a6394401572857d4c47a1f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - 
Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27037" "*575e1d6d536f108f69b6819153087396e08464cfb316fe6caadfb85fcbd79d13*",".{0,1000}575e1d6d536f108f69b6819153087396e08464cfb316fe6caadfb85fcbd79d13.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27038" "*575fa9f32f88855c0e945bc076061933bbd0991f640b12da69e3a209b307decb*",".{0,1000}575fa9f32f88855c0e945bc076061933bbd0991f640b12da69e3a209b307decb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27039" "*5764a26b8264e91df0c05734703091f170a3b54b91c75e759144477b992f6d5b*",".{0,1000}5764a26b8264e91df0c05734703091f170a3b54b91c75e759144477b992f6d5b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - 
T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27041" "*57686610f48447abf26f273f9a45fd26b76072d0894eabe073c1fe41dce4b5d4*",".{0,1000}57686610f48447abf26f273f9a45fd26b76072d0894eabe073c1fe41dce4b5d4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27045" "*576a8db5b58802c8e1e345992fc348cedbf88e6c1fbe73733a5c7b5ad15b6179*",".{0,1000}576a8db5b58802c8e1e345992fc348cedbf88e6c1fbe73733a5c7b5ad15b6179.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - 
FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27047" "*5772da1ce34daccb2ff7854cc83c6f37321041b8b103d047bdb77e4ecc031113*",".{0,1000}5772da1ce34daccb2ff7854cc83c6f37321041b8b103d047bdb77e4ecc031113.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","27048" "*57732d0896ef1f328a07db06da39b1fae33ed0357a2003d662b2293f500bd956*",".{0,1000}57732d0896ef1f328a07db06da39b1fae33ed0357a2003d662b2293f500bd956.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27049" "*5785f21245163c072e0f3acc39f86e5d105bf54c0245bbfcba5d2d21d1d6f301*",".{0,1000}5785f21245163c072e0f3acc39f86e5d105bf54c0245bbfcba5d2d21d1d6f301.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27055" "*57944ea45f77ef9b4757a95c077b30af638ed72c1399e75356f08cae37a3965f*",".{0,1000}57944ea45f77ef9b4757a95c077b30af638ed72c1399e75356f08cae37a3965f.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","27060" "*57b5c5dbb54b9438aec465b9112ff4936876172c09f35746ddaa8792b52eb347*",".{0,1000}57b5c5dbb54b9438aec465b9112ff4936876172c09f35746ddaa8792b52eb347.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27067" "*57d460230411f7d23ab6cd3463c737c657c0225df3a1aac75e049ca9d66f5763*",".{0,1000}57d460230411f7d23ab6cd3463c737c657c0225df3a1aac75e049ca9d66f5763.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27073" "*57ec0021464f26379ee9242f6b517b4276fb7e431cd963df8950dcec8c83d6ba*",".{0,1000}57ec0021464f26379ee9242f6b517b4276fb7e431cd963df8950dcec8c83d6ba.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27079" 
"*57f265c72747a75c914118d2f69550b534d661f49bf8684c81f7ef75c952f97a*",".{0,1000}57f265c72747a75c914118d2f69550b534d661f49bf8684c81f7ef75c952f97a.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27082" "*5805e0f064ce3aa72e5a0b4dd00c0bf4150995cb1f1b7b80f2b3a78da78d1d27*",".{0,1000}5805e0f064ce3aa72e5a0b4dd00c0bf4150995cb1f1b7b80f2b3a78da78d1d27.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","27087" "*58170b311be68a8149d51edce1c837bc1feb49b0f6b95b64a0bf76c2a7820a52*",".{0,1000}58170b311be68a8149d51edce1c837bc1feb49b0f6b95b64a0bf76c2a7820a52.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27092" "*581f25669bf62fbf90100987fc62d36c31e6781f1dd89e155e45e79c17fda0bf*",".{0,1000}581f25669bf62fbf90100987fc62d36c31e6781f1dd89e155e45e79c17fda0bf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27093" 
"*5828751f5c11d3f77fbae66a616adf3a46fe1e09c130d282830597718769b869*",".{0,1000}5828751f5c11d3f77fbae66a616adf3a46fe1e09c130d282830597718769b869.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27096" "*5829a7b027c1fe0c12ba6e6fa4e53e8d21c94de346c0c3919a73da2565561979*",".{0,1000}5829a7b027c1fe0c12ba6e6fa4e53e8d21c94de346c0c3919a73da2565561979.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27098" "*582b8f96d51ff83c2daf3970faa3c141a18dc8b1af0b23a3dc40aee1d04c6702*",".{0,1000}582b8f96d51ff83c2daf3970faa3c141a18dc8b1af0b23a3dc40aee1d04c6702.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","27099" "*5852511a70f384dcf32e29b3ec2f3d10d2704fdaae504d07d3876a887ca05cf4*",".{0,1000}5852511a70f384dcf32e29b3ec2f3d10d2704fdaae504d07d3876a887ca05cf4.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27107" 
"*58553520765d913785914cb41570a76668b07e43c40d313841f7c03fddc899cd*",".{0,1000}58553520765d913785914cb41570a76668b07e43c40d313841f7c03fddc899cd.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27108" "*58574690db6cfff0ffa7864a0a13265ae1bd37d5fc3b0d9e0c88a1f7d69c193d*",".{0,1000}58574690db6cfff0ffa7864a0a13265ae1bd37d5fc3b0d9e0c88a1f7d69c193d.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27109" "*585ed5d6cb415cd94af39825a85dfec415f92249a8d57b5a6159537720958f42*",".{0,1000}585ed5d6cb415cd94af39825a85dfec415f92249a8d57b5a6159537720958f42.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","27113" "*586553898cc1e9e1f3198d7a0c5d84a34ca4709a35013954a3e648f09e65aa37*",".{0,1000}586553898cc1e9e1f3198d7a0c5d84a34ca4709a35013954a3e648f09e65aa37.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27115" "*58656a39bbc9b0783409bf1bb86c17591e16b49158deac844de7ddddeea1374f*",".{0,1000}58656a39bbc9b0783409bf1bb86c17591e16b49158deac844de7ddddeea1374f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27116" "*5868fed5581f3fb186c94b6be63f8b056c571159edb65cc5dafb84553e888d39*",".{0,1000}5868fed5581f3fb186c94b6be63f8b056c571159edb65cc5dafb84553e888d39.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","27118" 
"*587f5b4be33a2f66eb23329d57ebf8383de3b5ab30096b048bcc0eaf3b9ae310*",".{0,1000}587f5b4be33a2f66eb23329d57ebf8383de3b5ab30096b048bcc0eaf3b9ae310.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","27121" "*588883f038421d2b273d9c10da1b195a75ca107c274645cf620934d8ee037e9e*",".{0,1000}588883f038421d2b273d9c10da1b195a75ca107c274645cf620934d8ee037e9e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27123" "*58905c69879fe708108827034d276893c207432decd282a1495e8752a392fa58*",".{0,1000}58905c69879fe708108827034d276893c207432decd282a1495e8752a392fa58.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","27128" "*589472bbf12e3f53c7cf3447a6b280dd9931600441c8251472c01b3ff5b36c8f*",".{0,1000}589472bbf12e3f53c7cf3447a6b280dd9931600441c8251472c01b3ff5b36c8f.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER 
BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","27130" "*589f0861ae990113c24fed3527dc6b15d3b9108bfbda358ed10503800820508a*",".{0,1000}589f0861ae990113c24fed3527dc6b15d3b9108bfbda358ed10503800820508a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27133" "*58a1d3e8d51cc32760153418672a3a0a7d81b2996895fa533614842ca0a75c98*",".{0,1000}58a1d3e8d51cc32760153418672a3a0a7d81b2996895fa533614842ca0a75c98.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27134" "*58cea3ee018d8f72239d639b012df07d9b0d22e49ecbe2522461db439643fb11*",".{0,1000}58cea3ee018d8f72239d639b012df07d9b0d22e49ecbe2522461db439643fb11.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27153" "*58d81810dda7c93466ab675fb3429d65f4b658ee9c1c1c7113276906abc31de2*",".{0,1000}58d81810dda7c93466ab675fb3429d65f4b658ee9c1c1c7113276906abc31de2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27155" "*58edc63c43a77b5d217b081b9597824ff4831de52ce2491bcff4c62ce6888e2f*",".{0,1000}58edc63c43a77b5d217b081b9597824ff4831de52ce2491bcff4c62ce6888e2f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27161" "*58f05a0c076f117a861b408411b8c4f1d1e6e3a9f15fdc0501a99a423f80f6bc*",".{0,1000}58f05a0c076f117a861b408411b8c4f1d1e6e3a9f15fdc0501a99a423f80f6bc.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27162" "*5905b6c9baf13f679341eacf487f13d70d49b43e71c3d9dde099fb0f21bfe02a*",".{0,1000}5905b6c9baf13f679341eacf487f13d70d49b43e71c3d9dde099fb0f21bfe02a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27167" 
"*590d4460b86bb3ce31fbe5b9089ba75315062f7ba0cb018edd14f3a694e80d2e*",".{0,1000}590d4460b86bb3ce31fbe5b9089ba75315062f7ba0cb018edd14f3a694e80d2e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27170" "*5952611ae5f32afa4649c7414dab74436554ca71518ec8bf941041673818a639*",".{0,1000}5952611ae5f32afa4649c7414dab74436554ca71518ec8bf941041673818a639.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27183" "*5953e84b6a1590568b6d77a0b75093552577aa61484aff41b3ad0fb35c68719f*",".{0,1000}5953e84b6a1590568b6d77a0b75093552577aa61484aff41b3ad0fb35c68719f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27186" "*59554c5966d4d1c5d8d16235cca887de9c96211e5080766642f67081856f8453*",".{0,1000}59554c5966d4d1c5d8d16235cca887de9c96211e5080766642f67081856f8453.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27187" "*59606376cabc50a19af3732cddbbcda40c59e0c85aa6bc0320420a6a19abca49*",".{0,1000}59606376cabc50a19af3732cddbbcda40c59e0c85aa6bc0320420a6a19abca49.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27190" "*59b2d72c684e869bb6d4a5d37bb1c165c0c4432f20a6f4204ae6e7de1e632587*",".{0,1000}59b2d72c684e869bb6d4a5d37bb1c165c0c4432f20a6f4204ae6e7de1e632587.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27205" "*59b97a0dd632d3cb6741d58d315bab9e1407bacd3c5129554cc3a61770ece321*",".{0,1000}59b97a0dd632d3cb6741d58d315bab9e1407bacd3c5129554cc3a61770ece321.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to 
internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27207" "*59d935b141966f1706eaf690c8937ef1f4a75303b2852f3fcbd6b77d1287d744*",".{0,1000}59d935b141966f1706eaf690c8937ef1f4a75303b2852f3fcbd6b77d1287d744.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27214" "*59ffde09a3efbb8259e3f5523aa1a87802c3db701f050cc411ee3774cd78d050*",".{0,1000}59ffde09a3efbb8259e3f5523aa1a87802c3db701f050cc411ee3774cd78d050.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","27223" "*5a0e13e12f2c0091e1705f652a830e95b733b3d9c111b2765728d77d8e1044cb*",".{0,1000}5a0e13e12f2c0091e1705f652a830e95b733b3d9c111b2765728d77d8e1044cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27227" "*5a1790facd6c8aea4b8c49a0e8d4aaa2f65e367a5d15c8f58014d62a8668b4df*",".{0,1000}5a1790facd6c8aea4b8c49a0e8d4aaa2f65e367a5d15c8f58014d62a8668b4df.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27230" "*5a19b174e1c46c7f3591c79dc5264d43bb68c9537393a8cecd6269567b821778",".{0,1000}5a19b174e1c46c7f3591c79dc5264d43bb68c9537393a8cecd6269567b821778","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","27231" "*5a2a70b546bff92253c289e56d19746ee64a3944d14b6afa833e9991035ca18c*",".{0,1000}5a2a70b546bff92253c289e56d19746ee64a3944d14b6afa833e9991035ca18c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27236" 
"*5a57e519ca408107e53cc361cc237e3e57929721bc3eabebc5ab5b1275adca6d*",".{0,1000}5a57e519ca408107e53cc361cc237e3e57929721bc3eabebc5ab5b1275adca6d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27248" "*5a5cbc0b756cbda7a9ac64ca5a0ad33899bd3ea9ae42113389c230a164900b74*",".{0,1000}5a5cbc0b756cbda7a9ac64ca5a0ad33899bd3ea9ae42113389c230a164900b74.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","27250" "*5a65d7c3fda43337fd1422f92403901a460c12a37f89da6cb70833802a2f1c9b*",".{0,1000}5a65d7c3fda43337fd1422f92403901a460c12a37f89da6cb70833802a2f1c9b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27251" "*5a6e7d5c10789763b0b06442dbc7f723f8ea9aec1402abedf439c6801a8d86f2*",".{0,1000}5a6e7d5c10789763b0b06442dbc7f723f8ea9aec1402abedf439c6801a8d86f2.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","27253" 
"*5a7cd4fcf7cecb7d346af8e28b49ad66c43d5bb34610485dde2210cadba3d8c2*",".{0,1000}5a7cd4fcf7cecb7d346af8e28b49ad66c43d5bb34610485dde2210cadba3d8c2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27256" "*5a93f69793e4cc75fc1670a79d91a52fe5f10386e355e14593df0322e70436e9*",".{0,1000}5a93f69793e4cc75fc1670a79d91a52fe5f10386e355e14593df0322e70436e9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27261" "*5aa6d23a262a238dbddddf45fa06d182673142a416002dc70e4c893f9aee723f*",".{0,1000}5aa6d23a262a238dbddddf45fa06d182673142a416002dc70e4c893f9aee723f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27266" "*5ab3fd2f7133bb9d297ebdfda1c2cf7af45baf3149b7d29932202e2ccb79c21f*",".{0,1000}5ab3fd2f7133bb9d297ebdfda1c2cf7af45baf3149b7d29932202e2ccb79c21f.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor 
reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","27269" "*5abf08594b53850df4821a89755c9578b357577b1f356b2346b0eda7f1e47ba4*",".{0,1000}5abf08594b53850df4821a89755c9578b357577b1f356b2346b0eda7f1e47ba4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27271" "*5ad396bc221aefa47d1192d6df11193240891ea3a88d0f0b941e1cb2967e2a01*",".{0,1000}5ad396bc221aefa47d1192d6df11193240891ea3a88d0f0b941e1cb2967e2a01.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27276" "*5ad984e4bc9cf2b67a414f99c48b2f5621b12efaa1c838e4a6a13a7333641dc7*",".{0,1000}5ad984e4bc9cf2b67a414f99c48b2f5621b12efaa1c838e4a6a13a7333641dc7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27277" "*5adb4c5fe0675627461000a63156001301ec7cade966c55c8c4ebcfaeb62c5ae*",".{0,1000}5adb4c5fe0675627461000a63156001301ec7cade966c55c8c4ebcfaeb62c5ae.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of 
ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27279" "*5aeed3259b4eb939caaa942220100f05e3f52ca92eb24eb5e3afbba02dc702d9*",".{0,1000}5aeed3259b4eb939caaa942220100f05e3f52ca92eb24eb5e3afbba02dc702d9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27285" "*5afe89b3106bcaeff0d314414f4e06de24643dd161b2ecf5a72a602115d2404d*",".{0,1000}5afe89b3106bcaeff0d314414f4e06de24643dd161b2ecf5a72a602115d2404d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27290" "*5aff1db3460b4328a757445d54833c5f89b7a38725982e0f7c84ce0975cc60d4*",".{0,1000}5aff1db3460b4328a757445d54833c5f89b7a38725982e0f7c84ce0975cc60d4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27291" "*5b036a1f20522f45ddfe9956f4014efe311daed29a6888959f0822ff72da948f*",".{0,1000}5b036a1f20522f45ddfe9956f4014efe311daed29a6888959f0822ff72da948f.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","27294" "*5b0b491a401d5031b75aaa1bfe8ab32d55befb03d7cb627de72409fce0b5a103*",".{0,1000}5b0b491a401d5031b75aaa1bfe8ab32d55befb03d7cb627de72409fce0b5a103.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27299" "*5b0df831f2bc06c6eaed5c6fd4d109044aa74463465dfce792c64962f2512ac2*",".{0,1000}5b0df831f2bc06c6eaed5c6fd4d109044aa74463465dfce792c64962f2512ac2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27300" "*5b17f4c89bc1da1563f8d8f68383de6e80b43fc71c57ea97ba27530536592f6e*",".{0,1000}5b17f4c89bc1da1563f8d8f68383de6e80b43fc71c57ea97ba27530536592f6e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27302" 
"*5b26b766b18f4373017a3c7fb5f771673d00e793eedfad822d4cefb7e736fe59*",".{0,1000}5b26b766b18f4373017a3c7fb5f771673d00e793eedfad822d4cefb7e736fe59.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","27304" "*5b27422ee31eae2baaae829f40587c82342d6539aa84886b24af48c33fb1724a*",".{0,1000}5b27422ee31eae2baaae829f40587c82342d6539aa84886b24af48c33fb1724a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27305" "*5b3ae3dde66a377dec786323215a45d10f55ada626d29a2890d2f4915111b7a7*",".{0,1000}5b3ae3dde66a377dec786323215a45d10f55ada626d29a2890d2f4915111b7a7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27312" 
"*5b4204056ae94aa8281218656a1b3566eaaea2ddf4874eccb4a9c23cf9bc0fd0*",".{0,1000}5b4204056ae94aa8281218656a1b3566eaaea2ddf4874eccb4a9c23cf9bc0fd0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27313" "*5b46612254dcaec09a6f7ddae70e116f77c0f87ac7988dc379b34d0fd4bbc4c4*",".{0,1000}5b46612254dcaec09a6f7ddae70e116f77c0f87ac7988dc379b34d0fd4bbc4c4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27316" "*5b5327952836163d6a5c2a9ae0d300daebcae8b8066fd2cebf1e3907ccb0b3fd*",".{0,1000}5b5327952836163d6a5c2a9ae0d300daebcae8b8066fd2cebf1e3907ccb0b3fd.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27320" "*5b550c4dc2a7eb2591bd6a2fb4f6b17ea9853ca704c688684f48cc8d32a99f2a*",".{0,1000}5b550c4dc2a7eb2591bd6a2fb4f6b17ea9853ca704c688684f48cc8d32a99f2a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE 
- INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27321" "*5b65d6f452aacc65b9282a842c5c327bf27bb92c11d73ed5466ba29f582bea07*",".{0,1000}5b65d6f452aacc65b9282a842c5c327bf27bb92c11d73ed5466ba29f582bea07.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27344" "*5b79752442c96dcf99703efaf74cdf828a4c2fbc805f5352ab77c9ccd40ae47a*",".{0,1000}5b79752442c96dcf99703efaf74cdf828a4c2fbc805f5352ab77c9ccd40ae47a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27348" "*5b7c15f9e14042a99c38515ddfa694f188f59d72bde10ce341d86cbf7f801b19*",".{0,1000}5b7c15f9e14042a99c38515ddfa694f188f59d72bde10ce341d86cbf7f801b19.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27349" "*5b8d4fddcbe0c9e1e82bf8ca30b97bde3fff668741e49a260d6c13c55584bbc9*",".{0,1000}5b8d4fddcbe0c9e1e82bf8ca30b97bde3fff668741e49a260d6c13c55584bbc9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27350" "*5b8d5d644183b44b2b7387394d321875fb49da9dc333f8489d22d8f792189538*",".{0,1000}5b8d5d644183b44b2b7387394d321875fb49da9dc333f8489d22d8f792189538.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27351" "*5b91ee887762007cd9fef64003a70c496f855602d1bbb1c32a364008611f98ff*",".{0,1000}5b91ee887762007cd9fef64003a70c496f855602d1bbb1c32a364008611f98ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive 
- Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27352" "*5b9244ba79420f46fc1a1cf762c3497767bc93b863f0224ce7d5051f81a6120e*",".{0,1000}5b9244ba79420f46fc1a1cf762c3497767bc93b863f0224ce7d5051f81a6120e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27353" "*5b94b821a76615c0557b5c98c66253e72f86a1b1ed18c908cf370b603fa10c3f*",".{0,1000}5b94b821a76615c0557b5c98c66253e72f86a1b1ed18c908cf370b603fa10c3f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27354" "*5b992399231bc699bda60ec893e9c5af0ccded956ebfe5d02eaa41cb91fea9c8*",".{0,1000}5b992399231bc699bda60ec893e9c5af0ccded956ebfe5d02eaa41cb91fea9c8.{0,1000}","greyware_tool_keyword","ChromeCookiesView","displays the list of all cookies stored by Google Chrome Web browser - abused by attackers","T1539 - T1005 - T1070.004 - T1552.001","TA0006 - TA0008 - TA0009","N/A","Evilnum - MuddyWater","Credential Access","https://www.nirsoft.net/utils/chrome_cookies_view.html","1","0","#filehash","https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf","8","10","N/A","N/A","N/A","N/A","27356" 
"*5ba980906682ff6eb47a50cb6208901518e62d013ff46075e96a919331dc23b4*",".{0,1000}5ba980906682ff6eb47a50cb6208901518e62d013ff46075e96a919331dc23b4.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27363" "*5babcba4005adce8f620995f2a56e5d6bdcf6695f52a539bdaeaff889d47e8b5*",".{0,1000}5babcba4005adce8f620995f2a56e5d6bdcf6695f52a539bdaeaff889d47e8b5.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27364" "*5bb545bf51618a253b1ccc145bf97c8ab29d9118d6ac5e90b9bfc33bb988c3d7*",".{0,1000}5bb545bf51618a253b1ccc145bf97c8ab29d9118d6ac5e90b9bfc33bb988c3d7.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","27366" "*5bcc7e32569cd90fa4b7d1f076b0d3a52da1623234bdca585c4bd54bcaf2bb31*",".{0,1000}5bcc7e32569cd90fa4b7d1f076b0d3a52da1623234bdca585c4bd54bcaf2bb31.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - 
Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27371" "*5bd03e78eb4874efb664163998e6aca949efc7f67d415daac30f4b706430d23b*",".{0,1000}5bd03e78eb4874efb664163998e6aca949efc7f67d415daac30f4b706430d23b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27372" "*5bd0bc535d1ea4a5e64268411c217992b00550ddf125c03830bbdbbc4a568756*",".{0,1000}5bd0bc535d1ea4a5e64268411c217992b00550ddf125c03830bbdbbc4a568756.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27373" 
"*5bd56a5da478c542e8265d5fd15fe8ba90f720bbb6a2649ea6c4ddd5acb77d85*",".{0,1000}5bd56a5da478c542e8265d5fd15fe8ba90f720bbb6a2649ea6c4ddd5acb77d85.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27374" "*5bdbde8744cb35a016a5af05c34df1e709d8c731dfc4206e5725e2dead801e9b*",".{0,1000}5bdbde8744cb35a016a5af05c34df1e709d8c731dfc4206e5725e2dead801e9b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27376" "*5be16e35f6b1f8339af50531e3c165d3287f2bba9d1ad27a9c4e601364a0eb5c*",".{0,1000}5be16e35f6b1f8339af50531e3c165d3287f2bba9d1ad27a9c4e601364a0eb5c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27377" "*5bf7ab659ccc836dc47a5c60a8bc653aaed5ff945334f4f1af0ed596c23523c6*",".{0,1000}5bf7ab659ccc836dc47a5c60a8bc653aaed5ff945334f4f1af0ed596c23523c6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27382" 
"*5bf8796898cefcaced122d5188653d74ccf4412a3686f84cbcc312ebc1bd74ea*",".{0,1000}5bf8796898cefcaced122d5188653d74ccf4412a3686f84cbcc312ebc1bd74ea.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27383" "*5bfbd898b6368c600e44b9cdff5ec284e4ca7131c2eb0c281c5d641a325b632b*",".{0,1000}5bfbd898b6368c600e44b9cdff5ec284e4ca7131c2eb0c281c5d641a325b632b.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","27384" "*5bfc3639ab04d2456ed2e69be163a1b0734f14518b46ab711bac4c23e74585b0*",".{0,1000}5bfc3639ab04d2456ed2e69be163a1b0734f14518b46ab711bac4c23e74585b0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27385" "*5c07c9629ef48531f27c2fc5307c43123beb162408187c52ab1ca08018b24420*",".{0,1000}5c07c9629ef48531f27c2fc5307c43123beb162408187c52ab1ca08018b24420.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27387" "*5c089eabdf1c1446168d69c1efad0fae0d0217d8a671539bf859fe823248850d*",".{0,1000}5c089eabdf1c1446168d69c1efad0fae0d0217d8a671539bf859fe823248850d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27388" "*5c0c101aa1f0e6a4ed5a67831b13a88ed9c678aaa8c2860dcdc191a8a073c153*",".{0,1000}5c0c101aa1f0e6a4ed5a67831b13a88ed9c678aaa8c2860dcdc191a8a073c153.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27389" "*5c0f7d058401e664d0c6f244a0c928a8cc4dcf4db038896118f7b94e35cc6c46*",".{0,1000}5c0f7d058401e664d0c6f244a0c928a8cc4dcf4db038896118f7b94e35cc6c46.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27391" "*5c216f9f08efbdf84977ccdba2af0c7772f64050fe6b2db47648fbd1cce8bb9d*",".{0,1000}5c216f9f08efbdf84977ccdba2af0c7772f64050fe6b2db47648fbd1cce8bb9d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 
- T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27395" "*5c247bb774e29eb43ef20279ae9d8cee98cd0ec4028dd282a09f0bb84f379976*",".{0,1000}5c247bb774e29eb43ef20279ae9d8cee98cd0ec4028dd282a09f0bb84f379976.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27396" "*5c2d0b397de15a471cf79a465abbd2e3f64e058f6e51c095ede53623f7df73b6*",".{0,1000}5c2d0b397de15a471cf79a465abbd2e3f64e058f6e51c095ede53623f7df73b6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27399" "*5c3128dfd3f4d604afa6e602aca4a346d758d889400eb74584c88f1e40fe9bac*",".{0,1000}5c3128dfd3f4d604afa6e602aca4a346d758d889400eb74584c88f1e40fe9bac.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable 
Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27400" "*5c3e73cd1ce2876596cad9dccb83f6243d0d6720b1059a663a36b084be5108d3*",".{0,1000}5c3e73cd1ce2876596cad9dccb83f6243d0d6720b1059a663a36b084be5108d3.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27404" "*5c4247c201d5bfb98cd4021c4cf0dd732c4fa47daeb4c70fcb29f7ddfe1b5760*",".{0,1000}5c4247c201d5bfb98cd4021c4cf0dd732c4fa47daeb4c70fcb29f7ddfe1b5760.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","27405" "*5c470be4bbc5ffc24dfbde00aba320a8eb66a4bd2889a02e4e97a5c12117e061*",".{0,1000}5c470be4bbc5ffc24dfbde00aba320a8eb66a4bd2889a02e4e97a5c12117e061.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27407" 
"*5c4828f6e89b6f2479b671d3e7644b34b6968a6017cac402144c844b48dcc621*",".{0,1000}5c4828f6e89b6f2479b671d3e7644b34b6968a6017cac402144c844b48dcc621.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27408" "*5c4bcebb1782c9cf6c993a076f306555f62b1c8b14e149478ab2358d5a6ca517*",".{0,1000}5c4bcebb1782c9cf6c993a076f306555f62b1c8b14e149478ab2358d5a6ca517.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27409" "*5c57f75dbcf90f4c266cb0014be4ca76d97cff330c575709bd5e3d3635602dda*",".{0,1000}5c57f75dbcf90f4c266cb0014be4ca76d97cff330c575709bd5e3d3635602dda.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27413" "*5c5f9caf38211a475f8ac568a647057bbfb8d7d60476bc04bcbff91107c88c1e*",".{0,1000}5c5f9caf38211a475f8ac568a647057bbfb8d7d60476bc04bcbff91107c88c1e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a 
command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27417" "*5c706aa708b87098f372add5b7c1693e4255462da1cd0f08ce60918e030a6085*",".{0,1000}5c706aa708b87098f372add5b7c1693e4255462da1cd0f08ce60918e030a6085.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27420" "*5c719ef1f9879116c9713a26e57c7afb318d99e5a8417c6b168a63f71baee5e4*",".{0,1000}5c719ef1f9879116c9713a26e57c7afb318d99e5a8417c6b168a63f71baee5e4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27421" 
"*5c80fae298c7042c21a46ba76985ab79303001af8b26ea073712d5bff68c7215*",".{0,1000}5c80fae298c7042c21a46ba76985ab79303001af8b26ea073712d5bff68c7215.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27425" "*5c89234b305a4a87b77598e6c4490a789cf9312575e3490f226a301bbe76d3e9*",".{0,1000}5c89234b305a4a87b77598e6c4490a789cf9312575e3490f226a301bbe76d3e9.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27429" "*5ca2f9a346f1354af9a7adcfbf04107fb21395fbc37515686ce6c45b07d4c4b3*",".{0,1000}5ca2f9a346f1354af9a7adcfbf04107fb21395fbc37515686ce6c45b07d4c4b3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27439" "*5cedb2be0214c177fd47bf230b841ede60a2a6f688ffbc11bae03bac311c4e97*",".{0,1000}5cedb2be0214c177fd47bf230b841ede60a2a6f688ffbc11bae03bac311c4e97.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27451" "*5cf4ae2ea95c4c56eda8749f2175fe9afa9242421ce25bf75dece792e62225c6*",".{0,1000}5cf4ae2ea95c4c56eda8749f2175fe9afa9242421ce25bf75dece792e62225c6.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","27454" "*5d0ecf49504bea4cf3f58d59114d1e0e5de95765ed98e903ffb81f144685bce6*",".{0,1000}5d0ecf49504bea4cf3f58d59114d1e0e5de95765ed98e903ffb81f144685bce6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27464" 
"*5d18beee77287ecec07f1f285f8840deabbf3f559012eb0ca9152551c55442c7*",".{0,1000}5d18beee77287ecec07f1f285f8840deabbf3f559012eb0ca9152551c55442c7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27468" "*5d1cf73d662aa8ef604855576ba9fa9cec217c18b4afa0794ab659b386112030*",".{0,1000}5d1cf73d662aa8ef604855576ba9fa9cec217c18b4afa0794ab659b386112030.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27469" "*5d218a0f83fc6ce4ff5018178e2f5af92a211b026391b76c9649c7d0ddb11ca1*",".{0,1000}5d218a0f83fc6ce4ff5018178e2f5af92a211b026391b76c9649c7d0ddb11ca1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27470" "*5d276ca132df392f3d1c47154ac4c72f984d8c8800bdcd28c3491340304efac6*",".{0,1000}5d276ca132df392f3d1c47154ac4c72f984d8c8800bdcd28c3491340304efac6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27487" "*5d2fec2dafb0fd853fa2ff9d4b1314fe47470b59ce0b4d2f3e004d8f4b2bb339*",".{0,1000}5d2fec2dafb0fd853fa2ff9d4b1314fe47470b59ce0b4d2f3e004d8f4b2bb339.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27490" "*5d80f05f43ad9ed6f6e2ed7ec55dbac0a987e58eac50129772a27ac2ad5ebeff*",".{0,1000}5d80f05f43ad9ed6f6e2ed7ec55dbac0a987e58eac50129772a27ac2ad5ebeff.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27507" 
"*5d86a4eb9a7178bb95ce83bf687929a433c9a4aaa2ba92b6330b393709acf745*",".{0,1000}5d86a4eb9a7178bb95ce83bf687929a433c9a4aaa2ba92b6330b393709acf745.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27509" "*5d898cf2240a260db3594fa1f059961987fecbc042d50d27910bf291e4461281*",".{0,1000}5d898cf2240a260db3594fa1f059961987fecbc042d50d27910bf291e4461281.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27510" "*5db5f0645d51e2e7c8a2a3ee4c66b65f3c4e483716e8106220ff2c3358415596*",".{0,1000}5db5f0645d51e2e7c8a2a3ee4c66b65f3c4e483716e8106220ff2c3358415596.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","27522" 
"*5dbe659f612640086d3a7dc05b397f4e444c92d784951c49bfe4020b934cb559*",".{0,1000}5dbe659f612640086d3a7dc05b397f4e444c92d784951c49bfe4020b934cb559.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27524" "*5dc1924bef12ac4d6b3a428b16f92545e54a4f2a53ccf416f327cab35eed20b5*",".{0,1000}5dc1924bef12ac4d6b3a428b16f92545e54a4f2a53ccf416f327cab35eed20b5.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27526" "*5dc863dba915a904465b9da951175ecc957fe3e016d1a026b3688a5c1cfadd80*",".{0,1000}5dc863dba915a904465b9da951175ecc957fe3e016d1a026b3688a5c1cfadd80.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27527" "*5dd33ccba1c352f77d7578c5360c6f913092ea2f43ecbf919baf95b563902e2d*",".{0,1000}5dd33ccba1c352f77d7578c5360c6f913092ea2f43ecbf919baf95b563902e2d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27529" 
"*5ddc8f41b610fd28ff2a50d363f3085640b3af7278103524bff3075ca2dd993d*",".{0,1000}5ddc8f41b610fd28ff2a50d363f3085640b3af7278103524bff3075ca2dd993d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27530" "*5de51fda0577a049945e42f386df70a8e9eb2769af96bb6b7471cb5072605be0*",".{0,1000}5de51fda0577a049945e42f386df70a8e9eb2769af96bb6b7471cb5072605be0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27531" "*5e041b19ba9ca6a5255679b353099946065edfdf951d807db2587fa8c95b1447*",".{0,1000}5e041b19ba9ca6a5255679b353099946065edfdf951d807db2587fa8c95b1447.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27543" "*5e0426cef7b6c07eb8844af83c77aed5deae6b05e380690f83acbcead46cfe99*",".{0,1000}5e0426cef7b6c07eb8844af83c77aed5deae6b05e380690f83acbcead46cfe99.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27544" 
"*5e08786b4e4cf505b679ee2e3e03922b9886d6876aa406b123b791cd94497ee0*",".{0,1000}5e08786b4e4cf505b679ee2e3e03922b9886d6876aa406b123b791cd94497ee0.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27547" "*5e2b755a50d007fc6f5807bae412ea3d35ca448bda47423e0f80a3692e3455a6*",".{0,1000}5e2b755a50d007fc6f5807bae412ea3d35ca448bda47423e0f80a3692e3455a6.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27557" "*5e396778b4dddc94afa030aa8cb23e4c2de4b9f2a9bc3a8ee5d43c0567c8c4eb*",".{0,1000}5e396778b4dddc94afa030aa8cb23e4c2de4b9f2a9bc3a8ee5d43c0567c8c4eb.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","27560" "*5e3df2bbf690bb6e9c58ac2ca4a1ae825d5242159846e5b712c89afd839f6f0c*",".{0,1000}5e3df2bbf690bb6e9c58ac2ca4a1ae825d5242159846e5b712c89afd839f6f0c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27562" 
"*5e47aac7b50d8ac6ce9ebba6c28ca58ef1332493fba47ab47ec1d2da61c7f6e2*",".{0,1000}5e47aac7b50d8ac6ce9ebba6c28ca58ef1332493fba47ab47ec1d2da61c7f6e2.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","27564" "*5e4ebdeae037d0b3320d9793e91c6fe838a8436047ba030d54a13937a0c195a6*",".{0,1000}5e4ebdeae037d0b3320d9793e91c6fe838a8436047ba030d54a13937a0c195a6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27566" "*5e71e62bfed96e5af56135c13f5e0c8ea26e589f8a7b74838d346954455cbbe0*",".{0,1000}5e71e62bfed96e5af56135c13f5e0c8ea26e589f8a7b74838d346954455cbbe0.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27575" "*5e7401fba3d86958c0efddc44addbba7dd34e629ba47501445f1bb9db88eb52a*",".{0,1000}5e7401fba3d86958c0efddc44addbba7dd34e629ba47501445f1bb9db88eb52a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27576" "*5e793d7d56ba10e446a23ee4523ade87336e1eff95cdded4312800bf3997e548*",".{0,1000}5e793d7d56ba10e446a23ee4523ade87336e1eff95cdded4312800bf3997e548.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27579" "*5e7d3bce04b582aea59098cb2b11082a63d900c521775d962528564d258f7110*",".{0,1000}5e7d3bce04b582aea59098cb2b11082a63d900c521775d962528564d258f7110.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27580" "*5e7f65847b489875621d1732cfe4e2c46b7ddf3b0ced8e4d5b4e56a4a4a3f2f8*",".{0,1000}5e7f65847b489875621d1732cfe4e2c46b7ddf3b0ced8e4d5b4e56a4a4a3f2f8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27581" "*5e993a83d506ed23eb4296fb718b1c2ed0dedeb5d3d65cc7860d6176cf0a0ee9*",".{0,1000}5e993a83d506ed23eb4296fb718b1c2ed0dedeb5d3d65cc7860d6176cf0a0ee9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - 
T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27588" "*5e99f3186a99ec653ec3dcc9d6b4e3b1cfd5993ee0a33692bdf571e3e54309a2*",".{0,1000}5e99f3186a99ec653ec3dcc9d6b4e3b1cfd5993ee0a33692bdf571e3e54309a2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27589" "*5ea16e19f72ef48bae23711ec666f2bc8e791ff51e3abf6158afb4f5997ceb0e*",".{0,1000}5ea16e19f72ef48bae23711ec666f2bc8e791ff51e3abf6158afb4f5997ceb0e.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","27590" "*5eb942ba9ed0d45d2ac1ea6ed02fbff802a69c408c8eb68155dd2fb7c6fabb0e*",".{0,1000}5eb942ba9ed0d45d2ac1ea6ed02fbff802a69c408c8eb68155dd2fb7c6fabb0e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27599" "*5eefcfc824818b2cdefcdf6719f5db13a4800434146f0b90ca3a30e2ad6e737f*",".{0,1000}5eefcfc824818b2cdefcdf6719f5db13a4800434146f0b90ca3a30e2ad6e737f.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - 
T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","27608" "*5ef00c89ac391313af63b02f4f8a1fa5509c6a6bddf98c2299a765548cae5ff8*",".{0,1000}5ef00c89ac391313af63b02f4f8a1fa5509c6a6bddf98c2299a765548cae5ff8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27609" "*5ety7tpkim5me6eszuwcje7bmy25pbtrjtue7zkqqgziljwqy3rrikqd.onion*",".{0,1000}5ety7tpkim5me6eszuwcje7bmy25pbtrjtue7zkqqgziljwqy3rrikqd\.onion.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","27610" "*5f1660b704a8b580082b81e14a41d2da9ff1edeebc59b885acb92f1ab1f46838*",".{0,1000}5f1660b704a8b580082b81e14a41d2da9ff1edeebc59b885acb92f1ab1f46838.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27617" "*5f1e553e2e9c1d7979f5a8eb99d701099a0f79dd0537a9c3fae283b225f50bba*",".{0,1000}5f1e553e2e9c1d7979f5a8eb99d701099a0f79dd0537a9c3fae283b225f50bba.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27618" "*5f2b814295bd21c4480661eac4a9c57b50030d7bf7a7fa4c6f9b0640feb5eb9c*",".{0,1000}5f2b814295bd21c4480661eac4a9c57b50030d7bf7a7fa4c6f9b0640feb5eb9c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27620" "*5f2cab7fc38140b2cc11a54ab687ab4fb8966ca4965822b8c85025d45a47c0fd*",".{0,1000}5f2cab7fc38140b2cc11a54ab687ab4fb8966ca4965822b8c85025d45a47c0fd.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27622" "*5f36bb51a099a20c72d69123aa5b17558fa78ba37b5d340b8db9877e4055ad0e*",".{0,1000}5f36bb51a099a20c72d69123aa5b17558fa78ba37b5d340b8db9877e4055ad0e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27625" 
"*5f3f60a71fa040a36be5de818e6f95c48e8a2ba368b700a079b593f0e281dbd8*",".{0,1000}5f3f60a71fa040a36be5de818e6f95c48e8a2ba368b700a079b593f0e281dbd8.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27626" "*5f43060bb9404309475297ee50dfe456863be25e3e4fc2e8c31300f471d3cc48*",".{0,1000}5f43060bb9404309475297ee50dfe456863be25e3e4fc2e8c31300f471d3cc48.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","27627" "*5f4e2217fe4e88c926dbe4d002e5bfaa47591a6e53b93df88596a654aaeae78d*",".{0,1000}5f4e2217fe4e88c926dbe4d002e5bfaa47591a6e53b93df88596a654aaeae78d.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","27630" "*5f523d5a29283d1581a3444d2bdfcab0afd70cb8e2991f1931e70f89e6d8b271*",".{0,1000}5f523d5a29283d1581a3444d2bdfcab0afd70cb8e2991f1931e70f89e6d8b271.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27631" "*5f5e1f211a29008034519f43427e42b2e24a19a3ce0068e9fe3083efe8303b3f*",".{0,1000}5f5e1f211a29008034519f43427e42b2e24a19a3ce0068e9fe3083efe8303b3f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a 
command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27633" "*5f6ea6654bdf44865cba30a5cb6286407d0362936dbc8a8ea2b6e7859881f99d*",".{0,1000}5f6ea6654bdf44865cba30a5cb6286407d0362936dbc8a8ea2b6e7859881f99d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27636" "*5f712eb517e8d795f053d28f443cddea953a0bfa339f78eed68a1c01566d84d3*",".{0,1000}5f712eb517e8d795f053d28f443cddea953a0bfa339f78eed68a1c01566d84d3.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27637" "*5f7c9ad77e37a5921450c013b9792dac4ea5ef5d3114ea9276585f62e2318a79*",".{0,1000}5f7c9ad77e37a5921450c013b9792dac4ea5ef5d3114ea9276585f62e2318a79.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27640" "*5f87b4ab00f09c64f4d30fcfbf19e9e6945971c74d28370c720e52b83f7decf3*",".{0,1000}5f87b4ab00f09c64f4d30fcfbf19e9e6945971c74d28370c720e52b83f7decf3.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","27642" "*5f9832e49d35fa40dd007cdb3cdddfea38ea63079cce124a01b43d7b47d4c6be*",".{0,1000}5f9832e49d35fa40dd007cdb3cdddfea38ea63079cce124a01b43d7b47d4c6be.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27647" "*5f9ea43593ac996fc08651431bfbce6408c6dabd0ea01881c56ef6d083e8b0bc*",".{0,1000}5f9ea43593ac996fc08651431bfbce6408c6dabd0ea01881c56ef6d083e8b0bc.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","27649" "*5fa64857a76906be355e08a22e0183096bc92e63747a216217356daec482bb7d*",".{0,1000}5fa64857a76906be355e08a22e0183096bc92e63747a216217356daec482bb7d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27652" 
"*5faec32114bf886341011597013896080abbcf823609e523fbdb61aed05a0839*",".{0,1000}5faec32114bf886341011597013896080abbcf823609e523fbdb61aed05a0839.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27656" "*5fbee208e22c036434bb65f38e01529922e5b09ea0fc55f5d870198e8330ad39*",".{0,1000}5fbee208e22c036434bb65f38e01529922e5b09ea0fc55f5d870198e8330ad39.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","27660" "*5fc4a7caff50594c717e7d8e5929d4cb3e1674d81fd345a29abadce0a86d22f3*",".{0,1000}5fc4a7caff50594c717e7d8e5929d4cb3e1674d81fd345a29abadce0a86d22f3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27662" 
"*5fd16aba9217f23c9bf91eb92f870f9b368f2a0da3b2799a88ac63454f2a0559*",".{0,1000}5fd16aba9217f23c9bf91eb92f870f9b368f2a0da3b2799a88ac63454f2a0559.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","27664" "*5fd97de0dbdb19233855fdef90e308f9817fbbe142ef1dbdf277858751ebe0fa*",".{0,1000}5fd97de0dbdb19233855fdef90e308f9817fbbe142ef1dbdf277858751ebe0fa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27667" "*5fec32c0fd6dae3b84bd2533e69916a65066176439e8b8481dffc2c565ac70cd*",".{0,1000}5fec32c0fd6dae3b84bd2533e69916a65066176439e8b8481dffc2c565ac70cd.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27673" "*5feca5a4d601ed393a3cc04d8bf3c41194ef56af155c326cf1e7fdfd130ef17a*",".{0,1000}5feca5a4d601ed393a3cc04d8bf3c41194ef56af155c326cf1e7fdfd130ef17a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local 
server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27674" "*5ff6757d8544719b70bfa25c08f13781421e260b60c9351c88a4898be159dff8*",".{0,1000}5ff6757d8544719b70bfa25c08f13781421e260b60c9351c88a4898be159dff8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27679" "*602b348fd6e3407423330d761b04dfdcd8094e552c1184db100c07058343f8d4*",".{0,1000}602b348fd6e3407423330d761b04dfdcd8094e552c1184db100c07058343f8d4.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","27694" "*60376b01b334a0cee3a59016f44dde8b336de2b6aa44f1e6e403d307990c47a0*",".{0,1000}60376b01b334a0cee3a59016f44dde8b336de2b6aa44f1e6e403d307990c47a0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27698" "*608149be78874ce1aced2a953d0df644c00e30449bff7b27e061ad40fe780b7b*",".{0,1000}608149be78874ce1aced2a953d0df644c00e30449bff7b27e061ad40fe780b7b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27708" "*608b6b396eed970d75d8030e8f54c5aa06ba7b2b368ddcd80f114da24a62f6de*",".{0,1000}608b6b396eed970d75d8030e8f54c5aa06ba7b2b368ddcd80f114da24a62f6de.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27710" "*60b349d6dd8d95be5dbc2e14da14573951ab1610e0e0e55a1b03d216fe15f8e2*",".{0,1000}60b349d6dd8d95be5dbc2e14da14573951ab1610e0e0e55a1b03d216fe15f8e2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27718" "*60cd72287033962ecbbe8c27c7cb84dd7aeabd183a338ca4195a5b5275138076*",".{0,1000}60cd72287033962ecbbe8c27c7cb84dd7aeabd183a338ca4195a5b5275138076.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written 
in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27723" "*60d86368165d01d88709d304757abcc642b0c165379438023fb3bc791a5b749f*",".{0,1000}60d86368165d01d88709d304757abcc642b0c165379438023fb3bc791a5b749f.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","27725" "*60e0928a261b230fb6fffc711348a4acc1a73a00d95a0060eecd96e9c7c16a82*",".{0,1000}60e0928a261b230fb6fffc711348a4acc1a73a00d95a0060eecd96e9c7c16a82.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27729" "*60e6f67d6d09c7986ee9b2683a77eb28d2004ef5c1fa45ef9b9358bca170fc16*",".{0,1000}60e6f67d6d09c7986ee9b2683a77eb28d2004ef5c1fa45ef9b9358bca170fc16.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27730" "*60e8a9e19b34ca6d9f1847504b7689b3f46b029ab07b4d13c6ccde026d78a0a4*",".{0,1000}60e8a9e19b34ca6d9f1847504b7689b3f46b029ab07b4d13c6ccde026d78a0a4.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - 
TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","#filehash","N/A","9","8","N/A","N/A","N/A","N/A","27731" "*60ed1672e90d8b25e01b2cba8fc4879821c23386c62f203961a08f7bb58c8708*",".{0,1000}60ed1672e90d8b25e01b2cba8fc4879821c23386c62f203961a08f7bb58c8708.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27732" "*60ee29ebb3683135c815b4e9b6681c92a445ac3f40e9302a70b65fca68ff5116*",".{0,1000}60ee29ebb3683135c815b4e9b6681c92a445ac3f40e9302a70b65fca68ff5116.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27733" "*60f5f94a3dd286eb0339e370e3a1e09af4f183b6b1aeefa3489eb6ff3e9d9983*",".{0,1000}60f5f94a3dd286eb0339e370e3a1e09af4f183b6b1aeefa3489eb6ff3e9d9983.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27735" 
"*611db45c564ffb1b67a85b2249f30e5a95f2b7ab2ceec403cb22555a708c61d9",".{0,1000}611db45c564ffb1b67a85b2249f30e5a95f2b7ab2ceec403cb22555a708c61d9","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","27743" "*612691d7e5100f1714fd4ce7c2ecee2c5b0447d68b480278d54ec58f6c7e2e29*",".{0,1000}612691d7e5100f1714fd4ce7c2ecee2c5b0447d68b480278d54ec58f6c7e2e29.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27746" "*612cce3091efba8b0094059435a5b58571bc2fff3b4bdb9936c16318c4ad7f2a*",".{0,1000}612cce3091efba8b0094059435a5b58571bc2fff3b4bdb9936c16318c4ad7f2a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27749" "*612e83530d894d3caee578b5f78c8627f168d9848ccc54bce7f7113c6dd79b56*",".{0,1000}612e83530d894d3caee578b5f78c8627f168d9848ccc54bce7f7113c6dd79b56.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for 
syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27751" "*6130adcd3415141a87525d6a511d996d1b17afd3f9876e48b36f866c86a9f7c6*",".{0,1000}6130adcd3415141a87525d6a511d996d1b17afd3f9876e48b36f866c86a9f7c6.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27752" "*6132e4428af9ea0647ad20d9044c6fc26b80e96471bc267ca78e7595cf1267a2*",".{0,1000}6132e4428af9ea0647ad20d9044c6fc26b80e96471bc267ca78e7595cf1267a2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27753" 
"*6133e8d04f789d3810b1c9fe24b0454ee821d809bae82e26642baa6f7a5312b6*",".{0,1000}6133e8d04f789d3810b1c9fe24b0454ee821d809bae82e26642baa6f7a5312b6.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27754" "*613428c4c54093ada2ee1b5c9fe1cccf8bf781bc07fc64071d0e21e55f99a0c1*",".{0,1000}613428c4c54093ada2ee1b5c9fe1cccf8bf781bc07fc64071d0e21e55f99a0c1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27755" "*613882f89a0dd563ae2f6aae3e14229d110bea4b1fa8e540f4581f93c927cb1c*",".{0,1000}613882f89a0dd563ae2f6aae3e14229d110bea4b1fa8e540f4581f93c927cb1c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27756" "*61482ef4ebfebd390cc8409ac09b486c61bc71295cdda882e1f9b5b3cd1cea4d*",".{0,1000}61482ef4ebfebd390cc8409ac09b486c61bc71295cdda882e1f9b5b3cd1cea4d.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and 
Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27760" "*614ad91e4364a92b3a011d2024f2d7098dfc661c9929268d24e8f3a258cc6d09*",".{0,1000}614ad91e4364a92b3a011d2024f2d7098dfc661c9929268d24e8f3a258cc6d09.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27762" "*616bcf6f1ebc84ce6c2f0469f6c38b08eabef2339dfca03d0782a54ae6cc6024*",".{0,1000}616bcf6f1ebc84ce6c2f0469f6c38b08eabef2339dfca03d0782a54ae6cc6024.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","27774" "*618b1a0d2bfebc9bc3e59b4c39e67082a445e5aeaaaa0fec9eded436dd64a2d4*",".{0,1000}618b1a0d2bfebc9bc3e59b4c39e67082a445e5aeaaaa0fec9eded436dd64a2d4.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - 
T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27781" "*61924a52c149b6ad50e462cebbdfc14c570293abdf1c97bddfe7c0c7580ada31*",".{0,1000}61924a52c149b6ad50e462cebbdfc14c570293abdf1c97bddfe7c0c7580ada31.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","27784" "*61b4d21b669ceb671b298a4ed4aa3c70b33d6e3e4281f7417336a76f684424ca*",".{0,1000}61b4d21b669ceb671b298a4ed4aa3c70b33d6e3e4281f7417336a76f684424ca.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27788" "*61c8c29cf73fe8fa440d5c051371bef924d969f95be3da8013bad867a778922c*",".{0,1000}61c8c29cf73fe8fa440d5c051371bef924d969f95be3da8013bad867a778922c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27795" "*61dc49f7c5b09a72e96329e43bb3a896c428da449bb67c7803d21eaabd7591b6*",".{0,1000}61dc49f7c5b09a72e96329e43bb3a896c428da449bb67c7803d21eaabd7591b6.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27800" "*61ff953579f1bd83798d1038df66aafbccb8baa85cc8049efb78a280c09d9768*",".{0,1000}61ff953579f1bd83798d1038df66aafbccb8baa85cc8049efb78a280c09d9768.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27805" "*6201141bf2fccd95737f27ca957b2b5a6700b5d0ef478c26636b975c4b41ef57*",".{0,1000}6201141bf2fccd95737f27ca957b2b5a6700b5d0ef478c26636b975c4b41ef57.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27806" "*6202bf76f1aa853d1b5172902fba67901aa3f00719f3ca5e8c8a57f5819b5797*",".{0,1000}6202bf76f1aa853d1b5172902fba67901aa3f00719f3ca5e8c8a57f5819b5797.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","27807" "*62044b03a7bccb7e8f8f4f691f34838cd1160a643c0bb06ca8489e78d2d65897*",".{0,1000}62044b03a7bccb7e8f8f4f691f34838cd1160a643c0bb06ca8489e78d2d65897.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27808" "*62170484c4d450fa47d86ed8b1dd20659b22cd7bc5a36caab330f244d6ea4d97*",".{0,1000}62170484c4d450fa47d86ed8b1dd20659b22cd7bc5a36caab330f244d6ea4d97.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27816" "*6242bea4f6d634bf9e3b0d336fbae5d993154086040e7633e928a75c4848c761*",".{0,1000}6242bea4f6d634bf9e3b0d336fbae5d993154086040e7633e928a75c4848c761.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27823" "*62440D3B8BE22B9353AC1374CC6ED1FAF4476908FE6D8E9FBD3AA62004EFEF3E*",".{0,1000}62440D3B8BE22B9353AC1374CC6ED1FAF4476908FE6D8E9FBD3AA62004EFEF3E.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","manually compiled","10","10","N/A","N/A","N/A","N/A","27824" "*625ae9460120.ngrok.io*",".{0,1000}625ae9460120\.ngrok\.io.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27826" "*62613da1a6ac28989c8b3a7076bb90af9c9361cacd76c695c381140c1d9182db*",".{0,1000}62613da1a6ac28989c8b3a7076bb90af9c9361cacd76c695c381140c1d9182db.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","27828" 
"*62655adaad7e6118fde3fff73cfc07f73ecd898900b9518c3b7aec5b2ac7623e*",".{0,1000}62655adaad7e6118fde3fff73cfc07f73ecd898900b9518c3b7aec5b2ac7623e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27830" "*626ca456089857683c1ab8a5e3eda282837f7ed466ecf1a3c2cdd30e1b309c35*",".{0,1000}626ca456089857683c1ab8a5e3eda282837f7ed466ecf1a3c2cdd30e1b309c35.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27831" "*626d14d508afc1bcbed6e013d531d64a1c5fac529790857ad2730f6ca864aece*",".{0,1000}626d14d508afc1bcbed6e013d531d64a1c5fac529790857ad2730f6ca864aece.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27832" "*62700c23ce8560628d8eb07ab2adcf863ad901c9f631bb45ed4b4f801f35b2a5*",".{0,1000}62700c23ce8560628d8eb07ab2adcf863ad901c9f631bb45ed4b4f801f35b2a5.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - 
FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","27833" "*62734d219f14a942986e62d6c0fef0c2315bc84acd963430aed788c36e67e1ff*",".{0,1000}62734d219f14a942986e62d6c0fef0c2315bc84acd963430aed788c36e67e1ff.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","27834" "*62786ba330d6b4969906b297fbb26c3f9a9ad36672b4600938d3b607e9b3c980*",".{0,1000}62786ba330d6b4969906b297fbb26c3f9a9ad36672b4600938d3b607e9b3c980.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","27835" "*629d2edde798217cc664abb52610531e8bfd089b54879139c66a148429897e11*",".{0,1000}629d2edde798217cc664abb52610531e8bfd089b54879139c66a148429897e11.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27844" "*62b74a688d22bfdf20f673a351580029d7b9de67c6facc9a5613b22b3f798968*",".{0,1000}62b74a688d22bfdf20f673a351580029d7b9de67c6facc9a5613b22b3f798968.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","27854" "*62ba75131d011310d74fe68be4e8757fb0d8bc373ecbb4112ead7dd031545ef0*",".{0,1000}62ba75131d011310d74fe68be4e8757fb0d8bc373ecbb4112ead7dd031545ef0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27857" "*62d7b075905119d8ab637df0f4348aca30ede58adacfe6d05cd3951db128ba91*",".{0,1000}62d7b075905119d8ab637df0f4348aca30ede58adacfe6d05cd3951db128ba91.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27862" "*62dca9e606b8d8c2a1379e791210dece010cd801912d588dbbf3859d00a821da*",".{0,1000}62dca9e606b8d8c2a1379e791210dece010cd801912d588dbbf3859d00a821da.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27865" 
"*62e55a960987a0eb3501b0e0ee2e764b8ba349da1d3f8f0b8756c8a60a465233*",".{0,1000}62e55a960987a0eb3501b0e0ee2e764b8ba349da1d3f8f0b8756c8a60a465233.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27868" "*62ec1cf50d9485956704274b698e0bfc6cf090650794b8d6cc9a0d7b75638bdf*",".{0,1000}62ec1cf50d9485956704274b698e0bfc6cf090650794b8d6cc9a0d7b75638bdf.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27871" "*62fe7d29d8b013efa5b599313a50713b285473514819ed4b427d910211c53d24*",".{0,1000}62fe7d29d8b013efa5b599313a50713b285473514819ed4b427d910211c53d24.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","27876" 
"*630206b6d7b631b431907ab292ab6576e73bee49a3da3456b9caaf2ab8c027d0*",".{0,1000}630206b6d7b631b431907ab292ab6576e73bee49a3da3456b9caaf2ab8c027d0.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27877" "*63035108f37cc80d6043c1fcac50f8e856791a4fb8bcef0e792d97c88d8e35c5*",".{0,1000}63035108f37cc80d6043c1fcac50f8e856791a4fb8bcef0e792d97c88d8e35c5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27880" "*630e1c6d86454094a675e05ec9b7891452f21129a72a285e57669a4b2ffd4b63*",".{0,1000}630e1c6d86454094a675e05ec9b7891452f21129a72a285e57669a4b2ffd4b63.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27884" "*632e9fb9eca80662e59afecf7eac6fb83026efdfe3f6e7d8ffbb06ca49dce4a7*",".{0,1000}632e9fb9eca80662e59afecf7eac6fb83026efdfe3f6e7d8ffbb06ca49dce4a7.{0,1000}","greyware_tool_keyword","tmate","Instant terminal 
sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","27890" "*633add8af3d5bde70aeb20247a4d5fa4f19a93f12764e216155a94e026937f6d*",".{0,1000}633add8af3d5bde70aeb20247a4d5fa4f19a93f12764e216155a94e026937f6d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","27895" "*635c9083e14310cee41e7f5caaa91249130280aca25911346a82e5edbbbeebf9*",".{0,1000}635c9083e14310cee41e7f5caaa91249130280aca25911346a82e5edbbbeebf9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27902" "*6364d746c3f1f0329fd67cec0f6a1f09ae3e521f3ef37b0ab728009cf55c4a5c*",".{0,1000}6364d746c3f1f0329fd67cec0f6a1f09ae3e521f3ef37b0ab728009cf55c4a5c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27904" 
"*6364d746c3f1f0329fd67cec0f6a1f09ae3e521f3ef37b0ab728009cf55c4a5c*",".{0,1000}6364d746c3f1f0329fd67cec0f6a1f09ae3e521f3ef37b0ab728009cf55c4a5c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27905" "*6387e119ac3d0e3ec269a4f6569372a57f78b0545d5af71a70c42e546b2d6dc0*",".{0,1000}6387e119ac3d0e3ec269a4f6569372a57f78b0545d5af71a70c42e546b2d6dc0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","27912" "*63916d22e904aeae13bc1fb08cc8a6f3f2e165fbf63f348dacdd6acffb780491*",".{0,1000}63916d22e904aeae13bc1fb08cc8a6f3f2e165fbf63f348dacdd6acffb780491.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","27914" 
"*6394fd312c4f2c53185734aa67af7bf30e68a586c58b09c3e72e71dde8919176*",".{0,1000}6394fd312c4f2c53185734aa67af7bf30e68a586c58b09c3e72e71dde8919176.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27915" "*639d2a5d5cab0b60d2f2d22c835f997db1b16cf5ac4a8d88f3c91d43247d359d*",".{0,1000}639d2a5d5cab0b60d2f2d22c835f997db1b16cf5ac4a8d88f3c91d43247d359d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","27917" "*63a5a0894a0b043b9e92dd13a66bf55d3fe793eb261455fbd22c01162243b4c5*",".{0,1000}63a5a0894a0b043b9e92dd13a66bf55d3fe793eb261455fbd22c01162243b4c5.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","27919" "*63ccc3e608d3225793b40e643af2115811668731a2b43cbf5217bfb3d7e01d84*",".{0,1000}63ccc3e608d3225793b40e643af2115811668731a2b43cbf5217bfb3d7e01d84.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel 
solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","27931" "*63d13d53834ea8aa4d461f0bfe32a89c70ec47e239b91f029ed10bd88b8f4b80*",".{0,1000}63d13d53834ea8aa4d461f0bfe32a89c70ec47e239b91f029ed10bd88b8f4b80.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27934" "*63e95d8caa59cde784f3d41b11363ca017dfc5c7612196284310a5d9530e8d8f*",".{0,1000}63e95d8caa59cde784f3d41b11363ca017dfc5c7612196284310a5d9530e8d8f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27939" "*63f982006a02f5dd1b521e16cf203e42bf9a479deab3e89fa88b99e49cb03364*",".{0,1000}63f982006a02f5dd1b521e16cf203e42bf9a479deab3e89fa88b99e49cb03364.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27946" 
"*640ab98dba4d07fc0cfd6ecbab07244bbefb0d69575ce43a14ebb4f589de016b*",".{0,1000}640ab98dba4d07fc0cfd6ecbab07244bbefb0d69575ce43a14ebb4f589de016b.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","27951" "*6410bf4446b371c8cc9dab16e0cdc1d0e5f21cfd3750a3a20f4c07c36befd5bc*",".{0,1000}6410bf4446b371c8cc9dab16e0cdc1d0e5f21cfd3750a3a20f4c07c36befd5bc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","27953" "*6417ce2a5997efaef09522d3a6f961e535857753700b66fdb351c2f8b75cdee5*",".{0,1000}6417ce2a5997efaef09522d3a6f961e535857753700b66fdb351c2f8b75cdee5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27955" "*6419610ef4957f7d62fdd16b22764a68ff694a612449195b932d169f523ffe20*",".{0,1000}6419610ef4957f7d62fdd16b22764a68ff694a612449195b932d169f523ffe20.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in 
golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27958" "*641baf9a4a2bba8174395d76d675682a8d9471ff722d84c1892e9bdd8a03d15d*",".{0,1000}641baf9a4a2bba8174395d76d675682a8d9471ff722d84c1892e9bdd8a03d15d.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","27960" "*642aad896feb5dad407faf2d4c863afcf715eec4f51b21768cd484867c215031*",".{0,1000}642aad896feb5dad407faf2d4c863afcf715eec4f51b21768cd484867c215031.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","27962" "*643433c960c261ea697d35970cbeac38e8a66889cff754a613eeb790368e6f37*",".{0,1000}643433c960c261ea697d35970cbeac38e8a66889cff754a613eeb790368e6f37.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","27963" "*643ea58cd70903f9569918c2ebd1da696b714fb42d98bb4a972f746fc1e586b0*",".{0,1000}643ea58cd70903f9569918c2ebd1da696b714fb42d98bb4a972f746fc1e586b0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of 
ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27968" "*6440ef1a2fab83dfb27e976067134eb5767fbdcf20e7ad73f217b37ce3014eed*",".{0,1000}6440ef1a2fab83dfb27e976067134eb5767fbdcf20e7ad73f217b37ce3014eed.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","27969" "*64601caa675146be542b3e4c658019f9c443c8fa64a898985aa691eab5c5037d*",".{0,1000}64601caa675146be542b3e4c658019f9c443c8fa64a898985aa691eab5c5037d.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","27979" "*6471c5190a99e3d1f337fcfef1fc410e8d487b66e093f924700e186cbd398dc0*",".{0,1000}6471c5190a99e3d1f337fcfef1fc410e8d487b66e093f924700e186cbd398dc0.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - 
T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","#filehash","N/A","6","7","N/A","N/A","N/A","N/A","27982" "*647b01731dc9debad04d365d4157ef666ca9804e73bec5438463f638fb71351b*",".{0,1000}647b01731dc9debad04d365d4157ef666ca9804e73bec5438463f638fb71351b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27984" "*6486fce494f85803b4abd3c18cadd14aa65cda411ed3511a598a7628ef2fd1de*",".{0,1000}6486fce494f85803b4abd3c18cadd14aa65cda411ed3511a598a7628ef2fd1de.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","27988" "*648eaadf2d81af9ea6792d48740aa3ef4787303f95a0e2abaf23b87b13758eb7*",".{0,1000}648eaadf2d81af9ea6792d48740aa3ef4787303f95a0e2abaf23b87b13758eb7.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","27990" "*6493890ba8faaac76aa5e27f95f9c69774e6ce89d7c2849e1532d950de5cad60*",".{0,1000}6493890ba8faaac76aa5e27f95f9c69774e6ce89d7c2849e1532d950de5cad60.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27991" "*6498c00b9c204284606c7dabe24845409c7d90e923cfb03731abe9813160339d*",".{0,1000}6498c00b9c204284606c7dabe24845409c7d90e923cfb03731abe9813160339d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","27993" "*64b63a013561fd18af1e1ae42b5ba720223203730b4bf580b3f8814cda31fc1c*",".{0,1000}64b63a013561fd18af1e1ae42b5ba720223203730b4bf580b3f8814cda31fc1c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28000" "*64d07dc9f31487e91ebb3b16d1fbecc8c49e71c80e2fb89679e53ff194af7ac5*",".{0,1000}64d07dc9f31487e91ebb3b16d1fbecc8c49e71c80e2fb89679e53ff194af7ac5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28006" 
"*64d74833b7399d52cd90584314ceb3a59049d93a25a3743602224888fc39aaaf*",".{0,1000}64d74833b7399d52cd90584314ceb3a59049d93a25a3743602224888fc39aaaf.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28010" "*6510e91b5511a68222bade46531b5d70850559b7da4dadd2fb187015cc811efa*",".{0,1000}6510e91b5511a68222bade46531b5d70850559b7da4dadd2fb187015cc811efa.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","28024" "*6510fdf42becdab665232ef6393e40a559dd2b3b2b7927333c9f30a62bf7de3f*",".{0,1000}6510fdf42becdab665232ef6393e40a559dd2b3b2b7927333c9f30a62bf7de3f.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","0","#filehash","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","28025" "*651574316f30fcb27c5730435566812d3bdd67c5615c56473ae2ed1e22adabe2*",".{0,1000}651574316f30fcb27c5730435566812d3bdd67c5615c56473ae2ed1e22adabe2.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","28029" 
"*651caf1b8d81a445db65551955dda4aa7df88a0013a81fda506bdfcfe05611b0*",".{0,1000}651caf1b8d81a445db65551955dda4aa7df88a0013a81fda506bdfcfe05611b0.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#filehash","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","28031" "*65673e9110f58e5f801f6c7256cb09307466f22e94645b0de36f510141d02be8*",".{0,1000}65673e9110f58e5f801f6c7256cb09307466f22e94645b0de36f510141d02be8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28046" "*6571057d649cfccb2d84577c32a83ad5d4f5fac298e72f08a6974cf4a620c7ec*",".{0,1000}6571057d649cfccb2d84577c32a83ad5d4f5fac298e72f08a6974cf4a620c7ec.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","28050" 
"*657337a33b59dcee4cabdbcbb254ed988755adc36a8714539e76f838a88a0345*",".{0,1000}657337a33b59dcee4cabdbcbb254ed988755adc36a8714539e76f838a88a0345.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28051" "*65786b035dc5483efb08c767e482a57c2edb8993d11b2bf0d7b0ee68f3d23168*",".{0,1000}65786b035dc5483efb08c767e482a57c2edb8993d11b2bf0d7b0ee68f3d23168.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28053" "*658e2b74ab4ed141f1c0794f03e95efe8dc718bffaad44267d290987fc4ecd2c*",".{0,1000}658e2b74ab4ed141f1c0794f03e95efe8dc718bffaad44267d290987fc4ecd2c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28064" "*65a291b3d4e59783d3055262819f8aba9cada498e60b578dfe7321be68d45b10*",".{0,1000}65a291b3d4e59783d3055262819f8aba9cada498e60b578dfe7321be68d45b10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28066" "*65b130644bca2559f84fca5bb2bc22a1ae7d889f01e8905f9799763720fccdb6*",".{0,1000}65b130644bca2559f84fca5bb2bc22a1ae7d889f01e8905f9799763720fccdb6.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","28069" 
"*65b36a7d2b547af519016a6c77eb8870a629ffe740d05bb188817460d34ccae5*",".{0,1000}65b36a7d2b547af519016a6c77eb8870a629ffe740d05bb188817460d34ccae5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28070" "*65f081caa613ba53342c9c3dd7188f22552b83c9e8ac73f740321f99f6a9fe5b*",".{0,1000}65f081caa613ba53342c9c3dd7188f22552b83c9e8ac73f740321f99f6a9fe5b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28092" "*65fb7e17d5786676540f52657cbbb54407ded73b48787d5946f140120db898f0*",".{0,1000}65fb7e17d5786676540f52657cbbb54407ded73b48787d5946f140120db898f0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28094" "*66092d1e08e55e35b60dc348f2f59d69c0768a09ce411a50fc0d161bfab3303d*",".{0,1000}66092d1e08e55e35b60dc348f2f59d69c0768a09ce411a50fc0d161bfab3303d.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","28097" "*661ff1a84f0413f062b672be7ffccad36357290c76646715887689e3524e2b48*",".{0,1000}661ff1a84f0413f062b672be7ffccad36357290c76646715887689e3524e2b48.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28098" "*6626d67f60eb1fae7cf36b9c6c250e38810fd27878beb6350fadd09bc7110835*",".{0,1000}6626d67f60eb1fae7cf36b9c6c250e38810fd27878beb6350fadd09bc7110835.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28099" 
"*662aa3c30a3486158b79373f1ab537139a069778519e8e42455e846ff4bab1f8*",".{0,1000}662aa3c30a3486158b79373f1ab537139a069778519e8e42455e846ff4bab1f8.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28100" "*662d62af7744b9b639b3473bbdd2c4c70dfa5ac5fe1d058d13ce3cc7ea059500*",".{0,1000}662d62af7744b9b639b3473bbdd2c4c70dfa5ac5fe1d058d13ce3cc7ea059500.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28101" "*662d9dd3a88b004a8eb3e5944457a1661ec7a28dd4695d6f96fbcbf095ba057a*",".{0,1000}662d9dd3a88b004a8eb3e5944457a1661ec7a28dd4695d6f96fbcbf095ba057a.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","28102" "*662f875055d740d98e0047adeb2b632b85cafffa2129c1635c5312217ca978f3*",".{0,1000}662f875055d740d98e0047adeb2b632b85cafffa2129c1635c5312217ca978f3.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","28103" 
"*66378582dd58282341dc79f206813fbcfc215a21c0236ae5d162d08503ade743*",".{0,1000}66378582dd58282341dc79f206813fbcfc215a21c0236ae5d162d08503ade743.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28105" "*664c2927a15fcf39f6a87c135100c45d021ddbdb6277820507f92590458c3ac4*",".{0,1000}664c2927a15fcf39f6a87c135100c45d021ddbdb6277820507f92590458c3ac4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28110" "*665419215556b97d2ebc89e3b1df2222d848259ae005d0579b1311a93d224fa4*",".{0,1000}665419215556b97d2ebc89e3b1df2222d848259ae005d0579b1311a93d224fa4.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - 
T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28114" "*666e400ed79f20f4f846cfe6bbcf9fb90fbff447695d217731ed5f830afb2f3f*",".{0,1000}666e400ed79f20f4f846cfe6bbcf9fb90fbff447695d217731ed5f830afb2f3f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28118" "*6675d7eb9dde349a58343e5a155e9f530eca6b6afd47280f331eeb0523421118*",".{0,1000}6675d7eb9dde349a58343e5a155e9f530eca6b6afd47280f331eeb0523421118.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","28119" "*6678de2dac73cd8adb8e56721871afdee864f06aaf43fb1f854ea793148defd4*",".{0,1000}6678de2dac73cd8adb8e56721871afdee864f06aaf43fb1f854ea793148defd4.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28120" 
"*6680fa302838dad7262ebe0dc33c2f954d74552021062e3dc1f20993038e54bc*",".{0,1000}6680fa302838dad7262ebe0dc33c2f954d74552021062e3dc1f20993038e54bc.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28122" "*6681551b9bb7311625be8f3a269c183b600e13966787a8b11a8f9e8595a3d66b*",".{0,1000}6681551b9bb7311625be8f3a269c183b600e13966787a8b11a8f9e8595a3d66b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28123" "*66911ebca32cf181fc029455979e0be46b057cc0f7516c4cbabbf4fd6a5578f8*",".{0,1000}66911ebca32cf181fc029455979e0be46b057cc0f7516c4cbabbf4fd6a5578f8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28127" 
"*669d5f76c3456565a231a907aee6c2887a8835638a023cbded6c7bdaa306fbe5*",".{0,1000}669d5f76c3456565a231a907aee6c2887a8835638a023cbded6c7bdaa306fbe5.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28132" "*66a2764e71b7eed7243032dd66476e7aa59d9f4667005d8a4190197667fee9b5*",".{0,1000}66a2764e71b7eed7243032dd66476e7aa59d9f4667005d8a4190197667fee9b5.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28133" "*66ae97d291d0e2d0dae8a8642fb8d2872a6dd0183aff325b7eaedcc911284741*",".{0,1000}66ae97d291d0e2d0dae8a8642fb8d2872a6dd0183aff325b7eaedcc911284741.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","28136" "*66b52ee470feb8f6d2e6bc138a82d0db8aa59511b3c9f6d44300250ed7273ebc*",".{0,1000}66b52ee470feb8f6d2e6bc138a82d0db8aa59511b3c9f6d44300250ed7273ebc.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","28137" "*66ca083757fb22198309b73879831ed2b42309892394bf193ff95c75dff69c73*",".{0,1000}66ca083757fb22198309b73879831ed2b42309892394bf193ff95c75dff69c73.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28142" "*66cb20febb3ce35cfd4bd1320e7abd087c6b23aa457f6e350a8b05fddecc641f*",".{0,1000}66cb20febb3ce35cfd4bd1320e7abd087c6b23aa457f6e350a8b05fddecc641f.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","28143" "*66cf5a1681259b3e801b8effceaa210e4c66eba58c9ab260ddc7463474c637e6*",".{0,1000}66cf5a1681259b3e801b8effceaa210e4c66eba58c9ab260ddc7463474c637e6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28145" 
"*66eda7f0e6f85ede326a715db2d5796a163595fdcf8f8c5240b2cfe509ef738e*",".{0,1000}66eda7f0e6f85ede326a715db2d5796a163595fdcf8f8c5240b2cfe509ef738e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28151" "*66ee25c76d430eea6f787983fe0e79368304ddc69494a4876b012bc3932b1db3*",".{0,1000}66ee25c76d430eea6f787983fe0e79368304ddc69494a4876b012bc3932b1db3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28152" "*66fc8fa5564448729b569b843c158d933d8774666651f98cfbd757ea9d721d94*",".{0,1000}66fc8fa5564448729b569b843c158d933d8774666651f98cfbd757ea9d721d94.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28154" "*67003a49d703431238d30117af78874ef72453ba883cc8d2f03e1a4227da54f9*",".{0,1000}67003a49d703431238d30117af78874ef72453ba883cc8d2f03e1a4227da54f9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28156" "*670e18960efd34bae9d1a0152a54f16ba0c6b8fad728d7ff4ea8b141ef1ed93d*",".{0,1000}670e18960efd34bae9d1a0152a54f16ba0c6b8fad728d7ff4ea8b141ef1ed93d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28159" "*671e11ba1db069358185dff58705ad2d6b244f16026541e48443fe4d5f3be747*",".{0,1000}671e11ba1db069358185dff58705ad2d6b244f16026541e48443fe4d5f3be747.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28160" 
"*671eaebafae768f136c85087dca3ecc2068283e611f62345d152d843cfcf02ea*",".{0,1000}671eaebafae768f136c85087dca3ecc2068283e611f62345d152d843cfcf02ea.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","28161" "*671ebf4a6d78b932d9544bb7c6469d0e08bd6124462f5b94d90597b82c5579b5*",".{0,1000}671ebf4a6d78b932d9544bb7c6469d0e08bd6124462f5b94d90597b82c5579b5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28162" "*67392f0cdf1ea5443b9f625eff4eb55e3630fec77b16e35b01c5b2214023f331*",".{0,1000}67392f0cdf1ea5443b9f625eff4eb55e3630fec77b16e35b01c5b2214023f331.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28164" "*673bf02f5e5f536474cb96c78ea2da5f992ffa8d9b98021f7f569c185305cad1*",".{0,1000}673bf02f5e5f536474cb96c78ea2da5f992ffa8d9b98021f7f569c185305cad1.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28165" 
"*673de62a71e95d4b855f3a8c616edbe2b51f066625cdef9924c76a1f021a660c*",".{0,1000}673de62a71e95d4b855f3a8c616edbe2b51f066625cdef9924c76a1f021a660c.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","28166" "*67402a451ff767c1045a79d5ee001f255f9b5898c67f76cd021c586e0998c0dd*",".{0,1000}67402a451ff767c1045a79d5ee001f255f9b5898c67f76cd021c586e0998c0dd.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28167" "*67565a74ae8ccdcf388bf100bc96712ff579a4774e6a8feeaeb6357b8335277d*",".{0,1000}67565a74ae8ccdcf388bf100bc96712ff579a4774e6a8feeaeb6357b8335277d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28175" "*6765fae1d6833ddd5f57815c1925ee564b4ac3ced93a6bde383ad843d2e94000*",".{0,1000}6765fae1d6833ddd5f57815c1925ee564b4ac3ced93a6bde383ad843d2e94000.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28180" "*6794102a7b3d61dd4344b555ab684f4140d40da9ec0da36b03cd397f1987bb61*",".{0,1000}6794102a7b3d61dd4344b555ab684f4140d40da9ec0da36b03cd397f1987bb61.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","28192" "*680085ce3348940cb67940e3ca7da4ae409ab3169c99592052760ffaf374f9a0*",".{0,1000}680085ce3348940cb67940e3ca7da4ae409ab3169c99592052760ffaf374f9a0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28211" "*681f20b796bc6b59048b2eecf7a05884cfb1ea2464a14364f0769a10077bfb5b*",".{0,1000}681f20b796bc6b59048b2eecf7a05884cfb1ea2464a14364f0769a10077bfb5b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28215" 
"*68200563fb40d6ba3b6f744c919867bfc6fd6106b6317e55853d37f797b783b5*",".{0,1000}68200563fb40d6ba3b6f744c919867bfc6fd6106b6317e55853d37f797b783b5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28216" "*68248a96b04afe29d0e807c5c5adcf05c9c86a699080cbd69de2bef1e2d94140*",".{0,1000}68248a96b04afe29d0e807c5c5adcf05c9c86a699080cbd69de2bef1e2d94140.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28219" "*68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309*",".{0,1000}68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","28220" "*683b19a505756b7dc99eca09caf00cd546d474405f08151daef687c890919027*",".{0,1000}683b19a505756b7dc99eca09caf00cd546d474405f08151daef687c890919027.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28221" "*6844205e2b4a41577969581d5447a6d0661cf885daacf50092c777ff4f85328b*",".{0,1000}6844205e2b4a41577969581d5447a6d0661cf885daacf50092c777ff4f85328b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28224" "*68664083956f7abff8fa9b471ae0f8ff2a5ae540ae292c3ff780411c0f8cc072*",".{0,1000}68664083956f7abff8fa9b471ae0f8ff2a5ae540ae292c3ff780411c0f8cc072.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28229" "*68715639afd1f47089068f9de486068471fce5fca4a07aef888f960b73b09d56*",".{0,1000}68715639afd1f47089068f9de486068471fce5fca4a07aef888f960b73b09d56.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28232" "*687a576ce0781327c1b94663364685e9d59f28359e3d6a60b2ed59cfccdf9c3e*",".{0,1000}687a576ce0781327c1b94663364685e9d59f28359e3d6a60b2ed59cfccdf9c3e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 
- T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28233" "*6880a6b34d856513873c439fc59d8c51c392fe360d5e69577d4e707d6ef77c02*",".{0,1000}6880a6b34d856513873c439fc59d8c51c392fe360d5e69577d4e707d6ef77c02.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28234" "*689798d97c80041b0d42e4db12ba8d85b30889fccca42e92faed8d5151ffc91d*",".{0,1000}689798d97c80041b0d42e4db12ba8d85b30889fccca42e92faed8d5151ffc91d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28239" "*68a061deb112b2c02ba5f146b2dfc13ac8eafea91f15cb7f0f760bad4cc0c560*",".{0,1000}68a061deb112b2c02ba5f146b2dfc13ac8eafea91f15cb7f0f760bad4cc0c560.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","28240" 
"*68b1bf3e1cd96f1ac58a0a90b888a2f483b6996bc46d61dd4ae630f23dab93a1*",".{0,1000}68b1bf3e1cd96f1ac58a0a90b888a2f483b6996bc46d61dd4ae630f23dab93a1.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28243" "*68b38ba64f0639f6c5b7c95e2d19676574cf9cfb2034748c46d89811546f3d88*",".{0,1000}68b38ba64f0639f6c5b7c95e2d19676574cf9cfb2034748c46d89811546f3d88.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28244" "*68b38ba64f0639f6c5b7c95e2d19676574cf9cfb2034748c46d89811546f3d88*",".{0,1000}68b38ba64f0639f6c5b7c95e2d19676574cf9cfb2034748c46d89811546f3d88.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28245" "*68bc7bb6b8359d8e92afce33991d3f3a4f13f91420a30927a3246e7ee47958b8*",".{0,1000}68bc7bb6b8359d8e92afce33991d3f3a4f13f91420a30927a3246e7ee47958b8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - 
Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28246" "*68c3320fc6aac048a90bbbbe7e066df33a9ad43831fe27101130627e1180565d*",".{0,1000}68c3320fc6aac048a90bbbbe7e066df33a9ad43831fe27101130627e1180565d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28247" "*68d84e43220ca8a2245f37422e8499710529197cfa599ee2174049c83fd68898*",".{0,1000}68d84e43220ca8a2245f37422e8499710529197cfa599ee2174049c83fd68898.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28251" "*68e83d6ded3dfefa7e7da34e9089e61b1c0930a7c9dfb5c57b6be0ed9e37f2cf*",".{0,1000}68e83d6ded3dfefa7e7da34e9089e61b1c0930a7c9dfb5c57b6be0ed9e37f2cf.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","28258" "*690c56c5ebd58d596632a4ff28596df8aa478309fc979b9eb8b07fb89db4d944*",".{0,1000}690c56c5ebd58d596632a4ff28596df8aa478309fc979b9eb8b07fb89db4d944.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - 
TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28266" "*690f31d0d8f473ae1f71a7fbce1e7943d601f6adf2065d22d44162266c88f546*",".{0,1000}690f31d0d8f473ae1f71a7fbce1e7943d601f6adf2065d22d44162266c88f546.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","28268" "*69163ce90631331f5df44f08f2cc5a32f851eea7dd25af4e881a4ab1e8de83c4*",".{0,1000}69163ce90631331f5df44f08f2cc5a32f851eea7dd25af4e881a4ab1e8de83c4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28269" "*691d5d6406e5a2eb28bac68053fde03bbb4c749647f0ea54f7f5b2b173ef2ae3*",".{0,1000}691d5d6406e5a2eb28bac68053fde03bbb4c749647f0ea54f7f5b2b173ef2ae3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28270" "*692af170382b823e32c575826762a222de1d34bf355f99858a80d8077c46bb86*",".{0,1000}692af170382b823e32c575826762a222de1d34bf355f99858a80d8077c46bb86.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28274" "*692e70ade358ad4fe19f0cd5fbaf21c3830d0f23c3d4e491a043f6cbc1b5cf59*",".{0,1000}692e70ade358ad4fe19f0cd5fbaf21c3830d0f23c3d4e491a043f6cbc1b5cf59.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28275" "*6932ff5ad4b81f5a8b7a04b58353d07e65be9ae7502922befee48a9b7056c8c8*",".{0,1000}6932ff5ad4b81f5a8b7a04b58353d07e65be9ae7502922befee48a9b7056c8c8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for 
syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28276" "*693475b69741d88b18afca69ab81daa69d5b7fe8f5f6849f69676b62c3379af5*",".{0,1000}693475b69741d88b18afca69ab81daa69d5b7fe8f5f6849f69676b62c3379af5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28277" "*6936a522d7d0afd5955bc461cdc63d228aaf33d6cbeb7096e26d7ee90010d954*",".{0,1000}6936a522d7d0afd5955bc461cdc63d228aaf33d6cbeb7096e26d7ee90010d954.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28278" "*694dc37c05dd6b897373b036c3c6f6845b6f962baffcaf20165822cf724fc4de*",".{0,1000}694dc37c05dd6b897373b036c3c6f6845b6f962baffcaf20165822cf724fc4de.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28282" "*695626bd1c10bf40379744a91ceefd71c27261b26b959d87de5c2ec74bced1a4*",".{0,1000}695626bd1c10bf40379744a91ceefd71c27261b26b959d87de5c2ec74bced1a4.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","28286" "*6959843cd7199564fcca1fd32d727e25468d8d71a9526ebff9cbf0dd3a7cfedf*",".{0,1000}6959843cd7199564fcca1fd32d727e25468d8d71a9526ebff9cbf0dd3a7cfedf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28287" "*695cc49fc317d1c8180653884dd700bcb917ff4c881c66492f2eb62fabbaa37b*",".{0,1000}695cc49fc317d1c8180653884dd700bcb917ff4c881c66492f2eb62fabbaa37b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28288" "*696fa827e966020026d3d380e63529eb5075a608332788bffd1ca2aadb94062e*",".{0,1000}696fa827e966020026d3d380e63529eb5075a608332788bffd1ca2aadb94062e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28292" "*69717f46c90721f550e466c0bd7708bfbc004749d49a784a7ae73cc11cd272e0*",".{0,1000}69717f46c90721f550e466c0bd7708bfbc004749d49a784a7ae73cc11cd272e0.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","28293" "*69840aa0cd9ecadd2cf19e7a52f429e46df6d2945022a0ed0186343d10706094*",".{0,1000}69840aa0cd9ecadd2cf19e7a52f429e46df6d2945022a0ed0186343d10706094.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28299" "*6988f41ce97bebcfae509ed20ba95dc1a7148dcafdfb7c58452088d6d6d74df4*",".{0,1000}6988f41ce97bebcfae509ed20ba95dc1a7148dcafdfb7c58452088d6d6d74df4.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28301" "*698f1224df6146dd25de72204b2d5937b260abdf61496b90337926c78b92d29b*",".{0,1000}698f1224df6146dd25de72204b2d5937b260abdf61496b90337926c78b92d29b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28302" "*6991cdf954dc1232832440f0578fd68fc06ebe86ce2a565cda8004de23c269d4*",".{0,1000}6991cdf954dc1232832440f0578fd68fc06ebe86ce2a565cda8004de23c269d4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti 
- Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28304" "*6999c0176530816b444a27fb92404efa57068e5ab5fce5ea3334cedcfd461211*",".{0,1000}6999c0176530816b444a27fb92404efa57068e5ab5fce5ea3334cedcfd461211.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28309" "*699c657acc47997abe868108294ab6625eae117242db51d6db5a715606a3e56e*",".{0,1000}699c657acc47997abe868108294ab6625eae117242db51d6db5a715606a3e56e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","28310" "*699ce703e508d2d05acfcc4317816741e2a393c8a3d7bdc0aa93c85f98dd6972*",".{0,1000}699ce703e508d2d05acfcc4317816741e2a393c8a3d7bdc0aa93c85f98dd6972.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - 
BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28311" "*69b21d5a3d2bcc2b2b075d275a38f551997c45f28c9504995ede406aa101bead*",".{0,1000}69b21d5a3d2bcc2b2b075d275a38f551997c45f28c9504995ede406aa101bead.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28316" "*69bc5a68959f7b47ac43810dbe782723eca56101d4bb60533a78530ac1ba23b1*",".{0,1000}69bc5a68959f7b47ac43810dbe782723eca56101d4bb60533a78530ac1ba23b1.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","#filehash","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","28318" "*69c08bae93e16aaf57debbe2b10df6824f5dfef32ce21b5d57d750b0698999ee*",".{0,1000}69c08bae93e16aaf57debbe2b10df6824f5dfef32ce21b5d57d750b0698999ee.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28319" "*69c2084081bcd8ea91474bc4292863af35bdafa0b3e3b585195bdb0e0523a419*",".{0,1000}69c2084081bcd8ea91474bc4292863af35bdafa0b3e3b585195bdb0e0523a419.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#filehash","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","28320" "*69cbed2ab8028723ed6b37d9680f9ac58e4cad8cefaa3d9215eb091462a03001*",".{0,1000}69cbed2ab8028723ed6b37d9680f9ac58e4cad8cefaa3d9215eb091462a03001.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28323" "*69d3a5d9b30baf4ed4b24c664eb1e787647acc8e9d631f2498e934c9431c829e*",".{0,1000}69d3a5d9b30baf4ed4b24c664eb1e787647acc8e9d631f2498e934c9431c829e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28325" 
"*69ea24257c033294c33d7bb036d7ea550a75d00c2313c6d4ef25126b67d7a574*",".{0,1000}69ea24257c033294c33d7bb036d7ea550a75d00c2313c6d4ef25126b67d7a574.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28330" "*69fd60793b4333e2c0fd80f36d293b6eea6cd3b8f3761b65b7074ef1d812fab9*",".{0,1000}69fd60793b4333e2c0fd80f36d293b6eea6cd3b8f3761b65b7074ef1d812fab9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28333" "*6a08db58b1d1cb9244a48feeaaefc6097dd8a0fabbab0f51a83ecc2b2bfdd36d*",".{0,1000}6a08db58b1d1cb9244a48feeaaefc6097dd8a0fabbab0f51a83ecc2b2bfdd36d.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28337" "*6a15569e7313b2e1ada69fa8b3ad6f7ed12934ad8b6c9991c4364d0088b74adf*",".{0,1000}6a15569e7313b2e1ada69fa8b3ad6f7ed12934ad8b6c9991c4364d0088b74adf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC 
Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28340" "*6a1810c50df3afd5f476e04c19b361c5802b890f1c06cea39d4c573abf3eaf16*",".{0,1000}6a1810c50df3afd5f476e04c19b361c5802b890f1c06cea39d4c573abf3eaf16.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28341" "*6a23cc94b17569d60f0fb9f3fb1fac721c5763d85931b399afcc45540b8a1f75*",".{0,1000}6a23cc94b17569d60f0fb9f3fb1fac721c5763d85931b399afcc45540b8a1f75.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","28346" "*6a3e20b001ab57b066a52394ba2d992ae6d93b22260b0969307966fad6214692*",".{0,1000}6a3e20b001ab57b066a52394ba2d992ae6d93b22260b0969307966fad6214692.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28352" 
"*6a40ebd2f3e3f2bfd8836b27c7d6db08cabb84e43845cee5c48d61e7daf98c8e*",".{0,1000}6a40ebd2f3e3f2bfd8836b27c7d6db08cabb84e43845cee5c48d61e7daf98c8e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28354" "*6a43c893da2a0f2fa6dcbec833f34290385c9ec44f06a358fadaad4677c9ae76*",".{0,1000}6a43c893da2a0f2fa6dcbec833f34290385c9ec44f06a358fadaad4677c9ae76.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28357" "*6a5ef3f47ea5813d221d0b2742ba2dd7c05c4ad02fec93fe93ec91a030e643fc*",".{0,1000}6a5ef3f47ea5813d221d0b2742ba2dd7c05c4ad02fec93fe93ec91a030e643fc.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","28366" 
"*6a713689f4bbbdd3d72bfc4e3afb69034e0def7a2ff0e2f68869a422532b80cd*",".{0,1000}6a713689f4bbbdd3d72bfc4e3afb69034e0def7a2ff0e2f68869a422532b80cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28367" "*6a794fbb4e3db6e878ee213bfa6b5307136c074fd2214ca242c6ec4609f59785*",".{0,1000}6a794fbb4e3db6e878ee213bfa6b5307136c074fd2214ca242c6ec4609f59785.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28368" "*6a842f64b5e04384ef3a1cb19797f2aa714ab44b3320f132529c60f4aafc6d75*",".{0,1000}6a842f64b5e04384ef3a1cb19797f2aa714ab44b3320f132529c60f4aafc6d75.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","28371" "*6a986a22cb9ff63cf0f9c7ac240eada15806a6b1bc86c61242ccb73d8a24ac23*",".{0,1000}6a986a22cb9ff63cf0f9c7ac240eada15806a6b1bc86c61242ccb73d8a24ac23.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel 
written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28375" "*6ab324b655ea1c39c3c8fb5709f322f0c468a203411fbbcb460b36ee0fc1d835*",".{0,1000}6ab324b655ea1c39c3c8fb5709f322f0c468a203411fbbcb460b36ee0fc1d835.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","28383" "*6abb1bc9f730937c6bb77f096087aed70599b3e708fe645dbcf8dfe6240d005d*",".{0,1000}6abb1bc9f730937c6bb77f096087aed70599b3e708fe645dbcf8dfe6240d005d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","28386" "*6abdb7353ae5562e16d28e1da142f5f97bd51964359901aafd694b4638f85739*",".{0,1000}6abdb7353ae5562e16d28e1da142f5f97bd51964359901aafd694b4638f85739.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28387" "*6abfc342f0a659066c8b42999510ccc3592b499569c2e7af37470a445a2e3560*",".{0,1000}6abfc342f0a659066c8b42999510ccc3592b499569c2e7af37470a445a2e3560.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 
- T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","#filehash","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","28388" "*6add94e2916fd776bc2fd62a01fa6fd282f040e2f05ba42962e823eac821ae81*",".{0,1000}6add94e2916fd776bc2fd62a01fa6fd282f040e2f05ba42962e823eac821ae81.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28393" "*6b26959b03bef47449a97288ed0ca0e136d6308affa626496c9a04d9b7632a03*",".{0,1000}6b26959b03bef47449a97288ed0ca0e136d6308affa626496c9a04d9b7632a03.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28400" "*6b2bc6c1948e0462eabd40d92b7201d44648655679fde260454ce7f970d78b23*",".{0,1000}6b2bc6c1948e0462eabd40d92b7201d44648655679fde260454ce7f970d78b23.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - 
T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28401" "*6b2fc43f794182788aaa8dae50f1f731c33c5126558e621d693c18455aae92cc*",".{0,1000}6b2fc43f794182788aaa8dae50f1f731c33c5126558e621d693c18455aae92cc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28403" "*6b381ea3ed5d0925032ff8d98fe5c443668699983ba7e7b20fddd2b34b5796f0*",".{0,1000}6b381ea3ed5d0925032ff8d98fe5c443668699983ba7e7b20fddd2b34b5796f0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28406" "*6b5f393778459329dbdc69151a3492bb3f18b798bc6e9a7707219923b2a0aab9*",".{0,1000}6b5f393778459329dbdc69151a3492bb3f18b798bc6e9a7707219923b2a0aab9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28415" "*6b994027ecb764471cdcf3d547532203e4fcbe55fd68ad04a5f9881b56fce399*",".{0,1000}6b994027ecb764471cdcf3d547532203e4fcbe55fd68ad04a5f9881b56fce399.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28428" "*6ba81dd21c13ae539695ecb47a9e7211f892edb6ecf6803324d89bfa07773cdc*",".{0,1000}6ba81dd21c13ae539695ecb47a9e7211f892edb6ecf6803324d89bfa07773cdc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28431" "*6badff5495258b349559b9d2154ffcc7a435828dd57c4caf1c79f5d0ff9eb675*",".{0,1000}6badff5495258b349559b9d2154ffcc7a435828dd57c4caf1c79f5d0ff9eb675.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","28434" "*6be7a09e3e3bc55af0ee9f00ea17fafdd8a38541ef2de21b8e804729b41af298*",".{0,1000}6be7a09e3e3bc55af0ee9f00ea17fafdd8a38541ef2de21b8e804729b41af298.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - 
Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28438" "*6bef9db4560b6c7da2def271f7bc5bf6988fafa3e654f8a2bfb589fd7d79b2db*",".{0,1000}6bef9db4560b6c7da2def271f7bc5bf6988fafa3e654f8a2bfb589fd7d79b2db.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28440" "*6bf00733754b7a92e21c9851e591ad198bd08fbb4b0274954efce59e3898f545*",".{0,1000}6bf00733754b7a92e21c9851e591ad198bd08fbb4b0274954efce59e3898f545.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28441" "*6bf2e2c83556bad748940200d1ab7e6d10906a50062a0e5ac6ffe779b4449428*",".{0,1000}6bf2e2c83556bad748940200d1ab7e6d10906a50062a0e5ac6ffe779b4449428.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","28443" "*6c012bd2385804dd6dddcbf9a0a9977cdd8662f977c7b3afa6afa3eb96bc66df*",".{0,1000}6c012bd2385804dd6dddcbf9a0a9977cdd8662f977c7b3afa6afa3eb96bc66df.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28446" "*6c20c6297aa22f6d3dcc00987a03ee30d2aff9051ba85832a6e20c3780bc599d*",".{0,1000}6c20c6297aa22f6d3dcc00987a03ee30d2aff9051ba85832a6e20c3780bc599d.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28458" "*6c23f9dc5552c6286c852faa91236587470efaf28af92c5b4742feac70ffed6b*",".{0,1000}6c23f9dc5552c6286c852faa91236587470efaf28af92c5b4742feac70ffed6b.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - 
TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","28459" "*6c2523493b48a91d2e484224c86431fddbbfb549d242a52182282ef8077341ae*",".{0,1000}6c2523493b48a91d2e484224c86431fddbbfb549d242a52182282ef8077341ae.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28460" "*6c37088f89695e0195fa333f92d2c4a4f8aaf5897f7cb1089ec23c144dba65bd*",".{0,1000}6c37088f89695e0195fa333f92d2c4a4f8aaf5897f7cb1089ec23c144dba65bd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28462" "*6c3dc714596f1b78c4921bb8b25f073bdc95a8bca363f070b4e5e34c4b2a34ac*",".{0,1000}6c3dc714596f1b78c4921bb8b25f073bdc95a8bca363f070b4e5e34c4b2a34ac.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","28465" "*6c3f5fc8aabdf36a901687fd30bb315b0d1e30f6a435e0f55f18bd397b44363e*",".{0,1000}6c3f5fc8aabdf36a901687fd30bb315b0d1e30f6a435e0f55f18bd397b44363e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28466" "*6c40ba5215fcdfbe5dabad38ef1202a1a95b5f31663f695bf404e8075674723e*",".{0,1000}6c40ba5215fcdfbe5dabad38ef1202a1a95b5f31663f695bf404e8075674723e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","28467" "*6c45f1e711a40bdfded509788ac79aae184658c4615fe2292408a222b656a014*",".{0,1000}6c45f1e711a40bdfded509788ac79aae184658c4615fe2292408a222b656a014.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28471" "*6c4a877eb0a3bc495d7490c2f218678005a10cd6e978a92c497791b980ca8567*",".{0,1000}6c4a877eb0a3bc495d7490c2f218678005a10cd6e978a92c497791b980ca8567.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","28473" "*6c511d6c053f8958c718d4374289b25457d4d426c0215c5eba3616f77c6f65bb*",".{0,1000}6c511d6c053f8958c718d4374289b25457d4d426c0215c5eba3616f77c6f65bb.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28476" "*6c514ecc4155806aef7eb0a913cf4a88214e20bdd69694ad9ac5c565d588dea9*",".{0,1000}6c514ecc4155806aef7eb0a913cf4a88214e20bdd69694ad9ac5c565d588dea9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28477" "*6c54695604de672882374e97f2f5730abf6ee122357f087f5ddf6902a5faa7d0*",".{0,1000}6c54695604de672882374e97f2f5730abf6ee122357f087f5ddf6902a5faa7d0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28478" "*6c5749d0e5a2e5fece9a4fd75b61714a733f29479f46978be313f4eefe28c749*",".{0,1000}6c5749d0e5a2e5fece9a4fd75b61714a733f29479f46978be313f4eefe28c749.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28479" "*6c8386af326a7123f12bff56f737a825e52564e9f142862cbd88653fc5b841b7*",".{0,1000}6c8386af326a7123f12bff56f737a825e52564e9f142862cbd88653fc5b841b7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28488" 
"*6c8676dc56e3d2e26358b5bae616ab3ec95e26181cd9b8692e101dcc0fc966a1*",".{0,1000}6c8676dc56e3d2e26358b5bae616ab3ec95e26181cd9b8692e101dcc0fc966a1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28489" "*6c8aefae3e5ece28c1e182ffec2c00baf2faa7ca61c426b1db6275b03524dc8d*",".{0,1000}6c8aefae3e5ece28c1e182ffec2c00baf2faa7ca61c426b1db6275b03524dc8d.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","28491" "*6c9628cb8382894dc0a928df8fcea9dad9cb763ff161e31f94f816443c7419e0*",".{0,1000}6c9628cb8382894dc0a928df8fcea9dad9cb763ff161e31f94f816443c7419e0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28493" 
"*6c96dc136639c1bad445138519d0a4737d36195a32d7b36048b4778b0b9a69eb*",".{0,1000}6c96dc136639c1bad445138519d0a4737d36195a32d7b36048b4778b0b9a69eb.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","28494" "*6c9c712e0274ee0e79c0b61f59b8bab9670afc69b905c987c6648da76220abab*",".{0,1000}6c9c712e0274ee0e79c0b61f59b8bab9670afc69b905c987c6648da76220abab.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28496" "*6caae495c78cfaf80bef557903f997db566a5cf3ea08c03d6f09e2c30a6d6d0a*",".{0,1000}6caae495c78cfaf80bef557903f997db566a5cf3ea08c03d6f09e2c30a6d6d0a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28499" "*6cc029abfa617d77e65ca70717fba6cfb418110e3922728c251aa8150b81e64e*",".{0,1000}6cc029abfa617d77e65ca70717fba6cfb418110e3922728c251aa8150b81e64e.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","28508" "*6cc2585e1b00bf07cd02b4ee08fb51e88cba155f4a10f753142eb9cc1fcccbc8*",".{0,1000}6cc2585e1b00bf07cd02b4ee08fb51e88cba155f4a10f753142eb9cc1fcccbc8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28509" "*6cecfa1b5cfba371a6a576e213eeb90f5ea82a91f94fb520cf9160a6526e0ac8*",".{0,1000}6cecfa1b5cfba371a6a576e213eeb90f5ea82a91f94fb520cf9160a6526e0ac8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28518" "*6cf85567ac67515da97ff2cfd2adea85a088c5bb4b8eb3fc847d6d3d5637b842*",".{0,1000}6cf85567ac67515da97ff2cfd2adea85a088c5bb4b8eb3fc847d6d3d5637b842.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","28520" "*6cfe97e965caf3c48dc87c975fe22c7833c172d6cf5ed8790d0bd5755ec0afd8*",".{0,1000}6cfe97e965caf3c48dc87c975fe22c7833c172d6cf5ed8790d0bd5755ec0afd8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28525" "*6d01bb9b786da4013f55f0fe29dfb7490cede245414db1bac43fb204aad2c97c*",".{0,1000}6d01bb9b786da4013f55f0fe29dfb7490cede245414db1bac43fb204aad2c97c.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28527" "*6d2e71d3158ce74d7cd53b333edc7389b02c9d473658b87d898a7a40e377850c*",".{0,1000}6d2e71d3158ce74d7cd53b333edc7389b02c9d473658b87d898a7a40e377850c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28530" "*6d331a0cf4808cc0a5141960acfe009d99e5b6e33b477216c9e888d55a04885e*",".{0,1000}6d331a0cf4808cc0a5141960acfe009d99e5b6e33b477216c9e888d55a04885e.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28531" "*6d45c62ffaf587bb28e8c24ce0b29187df9589cce0daa6a2ccc02605a3a4f529*",".{0,1000}6d45c62ffaf587bb28e8c24ce0b29187df9589cce0daa6a2ccc02605a3a4f529.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28536" "*6d4b70280b8a765a7f7bd302c73f9b20d0f743edb9e04123a0b8b5227ab3f5fa*",".{0,1000}6d4b70280b8a765a7f7bd302c73f9b20d0f743edb9e04123a0b8b5227ab3f5fa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28538" "*6d623f0fac370b54152399de17aaf49835a2703db0f59a40e411e3a1559a065d*",".{0,1000}6d623f0fac370b54152399de17aaf49835a2703db0f59a40e411e3a1559a065d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28544" 
"*6d6455e1cb69eb0615a52cc046a296395e44d50c0f32627ba8590c677ddf50a9*",".{0,1000}6d6455e1cb69eb0615a52cc046a296395e44d50c0f32627ba8590c677ddf50a9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28545" "*6d686399731d32af0783b096717c5a14fdbe74e1e432ee2e8fdaace36ebbbe3d*",".{0,1000}6d686399731d32af0783b096717c5a14fdbe74e1e432ee2e8fdaace36ebbbe3d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28548" "*6d795a5f052b3a8cb8e7571629da14f00e92035b7174eb20e32fd1440f68aaff*",".{0,1000}6d795a5f052b3a8cb8e7571629da14f00e92035b7174eb20e32fd1440f68aaff.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28551" "*6d7d84fd5a11387aa706ed690f5855893594d5ded8ddeaf49cb449927c071f5f*",".{0,1000}6d7d84fd5a11387aa706ed690f5855893594d5ded8ddeaf49cb449927c071f5f.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure 
tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","28552" "*6d94fd795439afe13c95030b1b33a606beae24cab986395e374142021c59a7fa*",".{0,1000}6d94fd795439afe13c95030b1b33a606beae24cab986395e374142021c59a7fa.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28558" "*6d99e41142a9c8753dbc8fafb178cec830a175f00ee57f69ff6c2049858a780f*",".{0,1000}6d99e41142a9c8753dbc8fafb178cec830a175f00ee57f69ff6c2049858a780f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28562" "*6d9f0234c1022ad90c0ec7837dce7d93df645d7aac58c6fc75a0ef71450d477d*",".{0,1000}6d9f0234c1022ad90c0ec7837dce7d93df645d7aac58c6fc75a0ef71450d477d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28563" "*6da1f7a8087575b0580228caee8d40ba7d7fb078d7f18e627792b6cc862524e7*",".{0,1000}6da1f7a8087575b0580228caee8d40ba7d7fb078d7f18e627792b6cc862524e7.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28565" "*6db1c295c1602011ddba8c5d3e43d8c73f247d1367fa2600062862004b1e88db*",".{0,1000}6db1c295c1602011ddba8c5d3e43d8c73f247d1367fa2600062862004b1e88db.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28567" "*6db5fe227458239815cb4a5f6c7775daf8b534746121c2f1ef8cfcdd6963c721*",".{0,1000}6db5fe227458239815cb4a5f6c7775daf8b534746121c2f1ef8cfcdd6963c721.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28568" 
"*6db7f9491dc7389e6f64cd4ae549eb3a304b1868309a40b7a175c0206c681bc9*",".{0,1000}6db7f9491dc7389e6f64cd4ae549eb3a304b1868309a40b7a175c0206c681bc9.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","28569" "*6dc7b95343fd96cff5e68e03c97f52957868fb3dc09dbbf2d559325789ad06d8*",".{0,1000}6dc7b95343fd96cff5e68e03c97f52957868fb3dc09dbbf2d559325789ad06d8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28571" "*6ddb4ce3d13cfc9003bd4351bfd6ce9ad25d3cabea52e9a7e7b9ac1ca0cd6605*",".{0,1000}6ddb4ce3d13cfc9003bd4351bfd6ce9ad25d3cabea52e9a7e7b9ac1ca0cd6605.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28577"
"*6de3528cac2c68c0f14a98474db820bb8291b49ab63727e52d58d29288af3fa7*",".{0,1000}6de3528cac2c68c0f14a98474db820bb8291b49ab63727e52d58d29288af3fa7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28579" "*6df1812ceb5b98224890e3b48d458c94a0c486cbeac4f9cde750ef7954d85569*",".{0,1000}6df1812ceb5b98224890e3b48d458c94a0c486cbeac4f9cde750ef7954d85569.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","28581" "*6df9f806f4cb4001e3722196bfe629c48c2dd39078b33e96db139823db1236e1*",".{0,1000}6df9f806f4cb4001e3722196bfe629c48c2dd39078b33e96db139823db1236e1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28583" "*6dfa9158c5e57aab361fe9b554369024c16671a134eb34b1604d0e170e184f57*",".{0,1000}6dfa9158c5e57aab361fe9b554369024c16671a134eb34b1604d0e170e184f57.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28584" 
"*6e12d0f2f68b89133032436717f20a60bc8b9b0e116f2985e658dfb0f1e46066*",".{0,1000}6e12d0f2f68b89133032436717f20a60bc8b9b0e116f2985e658dfb0f1e46066.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28597" "*6e2028eb0bc06325c6101c497832e66a95ce482b1771455bc7a873ef22291c65*",".{0,1000}6e2028eb0bc06325c6101c497832e66a95ce482b1771455bc7a873ef22291c65.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","28601" "*6e2966ff6488fa05ed5ffb24ae5dde4fe1954b3006aa0269510ac9feaf099c78*",".{0,1000}6e2966ff6488fa05ed5ffb24ae5dde4fe1954b3006aa0269510ac9feaf099c78.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28604" "*6e37dce8f0d1f42f2a752c4297feccdebbdc9358bd8c04f4449052033efc1a9b*",".{0,1000}6e37dce8f0d1f42f2a752c4297feccdebbdc9358bd8c04f4449052033efc1a9b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* 
- Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28605" "*6e44d4eec61c35b14e9e43158b8a169269a98be0e2ae8992cdb0a50ea09b97a1*",".{0,1000}6e44d4eec61c35b14e9e43158b8a169269a98be0e2ae8992cdb0a50ea09b97a1.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","28607" "*6e469301d72958686bc78469c7c9d6a79fb848e77e6b00a037526d44f5d48819*",".{0,1000}6e469301d72958686bc78469c7c9d6a79fb848e77e6b00a037526d44f5d48819.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","28608" "*6e503a1a3b0f9117bce6ff7cc30cf61bdc79e9b32d074cf96deb0264e067a60d*",".{0,1000}6e503a1a3b0f9117bce6ff7cc30cf61bdc79e9b32d074cf96deb0264e067a60d.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","28610" "*6e6c21f7a5070f2af43febe26adcd26007651b928f335ac66673e955c39a4a29*",".{0,1000}6e6c21f7a5070f2af43febe26adcd26007651b928f335ac66673e955c39a4a29.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28614" "*6e8947870ecf553ed99f745eb8c66fd7daf3d60fb16f5ff44285c7c7f11137c0*",".{0,1000}6e8947870ecf553ed99f745eb8c66fd7daf3d60fb16f5ff44285c7c7f11137c0.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28618" "*6e8b78647d756a84e7662d42955224fe17bcea674ff125ba1e63b0737ceaebe1*",".{0,1000}6e8b78647d756a84e7662d42955224fe17bcea674ff125ba1e63b0737ceaebe1.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28620" "*6ea5a9fb8f4ddeb82111ebe5583c88e0d483d2b4d18f64cbff7530be3affd5da*",".{0,1000}6ea5a9fb8f4ddeb82111ebe5583c88e0d483d2b4d18f64cbff7530be3affd5da.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28627" "*6eaacd4b20f6cc94e884edde513bb561f7ce54e3388cb751caa2ffe6b781202e*",".{0,1000}6eaacd4b20f6cc94e884edde513bb561f7ce54e3388cb751caa2ffe6b781202e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","28629" "*6eba09a7e386379e173bea81ca5de348bef4c0f024d2efa963ab8d3bb8b37a8e*",".{0,1000}6eba09a7e386379e173bea81ca5de348bef4c0f024d2efa963ab8d3bb8b37a8e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28634" "*6ebf021ec1ecf18a97b59fcf9c045aa245120b84a84a5319dbbc5ff4c34f42ee*",".{0,1000}6ebf021ec1ecf18a97b59fcf9c045aa245120b84a84a5319dbbc5ff4c34f42ee.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28635" "*6ec72829df83fe1ad5c943580274d7753b802aa4de88c1aef4ba019e99a16ee5*",".{0,1000}6ec72829df83fe1ad5c943580274d7753b802aa4de88c1aef4ba019e99a16ee5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28638" 
"*6edca5b408b075285b85db4ebfe180dc86695c387f5005f58af8c53a7d36b1a8*",".{0,1000}6edca5b408b075285b85db4ebfe180dc86695c387f5005f58af8c53a7d36b1a8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28642" "*6edcee9130bc97aac10f1d04e9a3c86b20c38a66c1aeed24c4e2244cddfd98ea*",".{0,1000}6edcee9130bc97aac10f1d04e9a3c86b20c38a66c1aeed24c4e2244cddfd98ea.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28643" "*6ee05f1a72395ef7d41538ef5cc84395d5a168d13e3054a329f0d9f593f80f6d*",".{0,1000}6ee05f1a72395ef7d41538ef5cc84395d5a168d13e3054a329f0d9f593f80f6d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28644" "*6ee1775d22b9392a4cf9f14450eb072ce78799bc81cb82e3c09c8bb68542cfab*",".{0,1000}6ee1775d22b9392a4cf9f14450eb072ce78799bc81cb82e3c09c8bb68542cfab.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","28645" 
"*6ee5eab9a9aa836ac397746a20afbb671971c6553bf8d6a844ba0a7a8de8447e*",".{0,1000}6ee5eab9a9aa836ac397746a20afbb671971c6553bf8d6a844ba0a7a8de8447e.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","28649" "*6ee659ad14046e38ef7a00c2afe4785674015a5ab08cdf78cf40fa2eb11a891e*",".{0,1000}6ee659ad14046e38ef7a00c2afe4785674015a5ab08cdf78cf40fa2eb11a891e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","28650" "*6ef99a03b1df823546e414b4b3ce5ce0e43121db66b52c9e10b61ab653b46bf8*",".{0,1000}6ef99a03b1df823546e414b4b3ce5ce0e43121db66b52c9e10b61ab653b46bf8.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28658" "*6efd0a501a91178a31ae82146c8ed8b1d91b2a62e8e8ea644e80b7562846dbb1*",".{0,1000}6efd0a501a91178a31ae82146c8ed8b1d91b2a62e8e8ea644e80b7562846dbb1.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","28660" "*6f072e5783a999399690a8fbb7aff14f818746a910165bb7514576bf9ef179da*",".{0,1000}6f072e5783a999399690a8fbb7aff14f818746a910165bb7514576bf9ef179da.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","28662" "*6f0a3e80dcde8611beb4ac1d9e575601997e58b9a4a17054c5cb4eedf6f8062f*",".{0,1000}6f0a3e80dcde8611beb4ac1d9e575601997e58b9a4a17054c5cb4eedf6f8062f.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28663" "*6f12c2f6c1d43cc0cfdbd2f73917a227ebd507de82e3d45b6ca6de259ff89f0c*",".{0,1000}6f12c2f6c1d43cc0cfdbd2f73917a227ebd507de82e3d45b6ca6de259ff89f0c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28665" 
"*6f252952b482ffac286cfec43774b6f510ad7f47eb7332ce8bbddc1400a91ec3*",".{0,1000}6f252952b482ffac286cfec43774b6f510ad7f47eb7332ce8bbddc1400a91ec3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28669" "*6f35a34033499938700e42f4123399f711003d2dab83ed50e69f7df5ecf976d8*",".{0,1000}6f35a34033499938700e42f4123399f711003d2dab83ed50e69f7df5ecf976d8.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28675" "*6f3663f7cdd25063c8c8728f5d9b07813ced8780522fd1f124ba539e2854215f*",".{0,1000}6f3663f7cdd25063c8c8728f5d9b07813ced8780522fd1f124ba539e2854215f.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28676" "*6f3b17759a79f9cee899d61622d88b6a5f87aa7d8ecdc8c4d82fd0386c3e8c0a*",".{0,1000}6f3b17759a79f9cee899d61622d88b6a5f87aa7d8ecdc8c4d82fd0386c3e8c0a.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - 
T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","28678" "*6f44dd5e572279979a9a59b0186a9fb2805be4c6decbcc438cf2b9d2c17f3a42*",".{0,1000}6f44dd5e572279979a9a59b0186a9fb2805be4c6decbcc438cf2b9d2c17f3a42.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","0","#filehash","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","28681" "*6f486fb6576a30179b3ef6bf36ad0bec39745f22d504209abd602338c77707b9*",".{0,1000}6f486fb6576a30179b3ef6bf36ad0bec39745f22d504209abd602338c77707b9.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","28683" "*6f4ad87a95fda2c0a77122b77942d54f688b6a355f40b256578cf7e8c26cc5f1*",".{0,1000}6f4ad87a95fda2c0a77122b77942d54f688b6a355f40b256578cf7e8c26cc5f1.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28686" "*6f4cee01855c127463f149bb94adc8bec1a5b9b19f8edfd8471002effbdd1fdb*",".{0,1000}6f4cee01855c127463f149bb94adc8bec1a5b9b19f8edfd8471002effbdd1fdb.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose 
local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","28687" "*6f54f9c1108613f68114da87cba5fc1c4a800d62fcfaf42d8b3cbb76436f5cb6*",".{0,1000}6f54f9c1108613f68114da87cba5fc1c4a800d62fcfaf42d8b3cbb76436f5cb6.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","28689" "*6f5d1ac64a7b84b02a3bb488ad13d5134a4f7aadfe7d11e0a3338703f1e5261b*",".{0,1000}6f5d1ac64a7b84b02a3bb488ad13d5134a4f7aadfe7d11e0a3338703f1e5261b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28691" "*6f6594f84e45eb92f0049426a85db0be619c0d3117577d69d6651e19a489f7c3*",".{0,1000}6f6594f84e45eb92f0049426a85db0be619c0d3117577d69d6651e19a489f7c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with 
cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28692" "*6f93ebfce80642e697c1de729ccf6ac3d0d3c7171d4d53e9c69eeaf3417f0d77*",".{0,1000}6f93ebfce80642e697c1de729ccf6ac3d0d3c7171d4d53e9c69eeaf3417f0d77.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28704" "*6f94077fc6f9092d9e9282bee1588e70aaf70ad90407e2bd164c38325249af5e*",".{0,1000}6f94077fc6f9092d9e9282bee1588e70aaf70ad90407e2bd164c38325249af5e.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","28705" "*6f9d22dde53839cfc4a035c019f2e55fa6a7e7e1ac308060ec312b70e6272611*",".{0,1000}6f9d22dde53839cfc4a035c019f2e55fa6a7e7e1ac308060ec312b70e6272611.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28707" "*6fa10205d1ade554f1f0250db2752f855919abba4cf63efb907a7543efc1beae*",".{0,1000}6fa10205d1ade554f1f0250db2752f855919abba4cf63efb907a7543efc1beae.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28708" "*6fab3fa836659c85b97e7a8e514bdbb8d4df186600212a7b5c36cafff7942e38*",".{0,1000}6fab3fa836659c85b97e7a8e514bdbb8d4df186600212a7b5c36cafff7942e38.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28709" "*6fae4e720a4f9d3d8b9b635ac161596ab4dce24168dabd75e41ccead6915a454*",".{0,1000}6fae4e720a4f9d3d8b9b635ac161596ab4dce24168dabd75e41ccead6915a454.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28712" "*6fe6b708ab65d61293fb7f1669a3dceab6d8a7d06f9f9b93db68025873f51c44*",".{0,1000}6fe6b708ab65d61293fb7f1669a3dceab6d8a7d06f9f9b93db68025873f51c44.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28721" "*6fe778623ef31eb224b4aeff3eaa73aef6d76c091fcb328782046e1ec44969d5*",".{0,1000}6fe778623ef31eb224b4aeff3eaa73aef6d76c091fcb328782046e1ec44969d5.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28722" "*6fec9d5af24c2d845ab1e2146e38196ae9a8ae351442c6fb8a048373befd88d8*",".{0,1000}6fec9d5af24c2d845ab1e2146e38196ae9a8ae351442c6fb8a048373befd88d8.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","28724" "*6ff59cb7898fc8534f0a799029d8cf5b9b033c1d19cba81a91b6cb05415d34c1*",".{0,1000}6ff59cb7898fc8534f0a799029d8cf5b9b033c1d19cba81a91b6cb05415d34c1.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","28727" "*700d65fb0b7653666b1ba1b3911f97ec9a6c6af647083dafd8609ffcf5499b4b*",".{0,1000}700d65fb0b7653666b1ba1b3911f97ec9a6c6af647083dafd8609ffcf5499b4b.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28735" "*701b8a45901f7dc715140662e68f7d7e8c59f631866f9ac862896cd06a2d5865*",".{0,1000}701b8a45901f7dc715140662e68f7d7e8c59f631866f9ac862896cd06a2d5865.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","28738" "*701fd0ae9d88d3a08c418e9d0fca6651c058b7eef8fb34194acf753bfd80e221*",".{0,1000}701fd0ae9d88d3a08c418e9d0fca6651c058b7eef8fb34194acf753bfd80e221.{0,1000}","greyware_tool_keyword","rathole","Expose the service on a device behind NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28739" "*702e44943daae9c094858ed1a8a50e427264a1967535cad0362ce80fdf5acc92*",".{0,1000}702e44943daae9c094858ed1a8a50e427264a1967535cad0362ce80fdf5acc92.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28742" "*703e2d2c0fa3fb1e6b7f1a5249533072d9d9caeaf7811dbe1750ee43c1ef0501*",".{0,1000}703e2d2c0fa3fb1e6b7f1a5249533072d9d9caeaf7811dbe1750ee43c1ef0501.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","28744" "*704ad0f0f657c644c867b0a29a002cd9424867b5670cc251a44b5978eea722e7*",".{0,1000}704ad0f0f657c644c867b0a29a002cd9424867b5670cc251a44b5978eea722e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28747" "*704b9980f885441fe974a85f0c18d33f24ba3f2022224cd255d95cecc77a737d*",".{0,1000}704b9980f885441fe974a85f0c18d33f24ba3f2022224cd255d95cecc77a737d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon 
Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28749" "*704cd5aaaf2ad78e31ce1b7e13ff87c7b5e97bc5e2ef55188525eb7c96a53232*",".{0,1000}704cd5aaaf2ad78e31ce1b7e13ff87c7b5e97bc5e2ef55188525eb7c96a53232.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28750" "*705377a7e00904ccdc2e5ab9c3440ca366756b2b74ea107ecf51aefaeb0164c2*",".{0,1000}705377a7e00904ccdc2e5ab9c3440ca366756b2b74ea107ecf51aefaeb0164c2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28755" "*708c1844718122e5da7e9cae65860e8c6a01608cbd628ebc90ff7737503833e9*",".{0,1000}708c1844718122e5da7e9cae65860e8c6a01608cbd628ebc90ff7737503833e9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - 
T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28765" "*709f64122893b3970f4ccf7a0e116024f3029fb141d0ade3f37f86a1b024096c*",".{0,1000}709f64122893b3970f4ccf7a0e116024f3029fb141d0ade3f37f86a1b024096c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28769" "*70a4631e43134af49d957c6e4fa3275383c1543f5462d6230f90b2e446189efe*",".{0,1000}70a4631e43134af49d957c6e4fa3275383c1543f5462d6230f90b2e446189efe.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28770" 
"*70b9dff9c9d9ed85549bdf6f818771776cbfaf3adbc04abfadc84485a20a8a6f*",".{0,1000}70b9dff9c9d9ed85549bdf6f818771776cbfaf3adbc04abfadc84485a20a8a6f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28778" "*70bac6ab24591aa3df6592daacec697e11fdf865e3f27b8ccb7fa5a65934d96d*",".{0,1000}70bac6ab24591aa3df6592daacec697e11fdf865e3f27b8ccb7fa5a65934d96d.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","28779" "*70d2b7f5e3ca6061206e54786b04143fc5154eab4feaf854797aee3f523d5175*",".{0,1000}70d2b7f5e3ca6061206e54786b04143fc5154eab4feaf854797aee3f523d5175.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","28788" 
"*70f1ed3ea1ba5d2fe5430735089f03cbce1b85a4c719ad2adc7d1049345f2b6c*",".{0,1000}70f1ed3ea1ba5d2fe5430735089f03cbce1b85a4c719ad2adc7d1049345f2b6c.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","28794" "*70f47558dfa4e88f330d3bfcb40cc9f88e2483b2e0db1d7c0841da000c98be18*",".{0,1000}70f47558dfa4e88f330d3bfcb40cc9f88e2483b2e0db1d7c0841da000c98be18.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28795" "*70f57deb3ce57eb890104fe14d6fe442a815e095122a9c2b584e34d3c54f5563*",".{0,1000}70f57deb3ce57eb890104fe14d6fe442a815e095122a9c2b584e34d3c54f5563.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28796" 
"*70f7f49337d31968d4a2b7eb27200bced44eade5ba5c75547bd1f9a51660f2d5*",".{0,1000}70f7f49337d31968d4a2b7eb27200bced44eade5ba5c75547bd1f9a51660f2d5.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28799" "*70feebe9f930310824eda3d246b5b85b0106cb5aa876390827d4743661362026*",".{0,1000}70feebe9f930310824eda3d246b5b85b0106cb5aa876390827d4743661362026.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28802" "*70ff1ea046dbf3a51880965281a9d6a19b87e297303660346d36e7cb7969cd48*",".{0,1000}70ff1ea046dbf3a51880965281a9d6a19b87e297303660346d36e7cb7969cd48.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","28803" "*710c8601b26a63482c9d8044bfb12d8dec9297aaa593942cb68185276dd304b6*",".{0,1000}710c8601b26a63482c9d8044bfb12d8dec9297aaa593942cb68185276dd304b6.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28805" "*7110096e52faff29a4d6c683d1223876280852679963a1d7dac8d79994369a65*",".{0,1000}7110096e52faff29a4d6c683d1223876280852679963a1d7dac8d79994369a65.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28807" "*711795b31d4482d7f7ce181b00db2ce2a33d3d7675f1d9feab0e984b017d2178*",".{0,1000}711795b31d4482d7f7ce181b00db2ce2a33d3d7675f1d9feab0e984b017d2178.{0,1000}","greyware_tool_keyword","rathole","Expose the service on a device behind NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28812" "*713eedbc3a86409bb621d853b9fb157c2abe789a9b696796ca0e887e610e8295*",".{0,1000}713eedbc3a86409bb621d853b9fb157c2abe789a9b696796ca0e887e610e8295.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28820" 
"*71737381ff602f28a74621db960d7fc62a2926b83f61ef9024024eae09237271*",".{0,1000}71737381ff602f28a74621db960d7fc62a2926b83f61ef9024024eae09237271.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28830" "*7174a1328325da89ed6aabcf522131db9928222154e9607b0d5a2f7b2977ae93*",".{0,1000}7174a1328325da89ed6aabcf522131db9928222154e9607b0d5a2f7b2977ae93.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28831" "*717500a496b76ffa5205ed4dd9bd2ef79da659d75e1d8e98efb1b2ec8c224509*",".{0,1000}717500a496b76ffa5205ed4dd9bd2ef79da659d75e1d8e98efb1b2ec8c224509.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28832" 
"*718883f3de3684d2fb9c8c905de422a5cefac2bc7dac2b0cad1698be61d54cb9*",".{0,1000}718883f3de3684d2fb9c8c905de422a5cefac2bc7dac2b0cad1698be61d54cb9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28835" "*718c0f0820f65782bc19af479f2406c9654fc564b9999a0936581b4ed1d91bb2*",".{0,1000}718c0f0820f65782bc19af479f2406c9654fc564b9999a0936581b4ed1d91bb2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28836" "*71938906831a2fbab00a0519cb8a1f6aaa31425d528df130e60ca371f0dd45ab*",".{0,1000}71938906831a2fbab00a0519cb8a1f6aaa31425d528df130e60ca371f0dd45ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28837" "*719e6b5eedc0d4b178d6f0f999555fc3292a22747f3ed2238d529604ee1a5532*",".{0,1000}719e6b5eedc0d4b178d6f0f999555fc3292a22747f3ed2238d529604ee1a5532.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is 
a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#filehash","N/A","7","8","N/A","N/A","N/A","N/A","28839" "*71a0f3137f02da4116ea2b7d134c38be86a1229cffb0b1dac4469b561ea35985*",".{0,1000}71a0f3137f02da4116ea2b7d134c38be86a1229cffb0b1dac4469b561ea35985.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28840" "*71a74ecc3adea709976ea8995e4e692982dfb9bdacd839f9e66df426f91537c0*",".{0,1000}71a74ecc3adea709976ea8995e4e692982dfb9bdacd839f9e66df426f91537c0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28842" "*71add603c1e99cf23497d2c79e317d27a08c9ba7ac8afce3e36e48b080a4a456*",".{0,1000}71add603c1e99cf23497d2c79e317d27a08c9ba7ac8afce3e36e48b080a4a456.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 
- TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28844" "*71b3685e138ff787324a21d5192d9e90b0c6c2d752b99837db80c7486d1a6cf7*",".{0,1000}71b3685e138ff787324a21d5192d9e90b0c6c2d752b99837db80c7486d1a6cf7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28845" "*71be22b601b991d36eede50c35c3dbd9e5854e8555860f974e4a13cfe721e32f*",".{0,1000}71be22b601b991d36eede50c35c3dbd9e5854e8555860f974e4a13cfe721e32f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28849" 
"*71c807766303d5e102509a7209831660c1c947db0da3d3c1e3f9be5be5d5ceb3*",".{0,1000}71c807766303d5e102509a7209831660c1c947db0da3d3c1e3f9be5be5d5ceb3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28851" "*71d606337dad38eabe7321a8f82672b1c214c5334b340f2cc4a5b296efe157f5*",".{0,1000}71d606337dad38eabe7321a8f82672b1c214c5334b340f2cc4a5b296efe157f5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28852" "*71d9d8c3e4260db98cae345523171ba30c983d38d7b94724448a791527e206a3*",".{0,1000}71d9d8c3e4260db98cae345523171ba30c983d38d7b94724448a791527e206a3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28854" "*71e29bff6cee7938472b8d16ea5696b4966cb587a266c43257770efffed93aae*",".{0,1000}71e29bff6cee7938472b8d16ea5696b4966cb587a266c43257770efffed93aae.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","28858" "*71fe9b98c24f53cdc002f7efde57d17e08288dee084a98eed639bab982d9cd26*",".{0,1000}71fe9b98c24f53cdc002f7efde57d17e08288dee084a98eed639bab982d9cd26.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28863" "*7207b7631683005ed4b09b1a1f07a781284761fc143a8cce873e9cc500530f06*",".{0,1000}7207b7631683005ed4b09b1a1f07a781284761fc143a8cce873e9cc500530f06.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28865" "*7215255a842142ffa7f7e1624942684279e9a2f14fa7947451a3194d0b608f52*",".{0,1000}7215255a842142ffa7f7e1624942684279e9a2f14fa7947451a3194d0b608f52.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","#filehash","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","28868" "*7218d911d8644674912e3871b6dae46af2272b63f2979d121db86f8e03ca395c*",".{0,1000}7218d911d8644674912e3871b6dae46af2272b63f2979d121db86f8e03ca395c.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","28885" "*722d7c6b976d85f29acd429f1fd6289a6e8451a3e1815444404bd4b99eb553f7*",".{0,1000}722d7c6b976d85f29acd429f1fd6289a6e8451a3e1815444404bd4b99eb553f7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28889" "*7237594482ea47498b240d39ca8e94e3c635dc66fb4989db47739a8a420e6fc2*",".{0,1000}7237594482ea47498b240d39ca8e94e3c635dc66fb4989db47739a8a420e6fc2.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - 
T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28894" "*725f1d7143aa95e149333459b48d7b538e98b65bffb1c4005eac8f890e84e34e*",".{0,1000}725f1d7143aa95e149333459b48d7b538e98b65bffb1c4005eac8f890e84e34e.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28900" "*72605e93bf880f32e23eb3b5d1ab30a66c7a2beb3c195d5d2bc5738e1b7ddbf5*",".{0,1000}72605e93bf880f32e23eb3b5d1ab30a66c7a2beb3c195d5d2bc5738e1b7ddbf5.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","28901" "*7266febec1f01a25d6575de51c44ddf749071a4950a6384e4164954dff7ac37e*",".{0,1000}7266febec1f01a25d6575de51c44ddf749071a4950a6384e4164954dff7ac37e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28903" "*726996a84c8ef0f3c50ecbab6842c5679c38f73f2dd7d0c7f7b4dec5411daee3*",".{0,1000}726996a84c8ef0f3c50ecbab6842c5679c38f73f2dd7d0c7f7b4dec5411daee3.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28906" "*7270581d315cffb125f9ac64ebcb6622959c8e9f779b8a07808fd6929b0e746a*",".{0,1000}7270581d315cffb125f9ac64ebcb6622959c8e9f779b8a07808fd6929b0e746a.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","28908" "*727adce0f900a6991f36b3efdde89d49e1435ff9c2a9bd5623bdc929c65b623b*",".{0,1000}727adce0f900a6991f36b3efdde89d49e1435ff9c2a9bd5623bdc929c65b623b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28911" 
"*727b1692111d8e799e8deb7f1243503994f08d71488805d3f8c35015b142a6b7*",".{0,1000}727b1692111d8e799e8deb7f1243503994f08d71488805d3f8c35015b142a6b7.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","28912" "*72807b455e5a1fa442bb1d06bab1efac76e5b7e23256d0c1ab869a02cef890d2*",".{0,1000}72807b455e5a1fa442bb1d06bab1efac76e5b7e23256d0c1ab869a02cef890d2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28913" "*7287fab98c5650ad7241959233347f346053d691adeaf4ebf5235b9cb00bf711*",".{0,1000}7287fab98c5650ad7241959233347f346053d691adeaf4ebf5235b9cb00bf711.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","28915" 
"*72b86dc356b7f6708f1996cf2085fd66a75d05e04ab728c245db5d660f645281*",".{0,1000}72b86dc356b7f6708f1996cf2085fd66a75d05e04ab728c245db5d660f645281.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","28924" "*72c007c9121974c0812eb2f98e26f987be28774b3175325d45596a555bfb811a*",".{0,1000}72c007c9121974c0812eb2f98e26f987be28774b3175325d45596a555bfb811a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","28925" "*72c04c3a683943559166a4ef21e7e35670531d6fdf28d3482298b75d5f736718*",".{0,1000}72c04c3a683943559166a4ef21e7e35670531d6fdf28d3482298b75d5f736718.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28926" "*72cae1ce4bdd18227d0917fb2002615d0c78a6485a2daf850e2494ccab6aa4df*",".{0,1000}72cae1ce4bdd18227d0917fb2002615d0c78a6485a2daf850e2494ccab6aa4df.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - 
Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28929" "*72ce6357beb322ad185e5aec9247665babe206519ec7b0b741b285fdb60375f8*",".{0,1000}72ce6357beb322ad185e5aec9247665babe206519ec7b0b741b285fdb60375f8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28932" "*72cfa26b9ac9f6c0e9af071df88f52d526b6b1301ab1c3e7055416e059ba7926*",".{0,1000}72cfa26b9ac9f6c0e9af071df88f52d526b6b1301ab1c3e7055416e059ba7926.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28933" "*72d4be0337fe92dda02f3828e2f1f7df290a1c079e81ef3873d9c0502bbe90a3*",".{0,1000}72d4be0337fe92dda02f3828e2f1f7df290a1c079e81ef3873d9c0502bbe90a3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","28934" "*72dd6e4cdd75c245adf8c59c9dc4eeae3cd474ec459b238c714282e66a04ae70*",".{0,1000}72dd6e4cdd75c245adf8c59c9dc4eeae3cd474ec459b238c714282e66a04ae70.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28940" "*72fbdbca48fabbc84dfe551bdd3bc2d8d8b96b30ca7a2a71344c4d0878d91d99*",".{0,1000}72fbdbca48fabbc84dfe551bdd3bc2d8d8b96b30ca7a2a71344c4d0878d91d99.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28948" "*73314bd200038dc11b2a008f9d90164565d15744724a5ea9a0750823a8d0d73b*",".{0,1000}73314bd200038dc11b2a008f9d90164565d15744724a5ea9a0750823a8d0d73b.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","28958" "*7334543f2f3555690c9a4995cf1d8e83beb9fa45e6aa147c49114a4ef89670b8*",".{0,1000}7334543f2f3555690c9a4995cf1d8e83beb9fa45e6aa147c49114a4ef89670b8.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","28962" "*733c94230677c98424402523a308d03893948c0c89be9920f3ffae73ecbdbc71*",".{0,1000}733c94230677c98424402523a308d03893948c0c89be9920f3ffae73ecbdbc71.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","28966" "*7350f50c3fc022d217821e6f416497820e6216a714c5ee859af1f36be9b740d7*",".{0,1000}7350f50c3fc022d217821e6f416497820e6216a714c5ee859af1f36be9b740d7.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","28971" "*735a96908571fa623b9d4065a3061deaa897e5140724fc3dcb620bdd6679b516*",".{0,1000}735a96908571fa623b9d4065a3061deaa897e5140724fc3dcb620bdd6679b516.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28973" "*73793e0d320ba7c4a8a4c5b7fe75283ca880530e18c76f3fc02180603301a34b*",".{0,1000}73793e0d320ba7c4a8a4c5b7fe75283ca880530e18c76f3fc02180603301a34b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","28979" "*73857ff880d961978dc2b9d183462db429be5397341f2d2e8885c8807c0919e3*",".{0,1000}73857ff880d961978dc2b9d183462db429be5397341f2d2e8885c8807c0919e3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","28981" "*7395137f9c26a99367fec72c608e85b7fcc078aad85fa19f48a9debe6a2ffae9*",".{0,1000}7395137f9c26a99367fec72c608e85b7fcc078aad85fa19f48a9debe6a2ffae9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28988" 
"*73af3c4a756699cf07ae67395f549b754ef562cfc02b764a0455cd211ec42142*",".{0,1000}73af3c4a756699cf07ae67395f549b754ef562cfc02b764a0455cd211ec42142.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","28993" "*73cf434ec93e2e20aa3d593dc5eacb221a71d5ae0943ca59bdffedeaf238a9c6*",".{0,1000}73cf434ec93e2e20aa3d593dc5eacb221a71d5ae0943ca59bdffedeaf238a9c6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29000" "*73d07981ab0538707f5045dc72a89ff0c7dd2a4c403950cc77ee13c8ca6c65b4*",".{0,1000}73d07981ab0538707f5045dc72a89ff0c7dd2a4c403950cc77ee13c8ca6c65b4.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","29001" 
"*73e83646-1d53-4dec-950a-a48559e438e8*",".{0,1000}73e83646\-1d53\-4dec\-950a\-a48559e438e8.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral Movement","https://github.com/humphd/VncSharp","1","0","#GUIDproject","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","29004" "*73eb5215f2d0d3a768bceff7c385d7cc3cf2cd2d0f7e8b19ceedb9a5c8b35a05*",".{0,1000}73eb5215f2d0d3a768bceff7c385d7cc3cf2cd2d0f7e8b19ceedb9a5c8b35a05.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29005" "*73f20bfc29a0308600ab347f8a9b6ad0c72ea18173d44e763514bedc1f6e3023*",".{0,1000}73f20bfc29a0308600ab347f8a9b6ad0c72ea18173d44e763514bedc1f6e3023.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29009" 
"*73f3e7037e5f06e8f6fc30aa47aabbc815b4173decdcab149c647126a4aa6370*",".{0,1000}73f3e7037e5f06e8f6fc30aa47aabbc815b4173decdcab149c647126a4aa6370.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29010" "*7402fc76816fd653bbe050a3f8a2dfd7c1363c980e2cc3dc369c60c3f0d502a7*",".{0,1000}7402fc76816fd653bbe050a3f8a2dfd7c1363c980e2cc3dc369c60c3f0d502a7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29013" "*740bd508d67ae19842b9f48b4433cf6f41f3e42f8f12f177ca0767f7985dfa1d*",".{0,1000}740bd508d67ae19842b9f48b4433cf6f41f3e42f8f12f177ca0767f7985dfa1d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29018" 
"*74173938c4040e181f011e7e2f6cdb171244c84f96517d0392a7759bf7d72f12*",".{0,1000}74173938c4040e181f011e7e2f6cdb171244c84f96517d0392a7759bf7d72f12.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29020" "*743592ce1fa6a16f1abf80c3226237e59e4661491124a5f97824a0dfc5ae0ba2*",".{0,1000}743592ce1fa6a16f1abf80c3226237e59e4661491124a5f97824a0dfc5ae0ba2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29027" "*74395de1ba089f44dd7379d38254e3c4aa022341143482f0ddaf19011de25d10*",".{0,1000}74395de1ba089f44dd7379d38254e3c4aa022341143482f0ddaf19011de25d10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29029" "*743d40286b6e5d2f630e7f6f2e2609ae4b1d99c455c949677549e63495f6f65a*",".{0,1000}743d40286b6e5d2f630e7f6f2e2609ae4b1d99c455c949677549e63495f6f65a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29030" "*743e73b664ae59c68042364849629ca96fe81d3cba0e48e4e7f4f30e71d04f32*",".{0,1000}743e73b664ae59c68042364849629ca96fe81d3cba0e48e4e7f4f30e71d04f32.{0,1000}","greyware_tool_keyword","pingcastle","Active Directory weakness and vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29031" "*7445aec09c2d4cd750b8ae74e8fdabbb43a93005570682be5ab889aa0937771d*",".{0,1000}7445aec09c2d4cd750b8ae74e8fdabbb43a93005570682be5ab889aa0937771d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29034" "*744a0029e2e666d09e3fad6304782ceb12997dbaf2b9288caaf8485c80ddf949*",".{0,1000}744a0029e2e666d09e3fad6304782ceb12997dbaf2b9288caaf8485c80ddf949.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29035" "*7455b514720dacb5dadbf5c3cc1a69614ded8375ebe23daf0778441af6da907d*",".{0,1000}7455b514720dacb5dadbf5c3cc1a69614ded8375ebe23daf0778441af6da907d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29039" "*7459f321ec957d160f95ccf5fccc46be6f2c26bd78f0bcdf03d53ae131d051f5*",".{0,1000}7459f321ec957d160f95ccf5fccc46be6f2c26bd78f0bcdf03d53ae131d051f5.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29040" "*748696842cc0d2277c0ffed2dec5a42aa3822558465770a638e730e9a1956c7e*",".{0,1000}748696842cc0d2277c0ffed2dec5a42aa3822558465770a638e730e9a1956c7e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 
- T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29049" "*748db6b8df67896f3adf369e785365c439ec5500daaf480e932adbbfd28ac0da*",".{0,1000}748db6b8df67896f3adf369e785365c439ec5500daaf480e932adbbfd28ac0da.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29050" "*7492c254c277a271e909f2799447aeab7d753a79d0d231b2246cc2c4a2f92738*",".{0,1000}7492c254c277a271e909f2799447aeab7d753a79d0d231b2246cc2c4a2f92738.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29051" "*74a4277e37419fd55a972cbaf18d6cb1334c544346c698f3eb59c23cd2e3e82a*",".{0,1000}74a4277e37419fd55a972cbaf18d6cb1334c544346c698f3eb59c23cd2e3e82a.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29054" 
"*74a47f3037ee817f08ebec905b4dfe43c9fb88c15f82535296e00252d52e8103*",".{0,1000}74a47f3037ee817f08ebec905b4dfe43c9fb88c15f82535296e00252d52e8103.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29055" "*74b61c34014cb422b0eee3c53b32cde42a911c53bdfe80e074546fb26376628b*",".{0,1000}74b61c34014cb422b0eee3c53b32cde42a911c53bdfe80e074546fb26376628b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29060" "*74c5657c473f13396e3200188c9958acd722072e26af9f6df55e623fb1bb15f8*",".{0,1000}74c5657c473f13396e3200188c9958acd722072e26af9f6df55e623fb1bb15f8.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","29065" "*74ce40c0871314e1308984b12d93161faf806f6d508dd256678f09af1abc1052*",".{0,1000}74ce40c0871314e1308984b12d93161faf806f6d508dd256678f09af1abc1052.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy 
server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","29068" "*74cefaab7643651255c870159cec7f7231f66cfe509e9598fb3f1078549d6c49*",".{0,1000}74cefaab7643651255c870159cec7f7231f66cfe509e9598fb3f1078549d6c49.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29069" "*74d130cad8acef03e4faa3b5befcb1351db038fa47421d6a5d3010f583ab0e47*",".{0,1000}74d130cad8acef03e4faa3b5befcb1351db038fa47421d6a5d3010f583ab0e47.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29070" "*74df509decd6953a77543ae8febcdc05379bb2bd0614ad2fe53a4a6cfac86caf*",".{0,1000}74df509decd6953a77543ae8febcdc05379bb2bd0614ad2fe53a4a6cfac86caf.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29073" "*74e054fd266e44bb50951cfc626f3bc0ad9f820ab8bd444bcd81308aed7c1521*",".{0,1000}74e054fd266e44bb50951cfc626f3bc0ad9f820ab8bd444bcd81308aed7c1521.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29074" "*74fbccc09445b0aba5eeccf05da49fbfca37508e6ff7e271dff3f5e6d78341a6*",".{0,1000}74fbccc09445b0aba5eeccf05da49fbfca37508e6ff7e271dff3f5e6d78341a6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29080" "*751670c4b55addd996a3e58b5be6203aa481b4f090514f32d4eb11906830f098*",".{0,1000}751670c4b55addd996a3e58b5be6203aa481b4f090514f32d4eb11906830f098.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29090" "*7521ae02982e13b74da0f4b9781b66394ffe8755b5d8c2dc3c67eedbb8591729*",".{0,1000}7521ae02982e13b74da0f4b9781b66394ffe8755b5d8c2dc3c67eedbb8591729.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29092" "*7535ea41cfd717ec0beb5dbc2671b7c66e1fb34ef904313899946f297d943e6b*",".{0,1000}7535ea41cfd717ec0beb5dbc2671b7c66e1fb34ef904313899946f297d943e6b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29096" "*7537476764f218919dd4eef5affee61286e88eaab8b0c3fd5a95b3285e9e90c0*",".{0,1000}7537476764f218919dd4eef5affee61286e88eaab8b0c3fd5a95b3285e9e90c0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29097" "*754754c196b3601f2c29758c94000f208a880d45f9b1cc3164123962c97f4ad7*",".{0,1000}754754c196b3601f2c29758c94000f208a880d45f9b1cc3164123962c97f4ad7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29100" "*754d66a918d3550c83e670a458f66954eec0521d6e76a20dd0a865992ad1b55e*",".{0,1000}754d66a918d3550c83e670a458f66954eec0521d6e76a20dd0a865992ad1b55e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29101" "*7585ced4ace610e2b5ca199838a277d6eed393bf4ad7bbf687ded696e67399f8*",".{0,1000}7585ced4ace610e2b5ca199838a277d6eed393bf4ad7bbf687ded696e67399f8.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29112" "*7585ced4ace610e2b5ca199838a277d6eed393bf4ad7bbf687ded696e67399f8*",".{0,1000}7585ced4ace610e2b5ca199838a277d6eed393bf4ad7bbf687ded696e67399f8.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - 
DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29113" "*759769fb5f4ddb821039eb7aa68632b0f24625e93fd1298ac30474b6343467db*",".{0,1000}759769fb5f4ddb821039eb7aa68632b0f24625e93fd1298ac30474b6343467db.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29121" "*75a0df17aa8f770e15a71aae53fa30d3b2d822756c915228c499e33c8006a960*",".{0,1000}75a0df17aa8f770e15a71aae53fa30d3b2d822756c915228c499e33c8006a960.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29124" "*75a4733b689d72c6fe7133c5547952f2264ff63af1fdf8794c8a63fb98d9eed1*",".{0,1000}75a4733b689d72c6fe7133c5547952f2264ff63af1fdf8794c8a63fb98d9eed1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29125" "*75aa0f10da5eebe668564c35d467330b2432bceadfc74a7177def720b66fce6e*",".{0,1000}75aa0f10da5eebe668564c35d467330b2432bceadfc74a7177def720b66fce6e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29126" "*75accdaedad3b82edc185dc8824a19a59c30dc6392de7074b6cd98d1dc2c9040*",".{0,1000}75accdaedad3b82edc185dc8824a19a59c30dc6392de7074b6cd98d1dc2c9040.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29127" "*75c997df094171b145b07be980e5812a4c853d8c5e0a6d465a3d5b924af7c23e*",".{0,1000}75c997df094171b145b07be980e5812a4c853d8c5e0a6d465a3d5b924af7c23e.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29131" "*75cb7ebd2e1f98eb7e97929ed659acbbd93b230bae532421a9b5f17ad13cdf86*",".{0,1000}75cb7ebd2e1f98eb7e97929ed659acbbd93b230bae532421a9b5f17ad13cdf86.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29132" "*75d3a8726d4989bd93120a0d2072ad533bfa44bd57aa156d524844cb04d6408e*",".{0,1000}75d3a8726d4989bd93120a0d2072ad533bfa44bd57aa156d524844cb04d6408e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29134" "*75dce532b65a7c7644a626196a8af9d8370e163e802847505fb033a6290fb4a5*",".{0,1000}75dce532b65a7c7644a626196a8af9d8370e163e802847505fb033a6290fb4a5.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","29137" "*75e170822ea113698c86a194968b088f62e391d9f1151f3b3184decdd8d30d35*",".{0,1000}75e170822ea113698c86a194968b088f62e391d9f1151f3b3184decdd8d30d35.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29139" "*75e67a2bd8883d61ee6d62b37ffea24c92ee446d6443a67b17bbfbf449d17e1b*",".{0,1000}75e67a2bd8883d61ee6d62b37ffea24c92ee446d6443a67b17bbfbf449d17e1b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29143" "*75ea00374c071424bf1fda860ad857049f82c82298e5a10d8a79412d4124a87c*",".{0,1000}75ea00374c071424bf1fda860ad857049f82c82298e5a10d8a79412d4124a87c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29145" "*7615aa42e43a01180dc29308b8ab3ba64d36c91e4d7fa661e3621e374de38e6a*",".{0,1000}7615aa42e43a01180dc29308b8ab3ba64d36c91e4d7fa661e3621e374de38e6a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29154" "*762089017bf87803b74509640cd7affd14e56e96747cbccfa324c4f766379470*",".{0,1000}762089017bf87803b74509640cd7affd14e56e96747cbccfa324c4f766379470.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29156" "*762433cd21a41e39e1cb40721fdfa40b560d91ba587498d1d5e71a0c73b2e752*",".{0,1000}762433cd21a41e39e1cb40721fdfa40b560d91ba587498d1d5e71a0c73b2e752.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and 
securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29158" "*763ca50b38753d213fa1c4b3d447ad0b7f595e9251f5471be04c6dae3a034308*",".{0,1000}763ca50b38753d213fa1c4b3d447ad0b7f595e9251f5471be04c6dae3a034308.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","29163" "*763e2f8597ef969c08a17932f0d4e10424b478314ceddbf72ba13a5d41aa8df0*",".{0,1000}763e2f8597ef969c08a17932f0d4e10424b478314ceddbf72ba13a5d41aa8df0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29164" "*765718d9c62be08268c07697433430055a1c212d33d09049e6c4f3207d140b23*",".{0,1000}765718d9c62be08268c07697433430055a1c212d33d09049e6c4f3207d140b23.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","29169" "*766aefca85a31be65bb759d69203c9ade3288316fba346a11119e80763edf705*",".{0,1000}766aefca85a31be65bb759d69203c9ade3288316fba346a11119e80763edf705.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage 
services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29176" "*7685c6ba0fa78d518c50316bb33123f40b4b814bf4b1fb2ff0a3f43d9f2cbd31*",".{0,1000}7685c6ba0fa78d518c50316bb33123f40b4b814bf4b1fb2ff0a3f43d9f2cbd31.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29180" "*768789bf3298d6ebcd03995ad1a0af4de83af5d894030c67e70edc229f61bd75*",".{0,1000}768789bf3298d6ebcd03995ad1a0af4de83af5d894030c67e70edc229f61bd75.{0,1000}","greyware_tool_keyword","rathole","Expose the service on the device behind the NAT to the Internet via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29181" 
"*769239f45299ec58cc7328bb467a8bd72ba5e3f37b73ebbaae6915c3460668c4*",".{0,1000}769239f45299ec58cc7328bb467a8bd72ba5e3f37b73ebbaae6915c3460668c4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29182" "*76a2c3a4f3a39d91c6b42e2990efc64d878a6b5733ff1b14782e4fcdd50fca70*",".{0,1000}76a2c3a4f3a39d91c6b42e2990efc64d878a6b5733ff1b14782e4fcdd50fca70.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29184" "*76a3e6ff182dcab32b35fe89a3ed0c42b48aaee9dbbb78f13765c3f5d207b8b6*",".{0,1000}76a3e6ff182dcab32b35fe89a3ed0c42b48aaee9dbbb78f13765c3f5d207b8b6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29186" "*76c7a4f5e35f32b726c48fdd32e292f63c7b374ba019a28dc44b04140f03e6de*",".{0,1000}76c7a4f5e35f32b726c48fdd32e292f63c7b374ba019a28dc44b04140f03e6de.{0,1000}","greyware_tool_keyword","frp","A fast 
reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29194" "*76ccaaf7c67797cd5a61ce1855f5d8119c00970383b5a0e138b919434c63a0ce*",".{0,1000}76ccaaf7c67797cd5a61ce1855f5d8119c00970383b5a0e138b919434c63a0ce.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29195" "*76d2a7bc7ceb5f542ed5be5208f68253261a36d1f4206fc4689296d9033a59a2*",".{0,1000}76d2a7bc7ceb5f542ed5be5208f68253261a36d1f4206fc4689296d9033a59a2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29196" "*76da4679b37e969c96e2a243e8b4e94a622be8cf28261e722b7f7a70874a3691*",".{0,1000}76da4679b37e969c96e2a243e8b4e94a622be8cf28261e722b7f7a70874a3691.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29201" "*76e5d42d4d2971de51de652417cfe38461ef9e18672e1070a1138910c8448a2f*",".{0,1000}76e5d42d4d2971de51de652417cfe38461ef9e18672e1070a1138910c8448a2f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local 
server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29204" "*76EFDEE3-81CF-4ADA-94DC-EA5509FF6FFC*",".{0,1000}76EFDEE3\-81CF\-4ADA\-94DC\-EA5509FF6FFC.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#GUIDproject","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","29206" "*7704cd231ce7852898420cffe834f8efd031876df46420b6ded0d060c878e4ad*",".{0,1000}7704cd231ce7852898420cffe834f8efd031876df46420b6ded0d060c878e4ad.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29210" "*770ca5efa95e4c0a44f8f1653c41d79c9fe55d0e9a228eb2d374bdd8a11a63f7*",".{0,1000}770ca5efa95e4c0a44f8f1653c41d79c9fe55d0e9a228eb2d374bdd8a11a63f7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29212" "*772500800e1771de69a364caf268b648333c69c97b5727f132605ec01c51d2d0*",".{0,1000}772500800e1771de69a364caf268b648333c69c97b5727f132605ec01c51d2d0.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29217" "*772acdb9d5502a67fabe618d3ebf734879f4f5aaf3249aaea40c2d6d0c81d117*",".{0,1000}772acdb9d5502a67fabe618d3ebf734879f4f5aaf3249aaea40c2d6d0c81d117.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29220" "*772bec520912784af836fb89dee9a61763aa3c1c6340753fe1dbbc9a2cfb9ea7*",".{0,1000}772bec520912784af836fb89dee9a61763aa3c1c6340753fe1dbbc9a2cfb9ea7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29221" "*772d623dd57c74226010fd7b330a5e6cf7a6b59ae37fc4dc9a6b47fe46756d99*",".{0,1000}772d623dd57c74226010fd7b330a5e6cf7a6b59ae37fc4dc9a6b47fe46756d99.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - 
TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29222" "*77310426d3e2e159f1ef2c8d498f17dc47cbeae310451377a2857f3ce9cd73c0*",".{0,1000}77310426d3e2e159f1ef2c8d498f17dc47cbeae310451377a2857f3ce9cd73c0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29223" "*7737f7230b1f09b12b877710b8add003b01c59d51ac734bedeb283ef686010e9*",".{0,1000}7737f7230b1f09b12b877710b8add003b01c59d51ac734bedeb283ef686010e9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29225" "*773eee8cca2ea03e21802e85783f50e5a5489ba4f56e4b27ca1c667473216f74*",".{0,1000}773eee8cca2ea03e21802e85783f50e5a5489ba4f56e4b27ca1c667473216f74.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29227" 
"*774279ce55ca7b8136f36328ce57a884af2880a8f2097160fd44b646aa8e1429*",".{0,1000}774279ce55ca7b8136f36328ce57a884af2880a8f2097160fd44b646aa8e1429.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29228" "*77432fd21f975da9215b15efc8e0080345732102f7d57a5d9d57f61faa4dfa20*",".{0,1000}77432fd21f975da9215b15efc8e0080345732102f7d57a5d9d57f61faa4dfa20.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","29229" "*7749b3c203617b95dce12ca8a044e5206e585a2f010c011ee87d7251fb1d0a4b*",".{0,1000}7749b3c203617b95dce12ca8a044e5206e585a2f010c011ee87d7251fb1d0a4b.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29230" "*7749bb3fa881d702bdcaf541f87308c438663ef32fc67c07d0c10c286f7da12f*",".{0,1000}7749bb3fa881d702bdcaf541f87308c438663ef32fc67c07d0c10c286f7da12f.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","29231" 
"*774dbc75e046096a7a18dbcef9353543db74312e9656ff4017d7f41c778be2fb*",".{0,1000}774dbc75e046096a7a18dbcef9353543db74312e9656ff4017d7f41c778be2fb.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","29233" "*776a5e227d275f6a777ea5c7886e69efe5b9ee9da3fd79700965f4809cde5d27*",".{0,1000}776a5e227d275f6a777ea5c7886e69efe5b9ee9da3fd79700965f4809cde5d27.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29243" "*776a81b705827758d8810b9985a23ac59dc4cfd7ac616f0f08373d188d8291e6*",".{0,1000}776a81b705827758d8810b9985a23ac59dc4cfd7ac616f0f08373d188d8291e6.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. 
Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","29244" "*776b64a95ccc334446805d680288c7ac35f1e938ee43115c1911f1c2fed27312*",".{0,1000}776b64a95ccc334446805d680288c7ac35f1e938ee43115c1911f1c2fed27312.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","29245" "*7777762e76bc6c0025effecba1efd3028fe15453c4375a9fb63040831c8bcf33*",".{0,1000}7777762e76bc6c0025effecba1efd3028fe15453c4375a9fb63040831c8bcf33.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29247" "*7777E837-E7A3-481B-8BD2-4C76F639ECFC*",".{0,1000}7777E837\-E7A3\-481B\-8BD2\-4C76F639ECFC.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#GUIDproject","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","29248" "*7788d7ab1b6b9e57d30766caaacac880553dc869c3c346c194e5bc83d368a1ba*",".{0,1000}7788d7ab1b6b9e57d30766caaacac880553dc869c3c346c194e5bc83d368a1ba.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29256" "*778dc2b522e8c8a828ac6de8c286f136bfff01ab570d90edc107ca21d68bfde2*",".{0,1000}778dc2b522e8c8a828ac6de8c286f136bfff01ab570d90edc107ca21d68bfde2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29258" "*77bbb9dfeb00b721fdd4e6bf429487460843ca308673fb344c8ccbdb2e7ee7b6*",".{0,1000}77bbb9dfeb00b721fdd4e6bf429487460843ca308673fb344c8ccbdb2e7ee7b6.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29269" "*77bf63fc831cc573dafa8ff6e2a6481af07df0107ff058eb7fc012b7c5c945e2*",".{0,1000}77bf63fc831cc573dafa8ff6e2a6481af07df0107ff058eb7fc012b7c5c945e2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29270" "*77e4c1e41124ad2e11ea1c7d5f960bbcc54d87c83396b4680700227c6ab18566*",".{0,1000}77e4c1e41124ad2e11ea1c7d5f960bbcc54d87c83396b4680700227c6ab18566.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29281" "*780ac5c4465f722d74b03675558a153fcb5540a49a505b0e1a7ecf1ee136c1cb*",".{0,1000}780ac5c4465f722d74b03675558a153fcb5540a49a505b0e1a7ecf1ee136c1cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29290" "*78312276c42ff12162e5afaf6de8586d432022c8bc7551366471b8812703be7e*",".{0,1000}78312276c42ff12162e5afaf6de8586d432022c8bc7551366471b8812703be7e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29302" "*7836f34128ee338249e00a47199408d57a052bd5f3e542ee9f09b6e42ad0895f*",".{0,1000}7836f34128ee338249e00a47199408d57a052bd5f3e542ee9f09b6e42ad0895f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29304" "*783cde05218d88146f9401491cc0431917cb479009f75c3af1e14c4e42bf6a84*",".{0,1000}783cde05218d88146f9401491cc0431917cb479009f75c3af1e14c4e42bf6a84.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29306" "*784e6ae14f95b6980d03543b36191595f5f4087f00bb7dd75086ac86c8148923*",".{0,1000}784e6ae14f95b6980d03543b36191595f5f4087f00bb7dd75086ac86c8148923.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29310" "*786985d9671f485f045b1039b98d312e5d97c85b38b116f5087e5c95d831e455*",".{0,1000}786985d9671f485f045b1039b98d312e5d97c85b38b116f5087e5c95d831e455.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29319" "*786b267fff4f1a5d826418d127432d495d21e25eb3261c0e6c9f2db18abc5962*",".{0,1000}786b267fff4f1a5d826418d127432d495d21e25eb3261c0e6c9f2db18abc5962.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29320" "*789b38bc3c55852ece5657fe808a7aec867a151f8a3f7fe648adcd15172e6278*",".{0,1000}789b38bc3c55852ece5657fe808a7aec867a151f8a3f7fe648adcd15172e6278.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29328" "*78a34aed87a873fb155ca34ec30ec520bf64f34fbe4452be2ba3a8a928a28e30*",".{0,1000}78a34aed87a873fb155ca34ec30ec520bf64f34fbe4452be2ba3a8a928a28e30.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29332" "*78abad9b589f303f6d9c129ed5ebfe240fbdbdaa5bb0ffec43dacb2991bd526a*",".{0,1000}78abad9b589f303f6d9c129ed5ebfe240fbdbdaa5bb0ffec43dacb2991bd526a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29336" "*78cdd8994908ebe7923188395734bb3cdc9101477e4163c67e7cc3b8fd3b4bd6*",".{0,1000}78cdd8994908ebe7923188395734bb3cdc9101477e4163c67e7cc3b8fd3b4bd6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29347" "*78db6e175aac64df82c8c51798da5dcedeb82559fa7cdcc489a718f87c385203*",".{0,1000}78db6e175aac64df82c8c51798da5dcedeb82559fa7cdcc489a718f87c385203.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","29349" "*78ddbc63bc64a5f1dd67be4a5ef8ee94ec59c9492fabe3a2b96eb115f755be90*",".{0,1000}78ddbc63bc64a5f1dd67be4a5ef8ee94ec59c9492fabe3a2b96eb115f755be90.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29351" "*78EB3006-81B0-4C13-9B80-E91766874A57*",".{0,1000}78EB3006\-81B0\-4C13\-9B80\-E91766874A57.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","29355" "*78fb147d286d223da111ca67f5e0e2532026e3b24a5c513a109c026ff6f025bd*",".{0,1000}78fb147d286d223da111ca67f5e0e2532026e3b24a5c513a109c026ff6f025bd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29360" "*7903eb393533b1ce51e527cae1ba3c4da6752f87d2717c3984b39228ce65a028*",".{0,1000}7903eb393533b1ce51e527cae1ba3c4da6752f87d2717c3984b39228ce65a028.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29363" "*790bfe46db189eba7c8d9464da34ec62511b9b2f3ef0889162a5682910563875*",".{0,1000}790bfe46db189eba7c8d9464da34ec62511b9b2f3ef0889162a5682910563875.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29364" 
"*79214ac3ae4f23ca7fbe8325ef3d0148d06ea39ad95b08182e9e7b0264ad7bc1*",".{0,1000}79214ac3ae4f23ca7fbe8325ef3d0148d06ea39ad95b08182e9e7b0264ad7bc1.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","29365" "*7931404e96b6aff52bc81a852f1f545f0cd07712d648099ec0618f4e66a1807f*",".{0,1000}7931404e96b6aff52bc81a852f1f545f0cd07712d648099ec0618f4e66a1807f.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","29368" "*7939cd653bcd9023465f1e4110a7204722d42c08252eb019dfeb717ba180ccde*",".{0,1000}7939cd653bcd9023465f1e4110a7204722d42c08252eb019dfeb717ba180ccde.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29370" "*793e227ee3a811a143e303909645a874c8db144cf6b48f480411efb2fdd44904*",".{0,1000}793e227ee3a811a143e303909645a874c8db144cf6b48f480411efb2fdd44904.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","29372" "*79463fd2757c244075372066f2c6734c7bad99014ce4d133a73ecab3d4763c66*",".{0,1000}79463fd2757c244075372066f2c6734c7bad99014ce4d133a73ecab3d4763c66.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","29375" "*7946d13b2498410bf9fb0cc32fee7ea44bde8be438eb1b1bc67c440a3671589d*",".{0,1000}7946d13b2498410bf9fb0cc32fee7ea44bde8be438eb1b1bc67c440a3671589d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29376" "*79571f764640046994297e5c3123fc3c5243d5df378a16abbce7abc30ebec829*",".{0,1000}79571f764640046994297e5c3123fc3c5243d5df378a16abbce7abc30ebec829.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29380" "*7957e636a8a5a50b4c91c2927483a1c6034a74c722c3a79ea4c8387f01e9810c*",".{0,1000}7957e636a8a5a50b4c91c2927483a1c6034a74c722c3a79ea4c8387f01e9810c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage 
services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29381" "*795defca4853f7cded6625d792eae33b45987856b961a82c8b6cc44a8d0b3bc7*",".{0,1000}795defca4853f7cded6625d792eae33b45987856b961a82c8b6cc44a8d0b3bc7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29385" "*796c2baabb9126ec5f2a3006803bd5e3aae3084f1d5578de312d0f7035094a2b*",".{0,1000}796c2baabb9126ec5f2a3006803bd5e3aae3084f1d5578de312d0f7035094a2b.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29388" "*796c8853196cd8a5b4aaed85718ff95c86006200fa5f579a9523f66421873004*",".{0,1000}796c8853196cd8a5b4aaed85718ff95c86006200fa5f579a9523f66421873004.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29389" "*796d3702d3376d0116192eef85fbb05e2f10531c57958489bbadb92372c120e6*",".{0,1000}796d3702d3376d0116192eef85fbb05e2f10531c57958489bbadb92372c120e6.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29390" "*7983d5af3fb00770345c09aca16a8d8ff122dbe81b58a0de69b571b55f4dae1e*",".{0,1000}7983d5af3fb00770345c09aca16a8d8ff122dbe81b58a0de69b571b55f4dae1e.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29397" "*79ade448ca0b6f8b378fa067b60e199a4b5bcbe779397beb1e046f239f60f7e6*",".{0,1000}79ade448ca0b6f8b378fa067b60e199a4b5bcbe779397beb1e046f239f60f7e6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29405" "*79ae34d44a22c9c5e7f1eb1d60fc19e8ab43120cdf0852d8e17ea62ee39669ac*",".{0,1000}79ae34d44a22c9c5e7f1eb1d60fc19e8ab43120cdf0852d8e17ea62ee39669ac.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","29406" 
"*79ae4620212f13c7881985eb57c819c01e8faa66b14ec44827a641848d93b76b*",".{0,1000}79ae4620212f13c7881985eb57c819c01e8faa66b14ec44827a641848d93b76b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29407" "*79b8a3146278cd69bda4a8e0cf8f9c95e27d38693403ca41b84df8487a4ef837*",".{0,1000}79b8a3146278cd69bda4a8e0cf8f9c95e27d38693403ca41b84df8487a4ef837.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29408" "*79c98d35d02ac92c72aadf48a1ca55e2b7afe5a41ad70e5cf0467c50a84dce22*",".{0,1000}79c98d35d02ac92c72aadf48a1ca55e2b7afe5a41ad70e5cf0467c50a84dce22.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29412" "*79d6da35083dc0008ed1da0396c561994822b84bc679d7d6193cd70b1ddce0ef*",".{0,1000}79d6da35083dc0008ed1da0396c561994822b84bc679d7d6193cd70b1ddce0ef.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","29417" "*79f3f7872f14c334104740fc6199ab8eba2a91ddf6f5d2dcbaf6b58ab95362d5*",".{0,1000}79f3f7872f14c334104740fc6199ab8eba2a91ddf6f5d2dcbaf6b58ab95362d5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29425" "*79f5c26bdac4bbebe20fad039b028776f064003690b4141e9db5fd01c3262901*",".{0,1000}79f5c26bdac4bbebe20fad039b028776f064003690b4141e9db5fd01c3262901.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29429" "*7a029f256fc6849538e6b849389d12c23490e0dd3b465043e65d4bb1767c0b77*",".{0,1000}7a029f256fc6849538e6b849389d12c23490e0dd3b465043e65d4bb1767c0b77.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - 
Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29431" "*7a0dfa37846ead5afe73e4a8525eb1738d3b52c608291ba37088b0c037abde58*",".{0,1000}7a0dfa37846ead5afe73e4a8525eb1738d3b52c608291ba37088b0c037abde58.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","29437" "*7a0e3f15d12453d6661ff40e068bfee6df470b531e2a5c434a7f62752fc5ca8b*",".{0,1000}7a0e3f15d12453d6661ff40e068bfee6df470b531e2a5c434a7f62752fc5ca8b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29438" "*7a2aeb7256c40efa434c6fc95f920ee9b4555e526f2f7cd325b6dc482faa7c20*",".{0,1000}7a2aeb7256c40efa434c6fc95f920ee9b4555e526f2f7cd325b6dc482faa7c20.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","29443" 
"*7a3c9d753d8905987a2cccdca22a3dc2e1002ea396574c44cd38688bd184c9e8*",".{0,1000}7a3c9d753d8905987a2cccdca22a3dc2e1002ea396574c44cd38688bd184c9e8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29451" "*7a4ccd5e3e612d5967167ed948cc0cb2347765783e3658cb747fdcbb559b7955*",".{0,1000}7a4ccd5e3e612d5967167ed948cc0cb2347765783e3658cb747fdcbb559b7955.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29453" "*7a52b4827a4dac14ccd0c8a05a46c7debafca33672285e7630ee8f8e54387738*",".{0,1000}7a52b4827a4dac14ccd0c8a05a46c7debafca33672285e7630ee8f8e54387738.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","29459" "*7a542d030cdfdda09c4ff01b6610f0c7c90e1ba27432952e81fb817335b8861e*",".{0,1000}7a542d030cdfdda09c4ff01b6610f0c7c90e1ba27432952e81fb817335b8861e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - 
BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29460" "*7a64765efe8fe0d9f6a346e5f38aae30a3534f931e539890114aea698d8960cb*",".{0,1000}7a64765efe8fe0d9f6a346e5f38aae30a3534f931e539890114aea698d8960cb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29462" "*7a70080db23b2f02e3304cf2e5d41e75286e28d33b79d0cf514f0161dbe378ea*",".{0,1000}7a70080db23b2f02e3304cf2e5d41e75286e28d33b79d0cf514f0161dbe378ea.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","29468" "*7a73e3609296d6b933064c219abd26a30b04c5d17e4602ba491a8325eb107676*",".{0,1000}7a73e3609296d6b933064c219abd26a30b04c5d17e4602ba491a8325eb107676.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29470" "*7a7418913aa6c3e5f5def9d79bc027376cbfccaa6bb334f0852bb1beaecbd358*",".{0,1000}7a7418913aa6c3e5f5def9d79bc027376cbfccaa6bb334f0852bb1beaecbd358.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29471" "*7a742a163154666a06b24105445d36476196accfae8c96909696445b0e988f2f*",".{0,1000}7a742a163154666a06b24105445d36476196accfae8c96909696445b0e988f2f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29472" "*7a755ed0f04fbb2ca6f802761b50036315ca25802a44a528287911dfaea2ed2a*",".{0,1000}7a755ed0f04fbb2ca6f802761b50036315ca25802a44a528287911dfaea2ed2a.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","29473" 
"*7a75ffa6b95556dfc5841eed63d45ad41eb495c0da386aa4f61ddf209a529075*",".{0,1000}7a75ffa6b95556dfc5841eed63d45ad41eb495c0da386aa4f61ddf209a529075.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","29474" "*7a778797dd640eb51defe912e8b6872df92241927193106590a2ccb92a5dc926*",".{0,1000}7a778797dd640eb51defe912e8b6872df92241927193106590a2ccb92a5dc926.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","29475" "*7a7a44335289a4612f0dd903745b49853c0f8f53dcca01306d5d45ca1611a2df*",".{0,1000}7a7a44335289a4612f0dd903745b49853c0f8f53dcca01306d5d45ca1611a2df.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29476" "*7a9f4a3bfc2a24075f9331f9ac21655b270ca43bb1845bc8f81e56943374a775*",".{0,1000}7a9f4a3bfc2a24075f9331f9ac21655b270ca43bb1845bc8f81e56943374a775.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","29486" 
"*7a9fd341e0deb467ba0ab4913852adc965a0df2ba38e18ec80ab7ef61a9e99e8*",".{0,1000}7a9fd341e0deb467ba0ab4913852adc965a0df2ba38e18ec80ab7ef61a9e99e8.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29487" "*7acd1614389d34c4f15474a4c529aa8eee8d9245fb31c9db166cf9acb8720c76*",".{0,1000}7acd1614389d34c4f15474a4c529aa8eee8d9245fb31c9db166cf9acb8720c76.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29500" "*7ad778d21c0e146bb55d34da5e83d42e973b55df1df8065976618166e83c481d*",".{0,1000}7ad778d21c0e146bb55d34da5e83d42e973b55df1df8065976618166e83c481d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest 
- EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29502" "*7ae80842420ed2c83f1792e045fe3871b508af0b42aeab1008848338bea3cc1a*",".{0,1000}7ae80842420ed2c83f1792e045fe3871b508af0b42aeab1008848338bea3cc1a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29504" "*7b0e1417692e9ea1fe147c7e1f63461219c66a571affd8b807d655bf145090f1*",".{0,1000}7b0e1417692e9ea1fe147c7e1f63461219c66a571affd8b807d655bf145090f1.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","29516" "*7b23bad83e3921e1d9e528b69b7d643b646231e5b736f8588698326c527e31a7*",".{0,1000}7b23bad83e3921e1d9e528b69b7d643b646231e5b736f8588698326c527e31a7.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29522" "*7b2aeb01bd57aa53f1d615294fa425aaa3d82f43474ed529d9a33efb873a183e*",".{0,1000}7b2aeb01bd57aa53f1d615294fa425aaa3d82f43474ed529d9a33efb873a183e.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29523" "*7b3ed9e4b5430bbfbb619e7367e05319fc41102dba1dd2103a25f37d66dcd1b0*",".{0,1000}7b3ed9e4b5430bbfbb619e7367e05319fc41102dba1dd2103a25f37d66dcd1b0.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29527" "*7b430460f7b6eee413a53e58f7ca7ff5c5f66c9e31fce4b2f02c9fe76f251301*",".{0,1000}7b430460f7b6eee413a53e58f7ca7ff5c5f66c9e31fce4b2f02c9fe76f251301.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29529" "*7b4c65fae9cf9cb7ce70928fe6580fa9d077c425e1831958098ebc4537ae16c2*",".{0,1000}7b4c65fae9cf9cb7ce70928fe6580fa9d077c425e1831958098ebc4537ae16c2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29532" "*7b5719a90750b365cd44f2798f2ccfa7e8ee513214cd9a8b9fee13569ed91683*",".{0,1000}7b5719a90750b365cd44f2798f2ccfa7e8ee513214cd9a8b9fee13569ed91683.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29535" "*7b5de4f0a090f29dd3d63a3d773b792cb059e2b39497ff4d633fcabb2afbc297*",".{0,1000}7b5de4f0a090f29dd3d63a3d773b792cb059e2b39497ff4d633fcabb2afbc297.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29538" "*7b603195b50a4b3822f847c97040e2397b0d34eee9fafd60ef6c0fac0c977a29*",".{0,1000}7b603195b50a4b3822f847c97040e2397b0d34eee9fafd60ef6c0fac0c977a29.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29539" "*7b6c9cf91ad9d00385d47139ffc69c0c9d72270886dbdb4f71f599efaec2cb64*",".{0,1000}7b6c9cf91ad9d00385d47139ffc69c0c9d72270886dbdb4f71f599efaec2cb64.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29541" "*7b71b013061e80d7fa52560b061e142f9d7abf38d847da9d6871a90f8cbdc293*",".{0,1000}7b71b013061e80d7fa52560b061e142f9d7abf38d847da9d6871a90f8cbdc293.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","29543" "*7b76cf1713a14ce545ebad381570cce04a32d41d7535eacd11491a61d77c67a6*",".{0,1000}7b76cf1713a14ce545ebad381570cce04a32d41d7535eacd11491a61d77c67a6.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29544" "*7b89ba929cc86c0b945cef5168476ba82ac80d19c9c2111d816643eb453cb14d*",".{0,1000}7b89ba929cc86c0b945cef5168476ba82ac80d19c9c2111d816643eb453cb14d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29547" "*7ba37f26aaa4de6fa3f0b1d77eb2d6b0f14f7df9acc8bb7ff8837cddb8941fa7*",".{0,1000}7ba37f26aaa4de6fa3f0b1d77eb2d6b0f14f7df9acc8bb7ff8837cddb8941fa7.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29555" "*7bb651eec86e0126af3bd515235901a64b5490115defa10972e703c05bc65345*",".{0,1000}7bb651eec86e0126af3bd515235901a64b5490115defa10972e703c05bc65345.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29558" "*7bd94e75f734f3d4b45758e87eb67fde300992db436ba11841175a334cf47f11*",".{0,1000}7bd94e75f734f3d4b45758e87eb67fde300992db436ba11841175a334cf47f11.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29566" "*7be3968468ba873800b67376c017a529418f1aa250f65577776b9630641f2468*",".{0,1000}7be3968468ba873800b67376c017a529418f1aa250f65577776b9630641f2468.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","29568" "*7be4b33d5f554546778d2f4b35cab35ea4157cad14b68cbc730bf4279fe3d3fb*",".{0,1000}7be4b33d5f554546778d2f4b35cab35ea4157cad14b68cbc730bf4279fe3d3fb.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - 
TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29569" "*7bf403c3f26cd1d4728905738a501dc137973227c5b64eb9a54f324c96664107*",".{0,1000}7bf403c3f26cd1d4728905738a501dc137973227c5b64eb9a54f324c96664107.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29576" "*7c1416256f7f3637e0dfed99988d08282ae0866784f1eecd53a3639e1a942867*",".{0,1000}7c1416256f7f3637e0dfed99988d08282ae0866784f1eecd53a3639e1a942867.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29580" "*7c26189a98e1b82293fa72a8a88725ecce3d38622480e5809b8bec9fca407ab1*",".{0,1000}7c26189a98e1b82293fa72a8a88725ecce3d38622480e5809b8bec9fca407ab1.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29583" 
"*7c29aa8878b16f39b265ec02cdc47f6db82876ef3e198dfd02ed853a5991b38f*",".{0,1000}7c29aa8878b16f39b265ec02cdc47f6db82876ef3e198dfd02ed853a5991b38f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29584" "*7c3e4ff39cf34bd825ddbcbfeae12fc2bc58adcb0f745686392f11963f750604*",".{0,1000}7c3e4ff39cf34bd825ddbcbfeae12fc2bc58adcb0f745686392f11963f750604.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29590" "*7c437d4d02d7e2a936b4c1ff7bc8f5abbf16786746deffa92d5f5f2fd7ba04fb*",".{0,1000}7c437d4d02d7e2a936b4c1ff7bc8f5abbf16786746deffa92d5f5f2fd7ba04fb.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29592" 
"*7c4914fb0be3e091e4c693c4c6c31824b75b270a97ead524a4795b6d32b6b6ce*",".{0,1000}7c4914fb0be3e091e4c693c4c6c31824b75b270a97ead524a4795b6d32b6b6ce.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29597" "*7c55322bb55e4085ab950711f0c3406a25f95573f618ed347e8f542ecf93cb78*",".{0,1000}7c55322bb55e4085ab950711f0c3406a25f95573f618ed347e8f542ecf93cb78.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29598" "*7c57f9dec93639dcbb125d53e6dfb241b7704597cdda9123d7e94bdaf3a190e3*",".{0,1000}7c57f9dec93639dcbb125d53e6dfb241b7704597cdda9123d7e94bdaf3a190e3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29600" "*7c5982b75e7804e6750ddad6dfd74888cf154d1df3377a2aa350a5b7c27e0e1e*",".{0,1000}7c5982b75e7804e6750ddad6dfd74888cf154d1df3377a2aa350a5b7c27e0e1e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing 
files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29601" "*7c613e92042864f06470efed0d8b494a7d03aafc01f47691c3f5172942f06b92*",".{0,1000}7c613e92042864f06470efed0d8b494a7d03aafc01f47691c3f5172942f06b92.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29605" "*7c6208a3f7131802f24ad7bf7f02c760bba5c17443bdf328598d0758865f80df*",".{0,1000}7c6208a3f7131802f24ad7bf7f02c760bba5c17443bdf328598d0758865f80df.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29606" 
"*7c744c2ad991f9163fd5adac998e8c6ddccca1bf9c66ba844adae1b5d34f7e2f*",".{0,1000}7c744c2ad991f9163fd5adac998e8c6ddccca1bf9c66ba844adae1b5d34f7e2f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29609" "*7c772e7a840bfa0fa04609f6b8b2938acdb565493514d85146ccf589f04cf12a*",".{0,1000}7c772e7a840bfa0fa04609f6b8b2938acdb565493514d85146ccf589f04cf12a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29610" "*7c826148232f2a27362b5da0e089ce532476f5dbf66d57a95bc1af88aaf890ad*",".{0,1000}7c826148232f2a27362b5da0e089ce532476f5dbf66d57a95bc1af88aaf890ad.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29615" "*7c8a8e35b0104fe2fef94a7c7cff468bf7447b77b1018fc1d692da9d001fe3e4*",".{0,1000}7c8a8e35b0104fe2fef94a7c7cff468bf7447b77b1018fc1d692da9d001fe3e4.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to 
internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29616" "*7ca32274aad66276fcbc12b50158356781277aa4efc50eee49c10f2eac192cef*",".{0,1000}7ca32274aad66276fcbc12b50158356781277aa4efc50eee49c10f2eac192cef.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","29623" "*7ca4bec4cc5f4ba72c863976da33085689083a04b3ee1f7bd37e08a278ca474f*",".{0,1000}7ca4bec4cc5f4ba72c863976da33085689083a04b3ee1f7bd37e08a278ca474f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29624" "*7ca6a195613daefad79766c8e784e3e8adeba912f8467b934523041d63e634f5*",".{0,1000}7ca6a195613daefad79766c8e784e3e8adeba912f8467b934523041d63e634f5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29625" "*7ca86e21a7433649ab9a2adc49dcdd8a6a415969c16a4158bf32cb06dfa1f8a5*",".{0,1000}7ca86e21a7433649ab9a2adc49dcdd8a6a415969c16a4158bf32cb06dfa1f8a5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29626" "*7cb8360009c9ee1fab996e446a5d1f2d1540dadb9256c9787f3f30e33aa5e121*",".{0,1000}7cb8360009c9ee1fab996e446a5d1f2d1540dadb9256c9787f3f30e33aa5e121.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29631" "*7cbcaba89fb2dfe22cbeeaf2426379560f015d49f4dad0caf2cd732146d96b84*",".{0,1000}7cbcaba89fb2dfe22cbeeaf2426379560f015d49f4dad0caf2cd732146d96b84.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29632" "*7cde37e49b52a6ea480783c572a2fd04afcae330251ac65bbbc77b1c37faca6b*",".{0,1000}7cde37e49b52a6ea480783c572a2fd04afcae330251ac65bbbc77b1c37faca6b.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data 
Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","29642" "*7cdfe04313b09d98da9ab7526c10ebfad98eeefe1b3b6f7a8e35f689a03785df*",".{0,1000}7cdfe04313b09d98da9ab7526c10ebfad98eeefe1b3b6f7a8e35f689a03785df.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29643" "*7ceaba0911567fe17c4a06f63777411f452783aa8e9eabc3db3858e410e70580*",".{0,1000}7ceaba0911567fe17c4a06f63777411f452783aa8e9eabc3db3858e410e70580.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29649" "*7d0a1148c6f19ad8597975d65092e77a088de255c958e80403e33eb9826279ca*",".{0,1000}7d0a1148c6f19ad8597975d65092e77a088de255c958e80403e33eb9826279ca.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","29658" "*7d125c52c61c096690f092a393877648dda4f913011d486427b84c0f32e106de*",".{0,1000}7d125c52c61c096690f092a393877648dda4f913011d486427b84c0f32e106de.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29659" "*7d299b5695b0076b24e93928bad255f76c8352b5002fd459ef63c0199251abe9*",".{0,1000}7d299b5695b0076b24e93928bad255f76c8352b5002fd459ef63c0199251abe9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29662" "*7d367e348e24f197222c639324ce56bea8d2b2cd39c88f8df390e1b5af90942b*",".{0,1000}7d367e348e24f197222c639324ce56bea8d2b2cd39c88f8df390e1b5af90942b.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","29667" "*7d49e7215481d044c66c2af30c063b4253e2086be6b20f6c99142ad3b6fb4fbe*",".{0,1000}7d49e7215481d044c66c2af30c063b4253e2086be6b20f6c99142ad3b6fb4fbe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29671" "*7d5975b4ed5d6f2016b617c08b6e00cab52db4f90dc04cd5e724ce02fb334618*",".{0,1000}7d5975b4ed5d6f2016b617c08b6e00cab52db4f90dc04cd5e724ce02fb334618.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29675" "*7d602aa3b76b0aae9dd6771e6451d3aa23b89f46ff115b0096b9074d110e2877*",".{0,1000}7d602aa3b76b0aae9dd6771e6451d3aa23b89f46ff115b0096b9074d110e2877.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29676" "*7d6d7f8fd0a2ecdd1b81934fd7f0670c17d1f6aa2b67ba1b4cb2a214d1c7b480*",".{0,1000}7d6d7f8fd0a2ecdd1b81934fd7f0670c17d1f6aa2b67ba1b4cb2a214d1c7b480.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29685" "*7d739b6a0667be4e84dff7ad01ae6db2369aac0bb8685d1eafb74a239cf3dde4*",".{0,1000}7d739b6a0667be4e84dff7ad01ae6db2369aac0bb8685d1eafb74a239cf3dde4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29686" "*7d786b3cb5c38c73c63063e37b7a4ce06f9ea23690bba0a250d8b8b5f2d795cc*",".{0,1000}7d786b3cb5c38c73c63063e37b7a4ce06f9ea23690bba0a250d8b8b5f2d795cc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29687" "*7d9713740d78deeabff15b6080a387460a315a680777d4f1e04c498f1b708826*",".{0,1000}7d9713740d78deeabff15b6080a387460a315a680777d4f1e04c498f1b708826.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29690" "*7d97c9853b4bfb386f351545d1a4c0bafea316ccc6ca9c710a3db65ac622067a*",".{0,1000}7d97c9853b4bfb386f351545d1a4c0bafea316ccc6ca9c710a3db65ac622067a.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29691" "*7dba4f6e942502f0eca2ec37206671734eeb87c40a29f16b96ce14045da9e833*",".{0,1000}7dba4f6e942502f0eca2ec37206671734eeb87c40a29f16b96ce14045da9e833.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29700" "*7dc4508e0332301b78c5c252e53efa42e194ed6e0603fb13cc95bf38c4c75afb*",".{0,1000}7dc4508e0332301b78c5c252e53efa42e194ed6e0603fb13cc95bf38c4c75afb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29703" "*7dc50c28dc7c2fa9a6ea80df35c06bd649b17ae86d333e88b3bf242ac5690c98*",".{0,1000}7dc50c28dc7c2fa9a6ea80df35c06bd649b17ae86d333e88b3bf242ac5690c98.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","29704" "*7dd91ec59be3f16ccfe6f8b3a660867bcf87714e71cba4338a867a9ef3d2384e*",".{0,1000}7dd91ec59be3f16ccfe6f8b3a660867bcf87714e71cba4338a867a9ef3d2384e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29707" "*7ddee6c94a33b7dedd603f12f361d2689ca59b41d6b119a806491ac76497ba9a*",".{0,1000}7ddee6c94a33b7dedd603f12f361d2689ca59b41d6b119a806491ac76497ba9a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29708" 
"*7df4f0da54f3adc731f24f971d41040a2922a9822aa3b0a596b545502a638ef3*",".{0,1000}7df4f0da54f3adc731f24f971d41040a2922a9822aa3b0a596b545502a638ef3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29715" "*7df5411490635c5c29704e2fec13133a27a4acaa35255cd22da16dda1b9f5f24*",".{0,1000}7df5411490635c5c29704e2fec13133a27a4acaa35255cd22da16dda1b9f5f24.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29716" "*7e041cc324312bff2d86542c6818e96916caa1e8737ff83cbc39ff9d20fc69f9*",".{0,1000}7e041cc324312bff2d86542c6818e96916caa1e8737ff83cbc39ff9d20fc69f9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29719" "*7e09a8fc84665d590659493aa9a832945c6ff9b25bfa87f3bd2aa9636781e87a*",".{0,1000}7e09a8fc84665d590659493aa9a832945c6ff9b25bfa87f3bd2aa9636781e87a.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29720" 
"*7e09a8fc84665d590659493aa9a832945c6ff9b25bfa87f3bd2aa9636781e87a*",".{0,1000}7e09a8fc84665d590659493aa9a832945c6ff9b25bfa87f3bd2aa9636781e87a.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29721" "*7e1562d7995b291237984eafd847c018c8bf8ba1ac3869749a1622f119bbd8bc*",".{0,1000}7e1562d7995b291237984eafd847c018c8bf8ba1ac3869749a1622f119bbd8bc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29723" "*7e1d84475333b5945334a27420cf96b50100292923c7db5b94aaefd34cad99ee*",".{0,1000}7e1d84475333b5945334a27420cf96b50100292923c7db5b94aaefd34cad99ee.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29727" 
"*7e2641906f4beeaf11dff6c4aefc9be37bae9a314ce2357dd88b804387ecd096*",".{0,1000}7e2641906f4beeaf11dff6c4aefc9be37bae9a314ce2357dd88b804387ecd096.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","29729" "*7e2938acd4f92c036f1e72559acc262c60342f6e96380d2fa451b960f96be6dd*",".{0,1000}7e2938acd4f92c036f1e72559acc262c60342f6e96380d2fa451b960f96be6dd.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29730" "*7e3a066f157ccb8e9fc9319c94561dc9bef52e502d73d9b02c0343f413a8c543*",".{0,1000}7e3a066f157ccb8e9fc9319c94561dc9bef52e502d73d9b02c0343f413a8c543.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29734" "*7e3a5a3901bc2af3a00c4c3e2296f0064778b5be47ae0d0b2eee7afb72d8b3d8*",".{0,1000}7e3a5a3901bc2af3a00c4c3e2296f0064778b5be47ae0d0b2eee7afb72d8b3d8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29735" "*7e3d5037f8e2208067518a513ac921d2bc085beb97840f0939a6ef1d24443346*",".{0,1000}7e3d5037f8e2208067518a513ac921d2bc085beb97840f0939a6ef1d24443346.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29736" "*7e3dbba1c95060ddc7fe1bf52e869246a6923e9695aa8d724feb8c5c1a5f8e37*",".{0,1000}7e3dbba1c95060ddc7fe1bf52e869246a6923e9695aa8d724feb8c5c1a5f8e37.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29737" "*7e479c191b5a4dc29c0da009c7165ed6cba9171338a6360ce9e8e83167dcba99*",".{0,1000}7e479c191b5a4dc29c0da009c7165ed6cba9171338a6360ce9e8e83167dcba99.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29743" "*7e570c5aa02fb16d74433033fdcdd74f890d8eac26b9b94d24f600c9e48feacc*",".{0,1000}7e570c5aa02fb16d74433033fdcdd74f890d8eac26b9b94d24f600c9e48feacc.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","29749" "*7e58ac2436868f98276bb647edeb7cae2c5cb68a9d4d4aa152b0c80985a72a3a*",".{0,1000}7e58ac2436868f98276bb647edeb7cae2c5cb68a9d4d4aa152b0c80985a72a3a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29750" "*7e655682c4e17b7682ea225d79bfd321c07f28b649110a3d686bf6fbf23b0977*",".{0,1000}7e655682c4e17b7682ea225d79bfd321c07f28b649110a3d686bf6fbf23b0977.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29753" "*7e735d5682bcc025c49cd916f004ae6649d736bae2e486098cd34c29e50c21cf*",".{0,1000}7e735d5682bcc025c49cd916f004ae6649d736bae2e486098cd34c29e50c21cf.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29757" 
"*7e7f92d6ff919fe8cbe63f2daa348d122339d1a0aac0883afcf799facd214810*",".{0,1000}7e7f92d6ff919fe8cbe63f2daa348d122339d1a0aac0883afcf799facd214810.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29760" "*7e87ed799b7b8ca543691b5f261212cb3efebca5ed03e65ceea4e7dbb405ed34*",".{0,1000}7e87ed799b7b8ca543691b5f261212cb3efebca5ed03e65ceea4e7dbb405ed34.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29761" "*7ea80cfb998032be5b67dc614fc40087e1e36383e59a46616c9d03405c08af3c*",".{0,1000}7ea80cfb998032be5b67dc614fc40087e1e36383e59a46616c9d03405c08af3c.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","29768" "*7ea81ae66bbcb8065d3b7d00c7f67738a4f9fc5c38a28a6cd602552369ea3343*",".{0,1000}7ea81ae66bbcb8065d3b7d00c7f67738a4f9fc5c38a28a6cd602552369ea3343.{0,1000}","greyware_tool_keyword","wireproxy","WireGuard client that exposes itself as a SOCKS5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","29769" 
"*7eb4b08bab7663e0998d4cff0f69acf6c9b583d3698bfc27aa08af44a9a6a51c*",".{0,1000}7eb4b08bab7663e0998d4cff0f69acf6c9b583d3698bfc27aa08af44a9a6a51c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29774" "*7eb68ed7e2a9ca4802a0988d2d41cf8b859c00b8add791c52a304f434120c5b1*",".{0,1000}7eb68ed7e2a9ca4802a0988d2d41cf8b859c00b8add791c52a304f434120c5b1.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29775" "*7ebdb680e615f690bd52c661487379f9df8de648ecf38743e49fe12c6ace6dc7*",".{0,1000}7ebdb680e615f690bd52c661487379f9df8de648ecf38743e49fe12c6ace6dc7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29776" "*7ebff99259931e26c3baf8dd78c1af671d73a6c91a1d6ec9107c0c225df76bf0*",".{0,1000}7ebff99259931e26c3baf8dd78c1af671d73a6c91a1d6ec9107c0c225df76bf0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29778" "*7ec0b4c68270256b0d8a6919f1171f87b5f960ef5003c83ed2d9d6887c9e3c78*",".{0,1000}7ec0b4c68270256b0d8a6919f1171f87b5f960ef5003c83ed2d9d6887c9e3c78.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29779" "*7ec426ac53bac81654965fa1b8ff8af3451b7524f648d4b11ea7d3437a5ba907*",".{0,1000}7ec426ac53bac81654965fa1b8ff8af3451b7524f648d4b11ea7d3437a5ba907.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","0","#filehash","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","29780" 
"*7ec46c20cc8b0d99d230cf54b0e12d97ac4a5049f22badbe7164e7b6d75607d1*",".{0,1000}7ec46c20cc8b0d99d230cf54b0e12d97ac4a5049f22badbe7164e7b6d75607d1.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29781" "*7eda8b7dbce7550e3d56092a4f4bdfe23df822c33e9b5cf20ff986946f8882b0*",".{0,1000}7eda8b7dbce7550e3d56092a4f4bdfe23df822c33e9b5cf20ff986946f8882b0.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29784" "*7edc7446cc381b9accc10f16ad6c3c10a910815c54c496662c2a2430dde92a7f*",".{0,1000}7edc7446cc381b9accc10f16ad6c3c10a910815c54c496662c2a2430dde92a7f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29785" 
"*7efe9473d976e0f2d45fa7e32e84cdbd01d2afa03ae79435eacb93381e672f4f*",".{0,1000}7efe9473d976e0f2d45fa7e32e84cdbd01d2afa03ae79435eacb93381e672f4f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29792" "*7f0125964d3060da6c75a5229f87c9be434abf3566c2fcd3c461868aa33199be*",".{0,1000}7f0125964d3060da6c75a5229f87c9be434abf3566c2fcd3c461868aa33199be.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29795" "*7f08d1c537cc683674c8b85e02ba5ae0513a779fc416c687f82a1b0eba4010d8*",".{0,1000}7f08d1c537cc683674c8b85e02ba5ae0513a779fc416c687f82a1b0eba4010d8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29798" "*7f21c8cb257523a9e810b7e7ae76308b2740fef55dc13f265c427876aa87b559*",".{0,1000}7f21c8cb257523a9e810b7e7ae76308b2740fef55dc13f265c427876aa87b559.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by 
attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29806" "*7f23ac69fa3f519b324bcc33e56272bf1cc9191980bef960a562099844659a3c*",".{0,1000}7f23ac69fa3f519b324bcc33e56272bf1cc9191980bef960a562099844659a3c.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","29808" "*7f27f414ebe84f189adc68a963c7735d4cef34307a19cd0c21243ec202f9f456*",".{0,1000}7f27f414ebe84f189adc68a963c7735d4cef34307a19cd0c21243ec202f9f456.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29809" "*7f36205ce8bfa40c35723afeee04f94c3a3c978b6076c321b6d108d4c7f04963*",".{0,1000}7f36205ce8bfa40c35723afeee04f94c3a3c978b6076c321b6d108d4c7f04963.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","29811" "*7f4747710ba404d04c752320fce43e95fc680ee631fdee2e7ae3ceddb84420a9*",".{0,1000}7f4747710ba404d04c752320fce43e95fc680ee631fdee2e7ae3ceddb84420a9.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by 
attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","29815" "*7f476454dbd7fb672b1d63e0786e2e2755a1fbfc3be04ab4f5bec8f23132a631*",".{0,1000}7f476454dbd7fb672b1d63e0786e2e2755a1fbfc3be04ab4f5bec8f23132a631.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29816" "*7f4e887d5da95798aead133d2064997ef2a0b9b9bf32e27ccfa17c98946825b1*",".{0,1000}7f4e887d5da95798aead133d2064997ef2a0b9b9bf32e27ccfa17c98946825b1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29818" "*7f59d8d46332b5cd74fa92390567375011b6123e8ccc2a1b4f91fa17761cd617*",".{0,1000}7f59d8d46332b5cd74fa92390567375011b6123e8ccc2a1b4f91fa17761cd617.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29819" "*7f5d1fdc074adeca5013395f021574003a543c78953ee17a9afe7fc57d628369*",".{0,1000}7f5d1fdc074adeca5013395f021574003a543c78953ee17a9afe7fc57d628369.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29822" "*7f68729cb251f5aa9ecba08e57f13c8a258ea3cb3c45e7f99881ca496a639d7e*",".{0,1000}7f68729cb251f5aa9ecba08e57f13c8a258ea3cb3c45e7f99881ca496a639d7e.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","29825" "*7f797dd35843b42edf29a19340387f2bf230275fc7941a1ef2b67468e9c1445b*",".{0,1000}7f797dd35843b42edf29a19340387f2bf230275fc7941a1ef2b67468e9c1445b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29827" "*7fa49a08d05a3616b5a24f52645d76c4496c37f5060a6bd4a648f534c4e85ae0*",".{0,1000}7fa49a08d05a3616b5a24f52645d76c4496c37f5060a6bd4a648f534c4e85ae0.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data 
Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","29835" "*7fab6b56cc09d922c7160833d912a2a23ac61ae9d6dc1156d8228bc2c03f5059*",".{0,1000}7fab6b56cc09d922c7160833d912a2a23ac61ae9d6dc1156d8228bc2c03f5059.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29840" "*7fac327360b72613dec67583e4b939b65af0b88b676660821647b161ec2173fd*",".{0,1000}7fac327360b72613dec67583e4b939b65af0b88b676660821647b161ec2173fd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29841" "*7fb420b5290c157897884e59a8a08988d5884f3fb586b557df48fe061b614b59*",".{0,1000}7fb420b5290c157897884e59a8a08988d5884f3fb586b557df48fe061b614b59.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29842" "*7fd3bda1079e0e7ca9186f8e2ac6a41c688b5ad0293b9afbe1f4397aa8f26e53*",".{0,1000}7fd3bda1079e0e7ca9186f8e2ac6a41c688b5ad0293b9afbe1f4397aa8f26e53.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29847" "*7fdc003748c1fa5ff0d87a64aaa8a029927596db53ee09248494aaebe3970179*",".{0,1000}7fdc003748c1fa5ff0d87a64aaa8a029927596db53ee09248494aaebe3970179.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29850" "*7ff2dd43787517d40d5618d6e682042bb8922b08db67d3581d00f1876737b578*",".{0,1000}7ff2dd43787517d40d5618d6e682042bb8922b08db67d3581d00f1876737b578.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29856" "*7ff4e1c0fb6e485d203b3d484b44de78e00caf0c84be600e8ef94062005b7b9b*",".{0,1000}7ff4e1c0fb6e485d203b3d484b44de78e00caf0c84be600e8ef94062005b7b9b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29857" 
"*7ff5da235f8932a5e66bcf40bdf79947ebe731f8802af62a10684fed4e4e0388*",".{0,1000}7ff5da235f8932a5e66bcf40bdf79947ebe731f8802af62a10684fed4e4e0388.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","29858" "*7ff954d3f9f0d655be5f250ca50e8b065ddb8b4d3a1da0a55f740cc03301c6f5*",".{0,1000}7ff954d3f9f0d655be5f250ca50e8b065ddb8b4d3a1da0a55f740cc03301c6f5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29859" "*7ffdce15d8adc97dcaaa845d3e7f493b9750103f4e0e6a3e5281109d93272374*",".{0,1000}7ffdce15d8adc97dcaaa845d3e7f493b9750103f4e0e6a3e5281109d93272374.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","29862" "*7k3j6g3h67l23j345wennkoc4a2223rhjkba22o77ihzdj3achwa.remote.moe*",".{0,1000}7k3j6g3h67l23j345wennkoc4a2223rhjkba22o77ihzdj3achwa\.remote\.moe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","29864" "*8000e9b99094cdc71aeb1e81ff325681539b44fb3c2ad1b4e68164922b632da0*",".{0,1000}8000e9b99094cdc71aeb1e81ff325681539b44fb3c2ad1b4e68164922b632da0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29869" "*8007c76597a892e234a78716e7fd500ca28d278ade6e5d4de965b35c6fefc7fd*",".{0,1000}8007c76597a892e234a78716e7fd500ca28d278ade6e5d4de965b35c6fefc7fd.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29872" "*8014a77fd36652a4d7bea8fcc66f9fb474093bb5a058ac7d7d0ee5b9ad2930de*",".{0,1000}8014a77fd36652a4d7bea8fcc66f9fb474093bb5a058ac7d7d0ee5b9ad2930de.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29879" "*801705a8ff1da87d84dc70691d964f7b64719e7f5c35f83011c4d90eacd478bd*",".{0,1000}801705a8ff1da87d84dc70691d964f7b64719e7f5c35f83011c4d90eacd478bd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29880" "*801a1ea2bf02b9ff657c34708918397bec61408bed216f6ed45889973ee09a01*",".{0,1000}801a1ea2bf02b9ff657c34708918397bec61408bed216f6ed45889973ee09a01.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29882" "*80228ba9bd43db42713f682032c0d4c2faa07ecb01be848bb57f6d51f24fa138*",".{0,1000}80228ba9bd43db42713f682032c0d4c2faa07ecb01be848bb57f6d51f24fa138.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29886" "*8023ad4a809f53faf76bc6c9b200e50b8145c561b076f6817ce22ab8b16ac25e*",".{0,1000}8023ad4a809f53faf76bc6c9b200e50b8145c561b076f6817ce22ab8b16ac25e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29888"
"*8027e8c3404952986b4323ee0773650bab81ae3cb36eb5f643b95c4f2c912ebf*",".{0,1000}8027e8c3404952986b4323ee0773650bab81ae3cb36eb5f643b95c4f2c912ebf.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","29890" "*803441002d464ed753650ca0b322c96a939a7b9d073f9277367b51ea4a894cd5*",".{0,1000}803441002d464ed753650ca0b322c96a939a7b9d073f9277367b51ea4a894cd5.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","29894" "*804201a4515437b3b24ffddc8aaa16cbd0640b4279237e0b162ea3e44c79e67f*",".{0,1000}804201a4515437b3b24ffddc8aaa16cbd0640b4279237e0b162ea3e44c79e67f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29898" "*8057f21ea07c17333d815dd0d088b709c9cc3de1bb60104cf41960e9efa078d9*",".{0,1000}8057f21ea07c17333d815dd0d088b709c9cc3de1bb60104cf41960e9efa078d9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29901" "*80594939a5a0caa3ae0a8425bb0cc149f1ba31b4dfc15fd183ca2ff1650150ad*",".{0,1000}80594939a5a0caa3ae0a8425bb0cc149f1ba31b4dfc15fd183ca2ff1650150ad.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","29902" "*805df2a938819abf6d502f6d607ac78a8fa39f5027b21997f65daeb358a36c82*",".{0,1000}805df2a938819abf6d502f6d607ac78a8fa39f5027b21997f65daeb358a36c82.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29904" "*806238839177ab580463a61cc47e98ed9827f1bff3f9c501df53b51fecc84c16*",".{0,1000}806238839177ab580463a61cc47e98ed9827f1bff3f9c501df53b51fecc84c16.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29905" "*806530346d15b80d28b3050b3a6d435025ffef592fa44b9abae471be6f9c0cb8*",".{0,1000}806530346d15b80d28b3050b3a6d435025ffef592fa44b9abae471be6f9c0cb8.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29906" "*8067eadec99ed1f3d97a706a29bc7d2713c4d163973b383513cf41641e7c0c8c*",".{0,1000}8067eadec99ed1f3d97a706a29bc7d2713c4d163973b383513cf41641e7c0c8c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29907" "*806ad9ce802f8e110440ed228eddc40d82dad33ca0feaae1530d1490edb34d90*",".{0,1000}806ad9ce802f8e110440ed228eddc40d82dad33ca0feaae1530d1490edb34d90.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","29908" "*807d6097fa6f16777eb54bc3be9639757e3dba0ca57c2a9d6b6b699289163df3*",".{0,1000}807d6097fa6f16777eb54bc3be9639757e3dba0ca57c2a9d6b6b699289163df3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","29914" "*807ed1ebbac824f29a84235afe7522ddbb66bf392a7c1f5ea849a5f0aedf1d20*",".{0,1000}807ed1ebbac824f29a84235afe7522ddbb66bf392a7c1f5ea849a5f0aedf1d20.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","29915" "*80840379e83b70528c541218023961323ae10cfd85b4a1dcf6bf0fc01a9336b7*",".{0,1000}80840379e83b70528c541218023961323ae10cfd85b4a1dcf6bf0fc01a9336b7.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","29916" "*80a4f4c0ec5a5397fe7acb53c5e517109ad3a8869440ec0305dd16bb9ee863ea*",".{0,1000}80a4f4c0ec5a5397fe7acb53c5e517109ad3a8869440ec0305dd16bb9ee863ea.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29925" "*80aa71e1022cde5a50c19e15148994c1e3218960b0e9a2ba50782711fea564d3*",".{0,1000}80aa71e1022cde5a50c19e15148994c1e3218960b0e9a2ba50782711fea564d3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29928" "*80afb1294e5136dc196ac707ba1da2c66624e67e3467954a152115478a964b73*",".{0,1000}80afb1294e5136dc196ac707ba1da2c66624e67e3467954a152115478a964b73.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29930" "*80b49c2c746081c110c0d26c8439f3d5915f3a40e6eda4a9dc004087f0ea9707*",".{0,1000}80b49c2c746081c110c0d26c8439f3d5915f3a40e6eda4a9dc004087f0ea9707.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","29931" "*80b60adcd06ad0701c0f000d93d52d9bd4147eb0eb17089939b05dea0ae35cfa*",".{0,1000}80b60adcd06ad0701c0f000d93d52d9bd4147eb0eb17089939b05dea0ae35cfa.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29933" 
"*80c4fd53fa4391adb0414bd60b34d05fa0371f95859b97d39e2238d32ef549aa*",".{0,1000}80c4fd53fa4391adb0414bd60b34d05fa0371f95859b97d39e2238d32ef549aa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29937" "*80c53e7d1ba179d07e6f7863c80a7acc4bc06801ce08322e82bad7147ae535d2*",".{0,1000}80c53e7d1ba179d07e6f7863c80a7acc4bc06801ce08322e82bad7147ae535d2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29938" "*80C7245C-B926-4CEB-BA5B-5353736137A8*",".{0,1000}80C7245C\-B926\-4CEB\-BA5B\-5353736137A8.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#GUIDproject","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","29939" "*80cd76926ec4cf711da761f81d469824ebfc21388b3e062fee509ea087f23a5a*",".{0,1000}80cd76926ec4cf711da761f81d469824ebfc21388b3e062fee509ea087f23a5a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - 
T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29940" "*80ce06d9341317b4c4b4b1e89b2f046e0426e1e952eaa9152231cc26a08de58f*",".{0,1000}80ce06d9341317b4c4b4b1e89b2f046e0426e1e952eaa9152231cc26a08de58f.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","29941" "*80f47ef29cb32968c968bee785edf06e0cddc927cc016d7a735c7209300c813e*",".{0,1000}80f47ef29cb32968c968bee785edf06e0cddc927cc016d7a735c7209300c813e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","29949" "*80fe638eebe79635247d036438363f307f96dc388ca50ac5d4456b121c40b702*",".{0,1000}80fe638eebe79635247d036438363f307f96dc388ca50ac5d4456b121c40b702.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29951" "*811db2a2f5deab16fc831dc8ff74172c121e9676a325bd8761fde7a863bcc598*",".{0,1000}811db2a2f5deab16fc831dc8ff74172c121e9676a325bd8761fde7a863bcc598.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","29961" "*811febc6169517fbd42233cdc003fcaf660f1ee969fcea98261647274ae27f2a*",".{0,1000}811febc6169517fbd42233cdc003fcaf660f1ee969fcea98261647274ae27f2a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29962" "*81257d02ae9cd6d59809ea470ce590cdeb3e7949f5a51dfacba21e1cd3d2713e*",".{0,1000}81257d02ae9cd6d59809ea470ce590cdeb3e7949f5a51dfacba21e1cd3d2713e.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","29963" "*81265cdf4e2efcc4c9285c8d2a4cf2716f0108d861bbababd01cf4bce9b2486c*",".{0,1000}81265cdf4e2efcc4c9285c8d2a4cf2716f0108d861bbababd01cf4bce9b2486c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","29964" "*813001f641f1f6efbfeed1b4ac4ca22274c3264d6f5d055778087b9878089013*",".{0,1000}813001f641f1f6efbfeed1b4ac4ca22274c3264d6f5d055778087b9878089013.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - 
Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29966" "*81317db18f63092007326ae6330d704c17d95ff2dfc65fc1922d0f3708ddee6e*",".{0,1000}81317db18f63092007326ae6330d704c17d95ff2dfc65fc1922d0f3708ddee6e.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","29967" "*81336615ec3491b5ef7770fefaaa4c955dc1bc123d79bb90b24a86989c95aa86*",".{0,1000}81336615ec3491b5ef7770fefaaa4c955dc1bc123d79bb90b24a86989c95aa86.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","29969" "*8141072eb367f6cc492bbcec66c0f08351398ba1a5b44e9f0a831b382ef866cd*",".{0,1000}8141072eb367f6cc492bbcec66c0f08351398ba1a5b44e9f0a831b382ef866cd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29970" "*8154e009a82ae62f597ac8b9da160feb7d74125987bfa3a65283ec19583a292f*",".{0,1000}8154e009a82ae62f597ac8b9da160feb7d74125987bfa3a65283ec19583a292f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","29972" "*815cdd766373b7d6c0a3274ed9f18c2f1d585787415e19087ca489a82c0b6b8d*",".{0,1000}815cdd766373b7d6c0a3274ed9f18c2f1d585787415e19087ca489a82c0b6b8d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29975" "*81641ea0fd6b019e4120a46637c12981003e672b45b00248414697241cda8518*",".{0,1000}81641ea0fd6b019e4120a46637c12981003e672b45b00248414697241cda8518.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","29978"
"*8188be37fcc477e98f40d455c59936ba088a9bb32628fa68ea0a3d5c3d6dfc7a*",".{0,1000}8188be37fcc477e98f40d455c59936ba088a9bb32628fa68ea0a3d5c3d6dfc7a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29989" "*81930048c93d8db07af024cd0355809248501dec0ce182a734d16e6bd48055a3*",".{0,1000}81930048c93d8db07af024cd0355809248501dec0ce182a734d16e6bd48055a3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","29991" "*819fef0b5e052b0f173acbfac84e3e5b672ff5ee789035d02aa813fb5ddcf48f*",".{0,1000}819fef0b5e052b0f173acbfac84e3e5b672ff5ee789035d02aa813fb5ddcf48f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29992" "*81a217411829ecaf0af4a391b559a9ab78bb65de31eaa6bac524cc9c58bc4fc3*",".{0,1000}81a217411829ecaf0af4a391b559a9ab78bb65de31eaa6bac524cc9c58bc4fc3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","29994" 
"*81CA3EC4-026E-4D37-9889-828186BBB8C0*",".{0,1000}81CA3EC4\-026E\-4D37\-9889\-828186BBB8C0.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#GUIDproject #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","30004" "*81d2eda23ebaad0a355aab6ff030712470a42505b94c01c9bb5a9ead9168cedb*",".{0,1000}81d2eda23ebaad0a355aab6ff030712470a42505b94c01c9bb5a9ead9168cedb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30007" "*81e16f20ad480d901964c4b9bfc2f0321a4693cb123f4d3148277bd9f7bc3f5d*",".{0,1000}81e16f20ad480d901964c4b9bfc2f0321a4693cb123f4d3148277bd9f7bc3f5d.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30010" "*81e30731b5eb8a1e704c146062efd856cbfd37ceba4874d5907f84ac7deb59c9*",".{0,1000}81e30731b5eb8a1e704c146062efd856cbfd37ceba4874d5907f84ac7deb59c9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP 
Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30013" "*81e7be456369f5957713463e3624023e9159c1cae756e807937046ebc9394383*",".{0,1000}81e7be456369f5957713463e3624023e9159c1cae756e807937046ebc9394383.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30016" "*81f14b29b131156c433a46709e83bbe8deeee87c4bb9db4d45171ece944f6612*",".{0,1000}81f14b29b131156c433a46709e83bbe8deeee87c4bb9db4d45171ece944f6612.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","30017" "*81f47f6cd4d534902c6d146c6cf8bcb7e50d2b7b04d7402268e952278293347a*",".{0,1000}81f47f6cd4d534902c6d146c6cf8bcb7e50d2b7b04d7402268e952278293347a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30018" "*820b29ceaeed51da52cd45987f9a0ebcca4335aff654204393c0705e83324d50*",".{0,1000}820b29ceaeed51da52cd45987f9a0ebcca4335aff654204393c0705e83324d50.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30021" "*820d4bccb36fefaa8b77fed456872ddd63a433fa5ce3dd024ccf3f9c93710c30*",".{0,1000}820d4bccb36fefaa8b77fed456872ddd63a433fa5ce3dd024ccf3f9c93710c30.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","30022" "*820d907e4d5c567988b402ab0e31414937fd187b273004a538880f20aaefaa21*",".{0,1000}820d907e4d5c567988b402ab0e31414937fd187b273004a538880f20aaefaa21.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30023" "*822374f306a334c37c055f40f4adcc6ef5b381a0e38133760634bdcd480186aa*",".{0,1000}822374f306a334c37c055f40f4adcc6ef5b381a0e38133760634bdcd480186aa.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30030" "*822855a1e7c58a8b1cf0ec31a900a03009dd1015135f98d99cf6aac1472b000f*",".{0,1000}822855a1e7c58a8b1cf0ec31a900a03009dd1015135f98d99cf6aac1472b000f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30033" "*824cde57cde28cf15e18e2eae0e68dda28ad89c33ddb0d6f01dd999513f35b68*",".{0,1000}824cde57cde28cf15e18e2eae0e68dda28ad89c33ddb0d6f01dd999513f35b68.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30041" "*826463d9a2bc5e511e091c24be7d4bf6f2df396702662fb528498223ccb39b94*",".{0,1000}826463d9a2bc5e511e091c24be7d4bf6f2df396702662fb528498223ccb39b94.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon 
Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30045" "*8285531c07766ad9297296d9a466746b3bcafff13ceb39d374422f254f2d00d0*",".{0,1000}8285531c07766ad9297296d9a466746b3bcafff13ceb39d374422f254f2d00d0.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","30053" "*828ee46c07c36e54f11e38f01898e3bd215739c28bbcf05606abe00ba0c6c51f*",".{0,1000}828ee46c07c36e54f11e38f01898e3bd215739c28bbcf05606abe00ba0c6c51f.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","30058" "*829f65af61d795563f2651987a1146b49eaad6469d779074c4efd32433b4a6cd*",".{0,1000}829f65af61d795563f2651987a1146b49eaad6469d779074c4efd32433b4a6cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30060" "*82aa8a39e1cc14668a60048c7375ebd45f1bb5734863ad2cac1309c63f05c57f*",".{0,1000}82aa8a39e1cc14668a60048c7375ebd45f1bb5734863ad2cac1309c63f05c57f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30062" 
"*82adb5af26e4d48ceafec3852889db12d4de8ce046f196aea425f978bdb7fa7c*",".{0,1000}82adb5af26e4d48ceafec3852889db12d4de8ce046f196aea425f978bdb7fa7c.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","30065" "*82b2e4933abab5bad7a425ef7122157be4ab660f488f768f719a5b49017cda27*",".{0,1000}82b2e4933abab5bad7a425ef7122157be4ab660f488f768f719a5b49017cda27.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30068" "*82b39dd75bda38dccb8f026507c583490b2f37dd299a2efde3c2d20b4a0143b0*",".{0,1000}82b39dd75bda38dccb8f026507c583490b2f37dd299a2efde3c2d20b4a0143b0.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","30069" "*82c596e4b30f9be61f942b26948a5e51c6910e36073f6c5e531ddca8f60356d1*",".{0,1000}82c596e4b30f9be61f942b26948a5e51c6910e36073f6c5e531ddca8f60356d1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30073" 
"*82d32160a4bc234ba3e1d34412e65ee7a74c904df4156a896f71c422a103abd6*",".{0,1000}82d32160a4bc234ba3e1d34412e65ee7a74c904df4156a896f71c422a103abd6.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30076" "*82e0dfe67afecbff60f4442ca4595984ad82b8515c985857ac067eb4b1737f52*",".{0,1000}82e0dfe67afecbff60f4442ca4595984ad82b8515c985857ac067eb4b1737f52.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30081" "*82e748eaceebf6c4612c4d7fb4c3bd9773c954ba7ef0a4912bca33084b14c2c7*",".{0,1000}82e748eaceebf6c4612c4d7fb4c3bd9773c954ba7ef0a4912bca33084b14c2c7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30084" "*82e8b44fbea744b19d70b11e5c9836526d303680860fa39abed0b69835c64e8a*",".{0,1000}82e8b44fbea744b19d70b11e5c9836526d303680860fa39abed0b69835c64e8a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30085" "*82ecdddcaec5ccde85ce2235c25aaebc70f24d3837917d7816c32ed6874c495f*",".{0,1000}82ecdddcaec5ccde85ce2235c25aaebc70f24d3837917d7816c32ed6874c495f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30086" "*82fab464a4b0e1f1e284ec32370edd5090637c682ba7e7e609f2f5bb95c78c4b*",".{0,1000}82fab464a4b0e1f1e284ec32370edd5090637c682ba7e7e609f2f5bb95c78c4b.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","30091" "*82fe60166f0c57916272576f45e5465f16b5b8272c37cfc3786de8130a0c48e4*",".{0,1000}82fe60166f0c57916272576f45e5465f16b5b8272c37cfc3786de8130a0c48e4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30092" "*830d07f44abea51f4549edc31d61ad228e6621c60aebfd6e241ca5aa5abf14f7*",".{0,1000}830d07f44abea51f4549edc31d61ad228e6621c60aebfd6e241ca5aa5abf14f7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30099" "*831096dedc1741e97c5a65d992cf8825a02bdcd43c76727d2a9d26638cfeedd3*",".{0,1000}831096dedc1741e97c5a65d992cf8825a02bdcd43c76727d2a9d26638cfeedd3.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","30101" "*831296851f3b9f90c613b245ea3957e926f44f8373121a29b3f63df905b614c4*",".{0,1000}831296851f3b9f90c613b245ea3957e926f44f8373121a29b3f63df905b614c4.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT 
to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30103" "*83184461da759df6f22da0e53a4a367eccfce3b1e99941521181ce7a03000aaf*",".{0,1000}83184461da759df6f22da0e53a4a367eccfce3b1e99941521181ce7a03000aaf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30104" "*832974dc5dbee7b88c6d51acbcbe612ca5e2ee5a7d3101308135e433246cdb8f*",".{0,1000}832974dc5dbee7b88c6d51acbcbe612ca5e2ee5a7d3101308135e433246cdb8f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30107" "*832b7b0c67c63fcc6abb02d937a3b631f86a934cdf85879eb1a0da5705b05c65*",".{0,1000}832b7b0c67c63fcc6abb02d937a3b631f86a934cdf85879eb1a0da5705b05c65.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30108" "*8332935d27f531b6c85fe79f76625220391930506c5debb44895cd8269f58b07*",".{0,1000}8332935d27f531b6c85fe79f76625220391930506c5debb44895cd8269f58b07.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30109" "*83415b22a293a7dd3445a721aafbfd17b24e8b3f0864d6a68d3f0f70efff4bd9*",".{0,1000}83415b22a293a7dd3445a721aafbfd17b24e8b3f0864d6a68d3f0f70efff4bd9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30113" "*8355cecbe4792077c4977def67d9d10be79d0c9442aec7dc93cbdf9523387844*",".{0,1000}8355cecbe4792077c4977def67d9d10be79d0c9442aec7dc93cbdf9523387844.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30119" "*8365dc72d291194a2b3bd59e36473db7404a219fe999c50dad3d793c3a3178e4*",".{0,1000}8365dc72d291194a2b3bd59e36473db7404a219fe999c50dad3d793c3a3178e4.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","30125" "*83a82600aa1102569a14bb436c08b4abde68c4b47bd05934a4fed0ca8d187abd*",".{0,1000}83a82600aa1102569a14bb436c08b4abde68c4b47bd05934a4fed0ca8d187abd.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","30132" "*83c2966fe942b2b0a1e31ea84f6336c024cb57ff5c397b0d1cddf050bb4e5b21*",".{0,1000}83c2966fe942b2b0a1e31ea84f6336c024cb57ff5c397b0d1cddf050bb4e5b21.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","30141" "*83cafd75fbd94992f38162260fb8cd5f6388c10f4e0b40890554568c43a9fc19*",".{0,1000}83cafd75fbd94992f38162260fb8cd5f6388c10f4e0b40890554568c43a9fc19.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","30142" "*83d5b44bdd3d37cf3bc76b3e9e433c947c7917fa6fe8522d2e4421fecdfaf987*",".{0,1000}83d5b44bdd3d37cf3bc76b3e9e433c947c7917fa6fe8522d2e4421fecdfaf987.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos 
- BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30144" "*83e5e64474d446fb7f612d21968e4826a23f008e00110b199b35896eeb9436b4*",".{0,1000}83e5e64474d446fb7f612d21968e4826a23f008e00110b199b35896eeb9436b4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30152" "*83eeacb73e1ba4d3eb4d91887fa338e27c3ec91e283d6cdf2522322449b5e8ab*",".{0,1000}83eeacb73e1ba4d3eb4d91887fa338e27c3ec91e283d6cdf2522322449b5e8ab.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30154" "*84002e45f5979c6ca1478be38d0215007f8208edb2b4a45e2571f6c003828dbc*",".{0,1000}84002e45f5979c6ca1478be38d0215007f8208edb2b4a45e2571f6c003828dbc.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30156" "*84024388bfbdb79a8d084767325ef4b8f25c6551f50a1f9beb2409e73041644f*",".{0,1000}84024388bfbdb79a8d084767325ef4b8f25c6551f50a1f9beb2409e73041644f.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30159" "*8430f80dc17b98fd78aca6f7d635bf12a486687677e15989a891ff4f6d8490a9*",".{0,1000}8430f80dc17b98fd78aca6f7d635bf12a486687677e15989a891ff4f6d8490a9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30172" "*8432faf9d944bcf430ebb7d45282f84901a59eb5e4ae3fc9b7ba5226b7a4ce35*",".{0,1000}8432faf9d944bcf430ebb7d45282f84901a59eb5e4ae3fc9b7ba5226b7a4ce35.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","30174" "*843af28bae0fffafaf6c1aadce104fd299b3bd4c0b6d2d72ae9f4f7000167cf5*",".{0,1000}843af28bae0fffafaf6c1aadce104fd299b3bd4c0b6d2d72ae9f4f7000167cf5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30175" 
"*84431e99daa0524ebef7f8ca6090243f7287b52bdd37afcbbdad8c52c516d5c5*",".{0,1000}84431e99daa0524ebef7f8ca6090243f7287b52bdd37afcbbdad8c52c516d5c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30176" "*8455f37f4777a237e87e3326cc9dd7af51b3bc2cfe968ff488e85effb2ca30ac*",".{0,1000}8455f37f4777a237e87e3326cc9dd7af51b3bc2cfe968ff488e85effb2ca30ac.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","30180" "*845b979d93d58f985c1b6e1153fcfc12732c4d28a02cbae528cf106e55cfb93a*",".{0,1000}845b979d93d58f985c1b6e1153fcfc12732c4d28a02cbae528cf106e55cfb93a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30181" 
"*846318dda27ff847acc25676c4d7a133ee8ea2cb80d4f5d273ef0945f211dd57*",".{0,1000}846318dda27ff847acc25676c4d7a133ee8ea2cb80d4f5d273ef0945f211dd57.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30186" "*84a0a90cde73607684db0142f2d9cd8e636f089514eba57835ec10806d8f5f4b*",".{0,1000}84a0a90cde73607684db0142f2d9cd8e636f089514eba57835ec10806d8f5f4b.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#filehash","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","30201" "*84b735e9c0af06be82353d3cfc511ffe8edcfc7e2952aceaec7221b282488d69*",".{0,1000}84b735e9c0af06be82353d3cfc511ffe8edcfc7e2952aceaec7221b282488d69.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30206" "*84b92d2a8ea328fac12eaa92321d3a5c61374f1dc9c7a9a6e150431b11354854*",".{0,1000}84b92d2a8ea328fac12eaa92321d3a5c61374f1dc9c7a9a6e150431b11354854.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30207" "*84bd394d27a36a89e86a265dd05d14d4747f16ec916044fec21ec113bf96a1c4*",".{0,1000}84bd394d27a36a89e86a265dd05d14d4747f16ec916044fec21ec113bf96a1c4.{0,1000}","greyware_tool_keyword","fleetdm","Manage 
everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30209" "*84c868b63bcfba344a52d0f53c63beaaf5dfc08f0ead2cee80656b48fa1d5e47*",".{0,1000}84c868b63bcfba344a52d0f53c63beaaf5dfc08f0ead2cee80656b48fa1d5e47.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30212" "*84dcc12153f8b7d66923070bf81d5c8f5dbc300baf8c37d7ab41f79d60358ab5*",".{0,1000}84dcc12153f8b7d66923070bf81d5c8f5dbc300baf8c37d7ab41f79d60358ab5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30219" "*84f1ec6bd03bb770c9efe79a396dbd41ad417d691522638a331a493dfc42f0f2*",".{0,1000}84f1ec6bd03bb770c9efe79a396dbd41ad417d691522638a331a493dfc42f0f2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30226" "*85057ff4c0fc97cb3b9b269c2bdddc0611cdbd7d748c52a2e4d949de9cdfb157*",".{0,1000}85057ff4c0fc97cb3b9b269c2bdddc0611cdbd7d748c52a2e4d949de9cdfb157.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30231" "*8513ddc466aa21460a7790754d7f9441725820996f68ae44731bd63fb8abd957*",".{0,1000}8513ddc466aa21460a7790754d7f9441725820996f68ae44731bd63fb8abd957.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30235" "*851dddcb60f2e90bc02a00a056ec9bf8d131082b0d7e3b9b7bf67ac1a381d297*",".{0,1000}851dddcb60f2e90bc02a00a056ec9bf8d131082b0d7e3b9b7bf67ac1a381d297.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30238" "*853e033af8339767d2ccc03845763bd250238ee0642d4042e027a5359a56760d*",".{0,1000}853e033af8339767d2ccc03845763bd250238ee0642d4042e027a5359a56760d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program 
for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30247" "*85549f76ecf192f4e61cdcbedc8af83b48a76d78924ab9c09eaeb31141944770*",".{0,1000}85549f76ecf192f4e61cdcbedc8af83b48a76d78924ab9c09eaeb31141944770.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30250" "*8558ee2389b4493ff9b3d9bcab252564a817284583d651649ce79d7091ea45d3*",".{0,1000}8558ee2389b4493ff9b3d9bcab252564a817284583d651649ce79d7091ea45d3.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","30252" "*855ebd0013f114417417fea33f17bbad5fb49a588e93ebc0099f0d2d5f7312a9*",".{0,1000}855ebd0013f114417417fea33f17bbad5fb49a588e93ebc0099f0d2d5f7312a9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30254" "*8572bd593860c780a609128b9764e2f98e13ebf7130018e288f067bc75c71ef3*",".{0,1000}8572bd593860c780a609128b9764e2f98e13ebf7130018e288f067bc75c71ef3.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30258" "*8578d2a63bbedd34669ed4cd8b332fb3aecfd3480ea3ef6d0c692e6fc146cb3e*",".{0,1000}8578d2a63bbedd34669ed4cd8b332fb3aecfd3480ea3ef6d0c692e6fc146cb3e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30260" "*8579d38432b7652643a84d0fd7edbc78668ca3f91ddc1d78ee8840a7a35fa9b7*",".{0,1000}8579d38432b7652643a84d0fd7edbc78668ca3f91ddc1d78ee8840a7a35fa9b7.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30261" "*85a6408cfb0798dab52335bcb00ac32066376c32daaa75461d43081499bc7de8*",".{0,1000}85a6408cfb0798dab52335bcb00ac32066376c32daaa75461d43081499bc7de8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30271" "*85bf085697ae96895b2ddf719c382e1647b4f17f4f4dc216dd89da79783dcd87*",".{0,1000}85bf085697ae96895b2ddf719c382e1647b4f17f4f4dc216dd89da79783dcd87.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30276" "*85c5f89ba2e10c646acc5912cb3a8c33857c40551b363257f23cfe855a1e3c54*",".{0,1000}85c5f89ba2e10c646acc5912cb3a8c33857c40551b363257f23cfe855a1e3c54.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30277" "*85c623d7808f9d2cf51945e02e98d02b94f9f32ea892237f9a58b544c7a4f4f9*",".{0,1000}85c623d7808f9d2cf51945e02e98d02b94f9f32ea892237f9a58b544c7a4f4f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - 
Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30278" "*85cd761d170a2b9d567dcf7bd8c1a4aefa19aa9cfca048edd29483a196b42dcb*",".{0,1000}85cd761d170a2b9d567dcf7bd8c1a4aefa19aa9cfca048edd29483a196b42dcb.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30279" "*85d2f62537a5e72af0ea4f43f1d476f95f2081db5d42836823ba9be7684c7ac2*",".{0,1000}85d2f62537a5e72af0ea4f43f1d476f95f2081db5d42836823ba9be7684c7ac2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30280" "*85dcecfbdf9927330ab06a6d347e91d6e780ee800bd9aa1b82b9d32f8c83a72f*",".{0,1000}85dcecfbdf9927330ab06a6d347e91d6e780ee800bd9aa1b82b9d32f8c83a72f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30282" "*85eaf5c3848e384ff88f16bf59f8d6e31194e01b2b8be58191de5a74d03348be*",".{0,1000}85eaf5c3848e384ff88f16bf59f8d6e31194e01b2b8be58191de5a74d03348be.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","30284" "*85f0b24d9e734c48dfe285aece6b7decb23eaa976590245adf67e43b1bc222d1*",".{0,1000}85f0b24d9e734c48dfe285aece6b7decb23eaa976590245adf67e43b1bc222d1.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30286" "*861fe019ac96ac55b5e0e97c8d6138773a11b64f8cbd3530f51f56eb6009326c*",".{0,1000}861fe019ac96ac55b5e0e97c8d6138773a11b64f8cbd3530f51f56eb6009326c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - 
Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30291" "*865bbc5b3cae67db29423ec7c3d4795e2685dd568ae504087a1a36aca8b78cba*",".{0,1000}865bbc5b3cae67db29423ec7c3d4795e2685dd568ae504087a1a36aca8b78cba.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30308" "*868d273ae930d63b3c437203040a3ab36d2f7b355a33c1b2ad13bf3264a35747*",".{0,1000}868d273ae930d63b3c437203040a3ab36d2f7b355a33c1b2ad13bf3264a35747.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","30317" "*869076f7f55c9cecc46bcef4b7c44a7538f2af695ff8ce728c71a0d52c48443b*",".{0,1000}869076f7f55c9cecc46bcef4b7c44a7538f2af695ff8ce728c71a0d52c48443b.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30318" "*869df81bed2d14ea117e02aaff9894b9f9eac2b6c8802dd7be37eb14da8cca48*",".{0,1000}869df81bed2d14ea117e02aaff9894b9f9eac2b6c8802dd7be37eb14da8cca48.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","30325" "*86a906672ad815e281944d68af3d0f7e8e48591b727a3215ed06be57dff8b514*",".{0,1000}86a906672ad815e281944d68af3d0f7e8e48591b727a3215ed06be57dff8b514.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30327" "*86bd9d5adf837decef7b59ae3a02134103908a249ddd0457f4a688467a42ca63*",".{0,1000}86bd9d5adf837decef7b59ae3a02134103908a249ddd0457f4a688467a42ca63.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30330" "*86bfc150238405ea58c396e25766dee4b1e01caedbcfd32ed3fd74533e29d910*",".{0,1000}86bfc150238405ea58c396e25766dee4b1e01caedbcfd32ed3fd74533e29d910.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30331" "*86c8dd3f7083c274723554ad02410bbdaf990836ce6d6047cf3d759bc6761cf5*",".{0,1000}86c8dd3f7083c274723554ad02410bbdaf990836ce6d6047cf3d759bc6761cf5.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","30334" "*86f182e121994ab7f27c9936c947bf21151dbaa1a2c94640c9b3493e3101c98a*",".{0,1000}86f182e121994ab7f27c9936c947bf21151dbaa1a2c94640c9b3493e3101c98a.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","30341" "*86f533145306e79ccdbe21d0b46326ae9fab9507f3a1740d0ffc8a088ce18d02*",".{0,1000}86f533145306e79ccdbe21d0b46326ae9fab9507f3a1740d0ffc8a088ce18d02.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30342" "*86f782aab22bf6fff00382de47905a313a94c3e6d1d73d9f8100c59472d48e08*",".{0,1000}86f782aab22bf6fff00382de47905a313a94c3e6d1d73d9f8100c59472d48e08.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command 
line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30343" "*870089165f0603447e099ef6a27cbf0926fda8cbbe1df6fa3c7021897f1eabcc*",".{0,1000}870089165f0603447e099ef6a27cbf0926fda8cbbe1df6fa3c7021897f1eabcc.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30349" "*8704f3f1748b05a7d936a23172b3248acda6e5dfbe58a192872ae779755de513*",".{0,1000}8704f3f1748b05a7d936a23172b3248acda6e5dfbe58a192872ae779755de513.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30351" 
"*870d0643bce12a91a51947e9fee61b2ccd3b0fd12c21e81bcfcdfd6248f4c287*",".{0,1000}870d0643bce12a91a51947e9fee61b2ccd3b0fd12c21e81bcfcdfd6248f4c287.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30354" "*873b15cab88f6d288e02bd71e5cefb1edf0b96dc80a8a0d7d404f4b327c68097*",".{0,1000}873b15cab88f6d288e02bd71e5cefb1edf0b96dc80a8a0d7d404f4b327c68097.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","30364" "*8758130f7aa1639b1b2c24c327114657a819c81cdd229a41f56fe9a6550a2b05*",".{0,1000}8758130f7aa1639b1b2c24c327114657a819c81cdd229a41f56fe9a6550a2b05.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30372" "*8768fb4f5c0829e3ed696af614ff761ca72b5538bef2073464f57eadc76f5ed4*",".{0,1000}8768fb4f5c0829e3ed696af614ff761ca72b5538bef2073464f57eadc76f5ed4.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30380" "*876dc6fecb7587bc98ed1702f11e01f19f7c56cd9703c76b7722e914e143280c*",".{0,1000}876dc6fecb7587bc98ed1702f11e01f19f7c56cd9703c76b7722e914e143280c.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - 
macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30383" "*876f05d707463603766c0d3073d2806f6a3b89b50d4c1c32f5a754a3db52c5c4*",".{0,1000}876f05d707463603766c0d3073d2806f6a3b89b50d4c1c32f5a754a3db52c5c4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30384" "*87759dcbffdc166d166545937d55787701b69197a7138ac01850f661f2dceed4*",".{0,1000}87759dcbffdc166d166545937d55787701b69197a7138ac01850f661f2dceed4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30385" "*877754ae2d7a31733ab7ee31c4db2159c63c48899bbbf0e7578ae9067c8bfbdb*",".{0,1000}877754ae2d7a31733ab7ee31c4db2159c63c48899bbbf0e7578ae9067c8bfbdb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30386" "*877dc57373b8c8b98f7afb6a818a465dbf855f8d6a9b7330805fa08abfb197c3*",".{0,1000}877dc57373b8c8b98f7afb6a818a465dbf855f8d6a9b7330805fa08abfb197c3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30388" "*8787b7404348874e5917f55316fcbae979f0b1358d9fa7c3c13f5019027afde4*",".{0,1000}8787b7404348874e5917f55316fcbae979f0b1358d9fa7c3c13f5019027afde4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30391" 
"*878dadc0cd51626f39072cd599be261d184cfe894a4447298449def8588072b8*",".{0,1000}878dadc0cd51626f39072cd599be261d184cfe894a4447298449def8588072b8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30393" "*87907a6d7e8d6b4cdf4264950869799096b5ebc9c3de4c9ed0204d91650ed54e*",".{0,1000}87907a6d7e8d6b4cdf4264950869799096b5ebc9c3de4c9ed0204d91650ed54e.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#filehash","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","30395" "*879b6b220338f388f14152df2b7b92abce0baa3feac0de0858fd2c6c7a906637*",".{0,1000}879b6b220338f388f14152df2b7b92abce0baa3feac0de0858fd2c6c7a906637.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30400" "*879f2aff6d65c4ce886ccd74508a38dc49d4be49c37b98b88af45fb0f908e865*",".{0,1000}879f2aff6d65c4ce886ccd74508a38dc49d4be49c37b98b88af45fb0f908e865.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30401" "*87a0056914c80855f8226b2b23118ed48776bd46a56d1cee328db464ec7502a3*",".{0,1000}87a0056914c80855f8226b2b23118ed48776bd46a56d1cee328db464ec7502a3.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30402" "*87a25f52f233c1176eeeab554a2941f1738a9e86669fb7febe8155d15ddf5530*",".{0,1000}87a25f52f233c1176eeeab554a2941f1738a9e86669fb7febe8155d15ddf5530.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30403" "*87a2fcc9f478c587a81b872f0943a0a280b6c663bb56222131c8b685f14ee1f2*",".{0,1000}87a2fcc9f478c587a81b872f0943a0a280b6c663bb56222131c8b685f14ee1f2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30404" 
"*87c0e2e1aa8e9c492a4ae12219f7a14cae0724c57a127445f92513e4acc962b3*",".{0,1000}87c0e2e1aa8e9c492a4ae12219f7a14cae0724c57a127445f92513e4acc962b3.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30411" "*87c37a74f246d2cdb49d5392c0bbe27e09033446346e839204eabd47224d5880*",".{0,1000}87c37a74f246d2cdb49d5392c0bbe27e09033446346e839204eabd47224d5880.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30412" "*87d71be6639e0c89794aec6646ca5894c4be239c61462b4a8e78548898c553e6*",".{0,1000}87d71be6639e0c89794aec6646ca5894c4be239c61462b4a8e78548898c553e6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30416" "*87d7db96fb7c8fd8668f69717d84c9cc36f3c2ae96a8ef2187fb4b3544fabf5d*",".{0,1000}87d7db96fb7c8fd8668f69717d84c9cc36f3c2ae96a8ef2187fb4b3544fabf5d.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN 
software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","30417" "*87e8486846df3005c1b481b1c5205f661b715addfda262f56d2a41892126b399*",".{0,1000}87e8486846df3005c1b481b1c5205f661b715addfda262f56d2a41892126b399.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","30419" "*8805d70a692b0c5e20271214af085ffc3d8ea2176ce5dbe06fd6e4de59d8206f*",".{0,1000}8805d70a692b0c5e20271214af085ffc3d8ea2176ce5dbe06fd6e4de59d8206f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30425" "*8807e7e0d5bf8197bc51533f3731adb29a89f1cb18355d3a3d59a88d73119464*",".{0,1000}8807e7e0d5bf8197bc51533f3731adb29a89f1cb18355d3a3d59a88d73119464.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","30426" "*880a24b003db1825ec63774cb5cb0c8a0b848d254eac6f977b700649e2baf4d9*",".{0,1000}880a24b003db1825ec63774cb5cb0c8a0b848d254eac6f977b700649e2baf4d9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30427" "*88165b5b89b6064df37a9964d660f40ac62db51d6536e459db9aaea6f2b2fc11*",".{0,1000}88165b5b89b6064df37a9964d660f40ac62db51d6536e459db9aaea6f2b2fc11.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30431" "*881f6c9e3c1e70dd076b850c146352b733957e1ef90a76c46595631f2cd5ff7c*",".{0,1000}881f6c9e3c1e70dd076b850c146352b733957e1ef90a76c46595631f2cd5ff7c.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30438" 
"*88489815bf08cd6b93b92f3c21c76926e08c1c4f3e31c2f4a303eaa3b58f6c91*",".{0,1000}88489815bf08cd6b93b92f3c21c76926e08c1c4f3e31c2f4a303eaa3b58f6c91.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30447" "*884a510aa8274a74bd77d27e5ae3b55c55a55ccc115ef0985d10a69b359e1453*",".{0,1000}884a510aa8274a74bd77d27e5ae3b55c55a55ccc115ef0985d10a69b359e1453.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30448" "*886ac7c8c0e01bddcb808947f76a5f904572e337fa4023cce4bad71a7ae9ca1c*",".{0,1000}886ac7c8c0e01bddcb808947f76a5f904572e337fa4023cce4bad71a7ae9ca1c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30457" "*886e67a861f34bcd7094cc4d2bb989d0c3aaf594d11a21fc11d4ffefe136f47f*",".{0,1000}886e67a861f34bcd7094cc4d2bb989d0c3aaf594d11a21fc11d4ffefe136f47f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30462" 
"*887151c88c3be897947ce3159096518d452d30e1006b850a65d951387d2358d3*",".{0,1000}887151c88c3be897947ce3159096518d452d30e1006b850a65d951387d2358d3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30463" "*887b0d18cc4158752105774b5b332ab290a51f08e2602b5c140bc2b1368d1b79*",".{0,1000}887b0d18cc4158752105774b5b332ab290a51f08e2602b5c140bc2b1368d1b79.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30465" "*887db63eb3481f3a32aa449b84cbc44b4059ba2eacb869a87e965c10b4ce0173*",".{0,1000}887db63eb3481f3a32aa449b84cbc44b4059ba2eacb869a87e965c10b4ce0173.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","30466" "*888fc4f6a333cad871710fca2227c37bef771323826c5c414492d653858db10a*",".{0,1000}888fc4f6a333cad871710fca2227c37bef771323826c5c414492d653858db10a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30474" 
"*88c5d386c60a15d9758570e8b261f6b1d23248bd37d32b98cdf83ebc5223a266*",".{0,1000}88c5d386c60a15d9758570e8b261f6b1d23248bd37d32b98cdf83ebc5223a266.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30487" "*88d829d4560be8d3c7323523d84320910daec9354336166d0ebba78f24032819*",".{0,1000}88d829d4560be8d3c7323523d84320910daec9354336166d0ebba78f24032819.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30490" "*88e0abfe14884bc8850346e1250c8fd54ee3f2de770f32d3ffecbe06c7769141*",".{0,1000}88e0abfe14884bc8850346e1250c8fd54ee3f2de770f32d3ffecbe06c7769141.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","30492" "*88e1851d5b2c7725bb5e2cd08a45077496d207d8e04b56b35b982d6e32846f20*",".{0,1000}88e1851d5b2c7725bb5e2cd08a45077496d207d8e04b56b35b982d6e32846f20.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30494" "*88ed9c876b03d2cc745463903ac5233e441cd56d0d1031906bc8381af11ea0c8*",".{0,1000}88ed9c876b03d2cc745463903ac5233e441cd56d0d1031906bc8381af11ea0c8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30497" "*88f70507c3d00c6db0700498561444ba6ca5eff3afff4e0eecf96e7ac3668230*",".{0,1000}88f70507c3d00c6db0700498561444ba6ca5eff3afff4e0eecf96e7ac3668230.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30500" "*891355660e32ea092c0af8602c2fad7602196bed297218d41ce8ba307ab84459*",".{0,1000}891355660e32ea092c0af8602c2fad7602196bed297218d41ce8ba307ab84459.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30507" "*8914b7193d1961310e5247a9217ca8ed80bf212a25c889d432594f9ba533462d*",".{0,1000}8914b7193d1961310e5247a9217ca8ed80bf212a25c889d432594f9ba533462d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30508" "*8922dfdc60c1bfb47a62ba4635e764a7e2882e6d8c74bcd96f8c5c1021000682*",".{0,1000}8922dfdc60c1bfb47a62ba4635e764a7e2882e6d8c74bcd96f8c5c1021000682.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30510" 
"*8923E1ED-2594-4668-A4FA-DC2CFF7EA1CA*",".{0,1000}8923E1ED\-2594\-4668\-A4FA\-DC2CFF7EA1CA.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","30511" "*892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0*",".{0,1000}892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30512" "*892dfce05bfcab969306a1034ef0fc0decc52d82b43cda8b6c395549c8ef1133*",".{0,1000}892dfce05bfcab969306a1034ef0fc0decc52d82b43cda8b6c395549c8ef1133.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","30514" "*894368f2b42eac9feee89560aa890c1215883b716232c66f20bf4145d6bbf671*",".{0,1000}894368f2b42eac9feee89560aa890c1215883b716232c66f20bf4145d6bbf671.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30519" 
"*895b5c7ece8b458dff80ed790fc1633675a05fc9c4bd994ac89cf8e9d83bd32b*",".{0,1000}895b5c7ece8b458dff80ed790fc1633675a05fc9c4bd994ac89cf8e9d83bd32b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30527" "*895d847eec516f9d8eb2cf8a08408c92523d1430d9dc2e91c5ed5268eb424479*",".{0,1000}895d847eec516f9d8eb2cf8a08408c92523d1430d9dc2e91c5ed5268eb424479.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30528" "*89866c382c09e09e89fe8548c3cf51c64784c914ab2b308ad7820ec6b2758e91*",".{0,1000}89866c382c09e09e89fe8548c3cf51c64784c914ab2b308ad7820ec6b2758e91.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30536" "*8988af63d7f1d5a9f1ffaf6f24c487e8713df21faf0ae8fc7bfb7996583c02ad*",".{0,1000}8988af63d7f1d5a9f1ffaf6f24c487e8713df21faf0ae8fc7bfb7996583c02ad.{0,1000}","greyware_tool_keyword","remoteit","Expose 
localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30538" "*89928c5882095cfc598c9479d2f5e7d9a41c3581fc0fd447237d79a310c305cc*",".{0,1000}89928c5882095cfc598c9479d2f5e7d9a41c3581fc0fd447237d79a310c305cc.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30539" "*89a1b21160a0e3890c45596d7832ff37474a2c3200423f23adee11ff676b295b*",".{0,1000}89a1b21160a0e3890c45596d7832ff37474a2c3200423f23adee11ff676b295b.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","30542" "*89af64dd653594b71277b175037995b356d139881c766706a4ab1862250a7f61*",".{0,1000}89af64dd653594b71277b175037995b356d139881c766706a4ab1862250a7f61.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30545" 
"*89b153d078008da7bf1d05f4f2f6a655f2757472a9275e2895b311d44dfcccbe*",".{0,1000}89b153d078008da7bf1d05f4f2f6a655f2757472a9275e2895b311d44dfcccbe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30546" "*89b8fdbc6fab18b4544efbfd2c7929e02f5d5ba66942e8550098f43111b79a6c*",".{0,1000}89b8fdbc6fab18b4544efbfd2c7929e02f5d5ba66942e8550098f43111b79a6c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30548" "*89bd3a31299f6bbf9be9bcf5f1456c11333590290626f11017079fd84ee58ca1*",".{0,1000}89bd3a31299f6bbf9be9bcf5f1456c11333590290626f11017079fd84ee58ca1.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","30549" "*89c0d3180d1baa0b0ca6fb7dd3af81a80400ea4c5674101a5800c074bd3aec98*",".{0,1000}89c0d3180d1baa0b0ca6fb7dd3af81a80400ea4c5674101a5800c074bd3aec98.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30552" "*89dd76ded9f76dc5e8590241d0564c26146f3716d814a5281d65a719d5dd66cf*",".{0,1000}89dd76ded9f76dc5e8590241d0564c26146f3716d814a5281d65a719d5dd66cf.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30561" "*89e35428319e2e7ec6520f8f828c77e7a94dddf7137b17e0585cd98f5b42be4c*",".{0,1000}89e35428319e2e7ec6520f8f828c77e7a94dddf7137b17e0585cd98f5b42be4c.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","30563" "*89fc051ffcc3b4b549366dddc833f7f60f0115b7adc026cfdadb043d694d4332*",".{0,1000}89fc051ffcc3b4b549366dddc833f7f60f0115b7adc026cfdadb043d694d4332.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - 
T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30571" "*8a0f1ef0b8723089613e2754d965ac9059eed027064bdd484f417fa6f5756d12*",".{0,1000}8a0f1ef0b8723089613e2754d965ac9059eed027064bdd484f417fa6f5756d12.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30574" "*8a1ad5d4fc59693ea546bc7d9dfb9881cf33e48070907a5d7ca1b3643fb42590*",".{0,1000}8a1ad5d4fc59693ea546bc7d9dfb9881cf33e48070907a5d7ca1b3643fb42590.{0,1000}","greyware_tool_keyword","rathole","Expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30581" "*8a1d6e1d9a8494a491c1f2fef92f0243f4d39406fa159b4ecb45428148fcbeb4*",".{0,1000}8a1d6e1d9a8494a491c1f2fef92f0243f4d39406fa159b4ecb45428148fcbeb4.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30582" 
"*8a1df785e99e5bee6541eda2597872088228699c8877d83e5dabe94b07a63828*",".{0,1000}8a1df785e99e5bee6541eda2597872088228699c8877d83e5dabe94b07a63828.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30583" "*8a222ae6ff9a59164b44aac7d3005e4d75bd97997c48a51e05b5d50dbe6983af*",".{0,1000}8a222ae6ff9a59164b44aac7d3005e4d75bd97997c48a51e05b5d50dbe6983af.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30584" "*8a2d2210931d6334c680e3a73145f7bea3c90cf42c840b20d86a4e60b21147a1*",".{0,1000}8a2d2210931d6334c680e3a73145f7bea3c90cf42c840b20d86a4e60b21147a1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30589" "*8a2ee3773f2b5a22f6f01569e9d17cd3e1eba7c2e215e043c014b4bc609e55ef*",".{0,1000}8a2ee3773f2b5a22f6f01569e9d17cd3e1eba7c2e215e043c014b4bc609e55ef.{0,1000}","greyware_tool_keyword","remoteit","Expose 
localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30590" "*8a30340a7b37099b38bd6775171908ab550303bfa6fea9c2698b9f28458eaafa*",".{0,1000}8a30340a7b37099b38bd6775171908ab550303bfa6fea9c2698b9f28458eaafa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30592" "*8a35136501dde420ec5f3e88a7906c8c3d63af06621b47513befe8f09db3ed04*",".{0,1000}8a35136501dde420ec5f3e88a7906c8c3d63af06621b47513befe8f09db3ed04.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","#filehash","N/A","5","10","N/A","N/A","N/A","N/A","30595" "*8a40c683b0192db6685d75115b4d3f3663662fcd7ba4695799756413f31dc43f*",".{0,1000}8a40c683b0192db6685d75115b4d3f3663662fcd7ba4695799756413f31dc43f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","30598" "*8a51f608a0c289334d341590a8b59fce757f07fd112aaa5459fc9c51891b5e60*",".{0,1000}8a51f608a0c289334d341590a8b59fce757f07fd112aaa5459fc9c51891b5e60.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30603" "*8a589ad4b3ec87077fb149d95a7c53d4a9422c2270b8d83a17c2ae0e2bcc816f*",".{0,1000}8a589ad4b3ec87077fb149d95a7c53d4a9422c2270b8d83a17c2ae0e2bcc816f.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30607" "*8a5a774f86857f7bbae3b31c87eb96be8ded925210b2ca02b02c13dc6ee2458a*",".{0,1000}8a5a774f86857f7bbae3b31c87eb96be8ded925210b2ca02b02c13dc6ee2458a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30608" 
"*8a5b86e7ea67bd1355ca5b9ddda60ecfdfb7c0b13cf06af71c1e72e88371016d*",".{0,1000}8a5b86e7ea67bd1355ca5b9ddda60ecfdfb7c0b13cf06af71c1e72e88371016d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30609" "*8a7b41190834b28f984007d406f9c9cde8388135f8d6f2d41a821b150a13a644*",".{0,1000}8a7b41190834b28f984007d406f9c9cde8388135f8d6f2d41a821b150a13a644.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30613" "*8a9035a8ebb7500049aacb7291c559d29a2db2024cfdac39fbdd6ff277dc2764*",".{0,1000}8a9035a8ebb7500049aacb7291c559d29a2db2024cfdac39fbdd6ff277dc2764.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30614" "*8ad37d3ba1aeb25f8997349cc4d1ee21540881ebb62249c5b4c95a2a7137dcca*",".{0,1000}8ad37d3ba1aeb25f8997349cc4d1ee21540881ebb62249c5b4c95a2a7137dcca.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that 
exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30626" "*8ad8905b9296f3c26632f3bfc66302bc082b62295f6bbbb5b78e31d1e6649f26*",".{0,1000}8ad8905b9296f3c26632f3bfc66302bc082b62295f6bbbb5b78e31d1e6649f26.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30627" "*8ae07a6baa55ac7873e964c424516b450221b32e0d7f67117687e04561268848*",".{0,1000}8ae07a6baa55ac7873e964c424516b450221b32e0d7f67117687e04561268848.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30630" "*8af51e617e16cfeef3b087bbfdc9af15ec60c8195e0cb4cdef538481dfbc28ed*",".{0,1000}8af51e617e16cfeef3b087bbfdc9af15ec60c8195e0cb4cdef538481dfbc28ed.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - 
BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30642" "*8b0067e658dcbb21313ae8192aa7e1d364af8e96aeb7893ba7422ea0844e8bd5*",".{0,1000}8b0067e658dcbb21313ae8192aa7e1d364af8e96aeb7893ba7422ea0844e8bd5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30644" "*8b0da574d5be1c375f60b1f2e93a77ba8a1742df128a8557963757434e2375e2*",".{0,1000}8b0da574d5be1c375f60b1f2e93a77ba8a1742df128a8557963757434e2375e2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30648" "*8b1100e30d38c19fde571ff97412e66cdd2aef68c3699dcdb6b8416798db3cfb*",".{0,1000}8b1100e30d38c19fde571ff97412e66cdd2aef68c3699dcdb6b8416798db3cfb.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","30649" "*8b2aee9d9eabc6078ae8a4c718030be85a13464becdb99f97f635e75425eb63e*",".{0,1000}8b2aee9d9eabc6078ae8a4c718030be85a13464becdb99f97f635e75425eb63e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a 
local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30656" "*8b4025c1613827180ca686411119d98da4b7540017dfee4ec0daf6631b0394fb*",".{0,1000}8b4025c1613827180ca686411119d98da4b7540017dfee4ec0daf6631b0394fb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30663" "*8b4cda04c1c75474ce2c59d9acbc32f83deaa0a0b6ce16aff15948ebddfec63e*",".{0,1000}8b4cda04c1c75474ce2c59d9acbc32f83deaa0a0b6ce16aff15948ebddfec63e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30670" "*8b6078e8fea18dfd13473f20cd0d7e74f2724d66183d5f44437139d996ec4794*",".{0,1000}8b6078e8fea18dfd13473f20cd0d7e74f2724d66183d5f44437139d996ec4794.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","30676" "*8b831af85f7b48f5a1a2f461d77bcd70eeb92a52ecda38993614adb67f3f63ae*",".{0,1000}8b831af85f7b48f5a1a2f461d77bcd70eeb92a52ecda38993614adb67f3f63ae.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - 
T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","30681" "*8b870f77cc8e76422967eb08ea3c420e7f85a8dc689a0b4d66a4d307c20916fd*",".{0,1000}8b870f77cc8e76422967eb08ea3c420e7f85a8dc689a0b4d66a4d307c20916fd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30683" "*8b8c267ddc5eadfb6f8de8bf34fdcba33016bfad0111a38e804f328d4c8c07ba*",".{0,1000}8b8c267ddc5eadfb6f8de8bf34fdcba33016bfad0111a38e804f328d4c8c07ba.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30685" "*8b98893fa34aa790ae23dd2417e8c9a200326c05feb26101dff09cda479aeb1f*",".{0,1000}8b98893fa34aa790ae23dd2417e8c9a200326c05feb26101dff09cda479aeb1f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30687" "*8bb8d4acbcdb764276388f7cb19ee013462c9256d9fbd6068a613cca32355955*",".{0,1000}8bb8d4acbcdb764276388f7cb19ee013462c9256d9fbd6068a613cca32355955.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30696" "*8bbfc29e4494eaa861f1e8ceea0982279cae939a7cbe4a6606919e07a67b85bc*",".{0,1000}8bbfc29e4494eaa861f1e8ceea0982279cae939a7cbe4a6606919e07a67b85bc.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","30699" "*8bc84212c03f5e2ebce1c44cc5e1315309cc685592023892841cf0873a2b3560*",".{0,1000}8bc84212c03f5e2ebce1c44cc5e1315309cc685592023892841cf0873a2b3560.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30705" 
"*8bd3acb166ddf194c57b5a38af0c9b3d1a60ab623fd04efa94434dcf5bb787c8*",".{0,1000}8bd3acb166ddf194c57b5a38af0c9b3d1a60ab623fd04efa94434dcf5bb787c8.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#filehash","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","30709" "*8beb7234aac02e5ca176c452da12725723691ca186c241953ed4b15643619f58*",".{0,1000}8beb7234aac02e5ca176c452da12725723691ca186c241953ed4b15643619f58.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30713" "*8bf113cc1a24b7c1b5d2520e9e3e0f1537976afdf5dab671f92f28c91b4d00be*",".{0,1000}8bf113cc1a24b7c1b5d2520e9e3e0f1537976afdf5dab671f92f28c91b4d00be.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30714" "*8bfa813b6ae328d1a7acfe1f3919f473b482a3518afb9059bf644a2294e2ba1e*",".{0,1000}8bfa813b6ae328d1a7acfe1f3919f473b482a3518afb9059bf644a2294e2ba1e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30720" "*8bfe709bb0bb6d4e6976492ee41860bb06da468dd6baa268beaf6ba089c0a263*",".{0,1000}8bfe709bb0bb6d4e6976492ee41860bb06da468dd6baa268beaf6ba089c0a263.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30722" "*8c00683c5e735117c8970664ff145273733c5d53c630489c52461ab3730ed1ea*",".{0,1000}8c00683c5e735117c8970664ff145273733c5d53c630489c52461ab3730ed1ea.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","30723" "*8c0d6588192d65999d56f11d646d9ea17c787df2900f6061f5ac588eb18f0de6*",".{0,1000}8c0d6588192d65999d56f11d646d9ea17c787df2900f6061f5ac588eb18f0de6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 
- T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30726" "*8c191b2d03ec58627fd172193f1b90871524c5ebffe364f71308ee74de5168d4*",".{0,1000}8c191b2d03ec58627fd172193f1b90871524c5ebffe364f71308ee74de5168d4.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","30730" "*8c1b2481e4dfe27c73d6446784fae2b9d2c7d27c11e0a19b081e877a38d08c94*",".{0,1000}8c1b2481e4dfe27c73d6446784fae2b9d2c7d27c11e0a19b081e877a38d08c94.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30731" "*8c1c0d5652d1d4a77c1c48526fa46eedbaf2d57b96b5a9e632c2b4917449a912*",".{0,1000}8c1c0d5652d1d4a77c1c48526fa46eedbaf2d57b96b5a9e632c2b4917449a912.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30732" "*8c1fa8087f1f0542b4b982791b6b403e278a3ff6154ed37a20f6c590054edda4*",".{0,1000}8c1fa8087f1f0542b4b982791b6b403e278a3ff6154ed37a20f6c590054edda4.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30734" "*8c341c2d36bae1817b1f31b77d5cc68dce21f30e59dd7ccc444d7b82ac88b7cc*",".{0,1000}8c341c2d36bae1817b1f31b77d5cc68dce21f30e59dd7ccc444d7b82ac88b7cc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30735" "*8c35ea32fdfbf8dd949fb86b3f8badfb46d40cfbb6fb80fb174c0a39cc1547df*",".{0,1000}8c35ea32fdfbf8dd949fb86b3f8badfb46d40cfbb6fb80fb174c0a39cc1547df.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","30737" "*8c38c4c17d8d8382d9fe1f98db556bca3cfeb3fef0359d9d7c01ab73477b4a48*",".{0,1000}8c38c4c17d8d8382d9fe1f98db556bca3cfeb3fef0359d9d7c01ab73477b4a48.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30739" "*8c39d2ef5bd7cb5c7aae4c5094f50cbd39b2a6c3fe65a049c91f7943f679d6b9*",".{0,1000}8c39d2ef5bd7cb5c7aae4c5094f50cbd39b2a6c3fe65a049c91f7943f679d6b9.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","30740" "*8c3ca5ddeffaef4c8481b69314dc10d2d8b7da4a2e57b4ad381596d15e9767d2*",".{0,1000}8c3ca5ddeffaef4c8481b69314dc10d2d8b7da4a2e57b4ad381596d15e9767d2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30742" "*8c3d91b1b0f23fa6998de41c1f4c12eab9f14e39fc224d3055477fbdf0c8a7aa*",".{0,1000}8c3d91b1b0f23fa6998de41c1f4c12eab9f14e39fc224d3055477fbdf0c8a7aa.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30743" "*8c44028d1edb931e5561198ca64cfe1e078097ba236fd6ed14e553d9ff114f00*",".{0,1000}8c44028d1edb931e5561198ca64cfe1e078097ba236fd6ed14e553d9ff114f00.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER 
BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","30745" "*8c47d8f1ad960d0f0459bd0fae7bc33c9266943d04549145b969c9107c59703f*",".{0,1000}8c47d8f1ad960d0f0459bd0fae7bc33c9266943d04549145b969c9107c59703f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30746" "*8c4f57209e64bf6c59a9199663c8a386fc03f893d7f05539fb0f9b4a73420918*",".{0,1000}8c4f57209e64bf6c59a9199663c8a386fc03f893d7f05539fb0f9b4a73420918.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30750" "*8c55fb2a90cd6c8f90e19b1cf4413ba4fc427a67ea6cdae2369abf10d3a83e88*",".{0,1000}8c55fb2a90cd6c8f90e19b1cf4413ba4fc427a67ea6cdae2369abf10d3a83e88.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30751" "*8c589958321e847159b4c7cb3ada26e6039fffbc26a5bb6d85f34be77e136394*",".{0,1000}8c589958321e847159b4c7cb3ada26e6039fffbc26a5bb6d85f34be77e136394.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - 
BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30753" "*8c76b3f974e99232e25a8e2e3f04d15edf581ee94f9deff8ffb147c817359882*",".{0,1000}8c76b3f974e99232e25a8e2e3f04d15edf581ee94f9deff8ffb147c817359882.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30760" "*8ca61966362d5e4cf80451b1fb49151514dc8877b931c3560cdc6b44348b0501*",".{0,1000}8ca61966362d5e4cf80451b1fb49151514dc8877b931c3560cdc6b44348b0501.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30776" "*8CC59FFA-00E0-0AEA-59E8-E780672C3CB3*",".{0,1000}8CC59FFA\-00E0\-0AEA\-59E8\-E780672C3CB3.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - 
TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","#GUIDproject","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","30783" "*8cc5a818d4db91362257001f7bb7995841bf3d83bc8d91e16a4329797b937cac*",".{0,1000}8cc5a818d4db91362257001f7bb7995841bf3d83bc8d91e16a4329797b937cac.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","30784" "*8cd5ba036af3ec08897247e2092b3378d85aebf93b9c54714f7bfe644df9bbb2*",".{0,1000}8cd5ba036af3ec08897247e2092b3378d85aebf93b9c54714f7bfe644df9bbb2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30790" "*8cec1c5a5e6e7e7a7b2d2991e12587228ed2aa9428b1af003ff68dd6bd6994a4*",".{0,1000}8cec1c5a5e6e7e7a7b2d2991e12587228ed2aa9428b1af003ff68dd6bd6994a4.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","30793" "*8cefe89e6d4a1fd83f8b26e6c6e2f260a18089b09cb008850bef13ceba997aec*",".{0,1000}8cefe89e6d4a1fd83f8b26e6c6e2f260a18089b09cb008850bef13ceba997aec.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30794" "*8d0b5ca232aa2109cf7fbc5a1c046d1836d4554e8a572eb41f8967f15ca7aa91*",".{0,1000}8d0b5ca232aa2109cf7fbc5a1c046d1836d4554e8a572eb41f8967f15ca7aa91.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30799" "*8d0dc8dfb7dacb735f1a81511ef4b9bc11b1688e8f38414dee85bab39f66fab9*",".{0,1000}8d0dc8dfb7dacb735f1a81511ef4b9bc11b1688e8f38414dee85bab39f66fab9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30802" "*8d16dbb3c90052e4a2644008d40b65813912d7b117ab6f8c65e886f2881361c2*",".{0,1000}8d16dbb3c90052e4a2644008d40b65813912d7b117ab6f8c65e886f2881361c2.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30804" "*8d2056b0dbb106c28a58f7652a7a40da94e417c951638831e2687ddbbc253594*",".{0,1000}8d2056b0dbb106c28a58f7652a7a40da94e417c951638831e2687ddbbc253594.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30807" "*8d212e6de4c0cabd27572d0bf82784e470cc7732e7f8c866e7938a8132e1a768*",".{0,1000}8d212e6de4c0cabd27572d0bf82784e470cc7732e7f8c866e7938a8132e1a768.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30808" "*8d2162fe492d7be3c17eb6578d8fcdedaeffe2294156a3f898f0cdb1fb6c10a8*",".{0,1000}8d2162fe492d7be3c17eb6578d8fcdedaeffe2294156a3f898f0cdb1fb6c10a8.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","30809" "*8d218882bc3b64970ace2e697a58b701b64a2dc5d15d582244a3aaf93c9e3284*",".{0,1000}8d218882bc3b64970ace2e697a58b701b64a2dc5d15d582244a3aaf93c9e3284.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30810" "*8d2d38ec00ce9c7b59d7fb058a05709c6ecf7628cf9fcfc560c475691badc533*",".{0,1000}8d2d38ec00ce9c7b59d7fb058a05709c6ecf7628cf9fcfc560c475691badc533.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30815" 
"*8d3cb4cbaa6643fd38caec3505f0541a56883504a65759e38e8a9e8764a5f4c7*",".{0,1000}8d3cb4cbaa6643fd38caec3505f0541a56883504a65759e38e8a9e8764a5f4c7.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","30821" "*8d551e03684d6dad75e286f8f0c06a7d0e7e2c6a0830c2b3986301fb380639a2*",".{0,1000}8d551e03684d6dad75e286f8f0c06a7d0e7e2c6a0830c2b3986301fb380639a2.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","30824" "*8d59755171b977af9ec836990ee55a4d1f17873d7773131267b774b14d121fff*",".{0,1000}8d59755171b977af9ec836990ee55a4d1f17873d7773131267b774b14d121fff.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30825" "*8d5b9b9d08ffc221d1d3e37c68615134a582a91dfee1a5e482de687791716e55*",".{0,1000}8d5b9b9d08ffc221d1d3e37c68615134a582a91dfee1a5e482de687791716e55.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 
8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30826" "*8d6c023d196a5b8bed12a6e85981bca95fc50c5d234b66d92c78231b6f70b852*",".{0,1000}8d6c023d196a5b8bed12a6e85981bca95fc50c5d234b66d92c78231b6f70b852.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30827" "*8d76b2ca80541dc0e19a52323d3321260861460020bcc8db2b48de7469dfce6a*",".{0,1000}8d76b2ca80541dc0e19a52323d3321260861460020bcc8db2b48de7469dfce6a.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","30829" "*8d799787a28a5c3c5c374bd736847d6036f29f93c96b476b680ebc15abd3e43c*",".{0,1000}8d799787a28a5c3c5c374bd736847d6036f29f93c96b476b680ebc15abd3e43c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30832" "*8d800107c780c3f726b3768f5db0daa1a6d3d7ae0a505a8ea93fe554a4749294*",".{0,1000}8d800107c780c3f726b3768f5db0daa1a6d3d7ae0a505a8ea93fe554a4749294.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30834" "*8d94ccdfe844f9763d5a09b3cdaa68b44916b16f6ebcf92481837860ad010c82*",".{0,1000}8d94ccdfe844f9763d5a09b3cdaa68b44916b16f6ebcf92481837860ad010c82.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30840" "*8d9a8c8e646b26d5242d8fa7018bc58147435076d8b9c19fb3df35be786fa2da*",".{0,1000}8d9a8c8e646b26d5242d8fa7018bc58147435076d8b9c19fb3df35be786fa2da.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30841" 
"*8db3577c9f2403b2a1de27558998bacc3a2572d05046993116f7e99974c30eb4*",".{0,1000}8db3577c9f2403b2a1de27558998bacc3a2572d05046993116f7e99974c30eb4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30846" "*8dbf95ef1a8e2f9071b37445a940ef42dc1edab61897a0616741e51f0f57b841*",".{0,1000}8dbf95ef1a8e2f9071b37445a940ef42dc1edab61897a0616741e51f0f57b841.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30849" "*8dc4871ac544d2cd0ff7ccd84b8862eaf9ba0af18bd5b71e29146b17e4b13783*",".{0,1000}8dc4871ac544d2cd0ff7ccd84b8862eaf9ba0af18bd5b71e29146b17e4b13783.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - 
T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30850" "*8dc635e8706d5cfe7bd8cafbd8a0885431f57b4b4a2804076796cdf2aea633cc*",".{0,1000}8dc635e8706d5cfe7bd8cafbd8a0885431f57b4b4a2804076796cdf2aea633cc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30851" "*8dcd8560184c700cf3800cbfa76639d1e3eeda602963c40f56390626c51f9aa6*",".{0,1000}8dcd8560184c700cf3800cbfa76639d1e3eeda602963c40f56390626c51f9aa6.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30855" "*8ddb3051c0e78a09fdeb747ecc8c10ab027b760e354f07fb7255ff1879d5ca10*",".{0,1000}8ddb3051c0e78a09fdeb747ecc8c10ab027b760e354f07fb7255ff1879d5ca10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon 
Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30858" "*8ddb38319fb34f580a0f3732fcf3f40b13c2b562fd676b189481e1cc0e361381*",".{0,1000}8ddb38319fb34f580a0f3732fcf3f40b13c2b562fd676b189481e1cc0e361381.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30859" "*8ddef07fe02333400b850d0893f14117ee05dd831c877a08e54a247da9e2fdbc*",".{0,1000}8ddef07fe02333400b850d0893f14117ee05dd831c877a08e54a247da9e2fdbc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30860" "*8e05baa844d928b6239bd9f43cd3e065fc2af971930bc6344e2c899d7eea14db*",".{0,1000}8e05baa844d928b6239bd9f43cd3e065fc2af971930bc6344e2c899d7eea14db.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30869" "*8e0c49fad69525d1219415d2f0651fd243ddf02291fd95e91d2b074d4858c31f*",".{0,1000}8e0c49fad69525d1219415d2f0651fd243ddf02291fd95e91d2b074d4858c31f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of 
ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30873" "*8e1229aa0b2e52959717025d100a4884d531c280c29f02d67ee09d1cadbc3450*",".{0,1000}8e1229aa0b2e52959717025d100a4884d531c280c29f02d67ee09d1cadbc3450.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30875" "*8e24b029f4c9625430ab652fd81f3250c0f6d04390f7c5e7f7f19b4a7b9273d0*",".{0,1000}8e24b029f4c9625430ab652fd81f3250c0f6d04390f7c5e7f7f19b4a7b9273d0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30880" 
"*8e24ddb5034a5040734272416b8b504a547967cbddb203a44990570e3996ba7a*",".{0,1000}8e24ddb5034a5040734272416b8b504a547967cbddb203a44990570e3996ba7a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30881" "*8e293b5a49ada7798b6d681ec267efecd5c6fbd12163ac13b042707b80f56c50*",".{0,1000}8e293b5a49ada7798b6d681ec267efecd5c6fbd12163ac13b042707b80f56c50.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","30883" "*8e300a72a7e181e970c8fd89e9c5678c3083ef72a9ab61378b61b5159c23713d*",".{0,1000}8e300a72a7e181e970c8fd89e9c5678c3083ef72a9ab61378b61b5159c23713d.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","30885" 
"*8e306bcd87bb1fbfe39a22da9ab02751cd9289b721da818a7b0cbc2916e98493*",".{0,1000}8e306bcd87bb1fbfe39a22da9ab02751cd9289b721da818a7b0cbc2916e98493.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30886" "*8e325e200b07f05667d65277b96f3c3acd02f54466a3ffbda27a5f4ec5fb8776*",".{0,1000}8e325e200b07f05667d65277b96f3c3acd02f54466a3ffbda27a5f4ec5fb8776.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30887" "*8e3342af739a94b7574d90e940bd22d5d81cf45739c73dc5f9b3060d8cb20360*",".{0,1000}8e3342af739a94b7574d90e940bd22d5d81cf45739c73dc5f9b3060d8cb20360.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30888" "*8e34869d0ba4e0fce056c0c000758541cb48a494ee6e7b516cb3085ded7e44c7*",".{0,1000}8e34869d0ba4e0fce056c0c000758541cb48a494ee6e7b516cb3085ded7e44c7.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","30889" "*8e3a219286ad2715712ada61697d622cf5eb597a05bab126546101cc48e0991b*",".{0,1000}8e3a219286ad2715712ada61697d622cf5eb597a05bab126546101cc48e0991b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30891" "*8e454334de0de74a6e53ee1d26e24cd2b0f41427922d9e92e6d49cf5db942a3c*",".{0,1000}8e454334de0de74a6e53ee1d26e24cd2b0f41427922d9e92e6d49cf5db942a3c.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","30894" "*8e459ac9f01ef6901b45681fe24dd1abc411a2e35a85a108f9e209d1b0182321*",".{0,1000}8e459ac9f01ef6901b45681fe24dd1abc411a2e35a85a108f9e209d1b0182321.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a 
socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","30896" "*8e4a98c04bf869e228ca6d7abf130eb2307aa41c6ac920cceb31591f485c1a56*",".{0,1000}8e4a98c04bf869e228ca6d7abf130eb2307aa41c6ac920cceb31591f485c1a56.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","30898" "*8e4e8c65009ee13aec866c4f188e8c1db49eb1b88ecad222abfe2a1249d629a6*",".{0,1000}8e4e8c65009ee13aec866c4f188e8c1db49eb1b88ecad222abfe2a1249d629a6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30901" "*8e52ca779ef1c3d2bc568eb729c3e2452cb767e091348ec45d374dcc4ddf6ec3*",".{0,1000}8e52ca779ef1c3d2bc568eb729c3e2452cb767e091348ec45d374dcc4ddf6ec3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30902" "*8e596f227367e273468b5833ab4169b6994bbfc5c1a2a3b85796a769f9444836*",".{0,1000}8e596f227367e273468b5833ab4169b6994bbfc5c1a2a3b85796a769f9444836.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30905" "*8e61b9221dd7aeab8c362c7d580eec35e192317bb8c645909e0ce95b91c1332a*",".{0,1000}8e61b9221dd7aeab8c362c7d580eec35e192317bb8c645909e0ce95b91c1332a.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30906" "*8e63f8fb62f2dd2f310bf619ab65c97d5dd1835d97cced5eb8cebddd293d2d06*",".{0,1000}8e63f8fb62f2dd2f310bf619ab65c97d5dd1835d97cced5eb8cebddd293d2d06.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","30907" "*8e7cd66e174744da7d7c8ec0d9caee4a0b1a57d9f51d9967ae1e8fc78f938a82*",".{0,1000}8e7cd66e174744da7d7c8ec0d9caee4a0b1a57d9f51d9967ae1e8fc78f938a82.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30913" "*8e8bb13fb0d7beb316487ecde8ead5426784cdcdbf8b4d8dd381c6fe8c7d92a0*",".{0,1000}8e8bb13fb0d7beb316487ecde8ead5426784cdcdbf8b4d8dd381c6fe8c7d92a0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30917" "*8eb3e6b0ac776c819158b0127631f860223f5fe80cc7297d01626252562cb866*",".{0,1000}8eb3e6b0ac776c819158b0127631f860223f5fe80cc7297d01626252562cb866.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","30926" 
"*8ecf30ac7c14f85da20c1761c6418979282bff12db4d82ade2f4a1a8037bdf6e*",".{0,1000}8ecf30ac7c14f85da20c1761c6418979282bff12db4d82ade2f4a1a8037bdf6e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","30931" "*8ee8ca3b67ad7256a43c6a7d00cee2c22ff45929cd69d75e7212c42485f37c97*",".{0,1000}8ee8ca3b67ad7256a43c6a7d00cee2c22ff45929cd69d75e7212c42485f37c97.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30936" "*8eef0831a9aa9bbf01ae154c47595b024470c07be4c80b37b73b47590467bc32*",".{0,1000}8eef0831a9aa9bbf01ae154c47595b024470c07be4c80b37b73b47590467bc32.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30938" "*8f0b8c0bc95134a4de6b0e1843e4f06f895a86778eaf0ec4de037827e14a75ff*",".{0,1000}8f0b8c0bc95134a4de6b0e1843e4f06f895a86778eaf0ec4de037827e14a75ff.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30950" 
"*8f0ddf90f4cc44499bbeb0f2d3ff298cd5e5d206ca759535495ee767e83b6023*",".{0,1000}8f0ddf90f4cc44499bbeb0f2d3ff298cd5e5d206ca759535495ee767e83b6023.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30952" "*8f1198f114049ac2a556308e557acd1ab0174bf7943b2da160be8f32873f81ea*",".{0,1000}8f1198f114049ac2a556308e557acd1ab0174bf7943b2da160be8f32873f81ea.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","30953" "*8f28c38a0b2af6ac96c4a7e1a2c0f296b2410f845d9aca8487843a1edac4271d*",".{0,1000}8f28c38a0b2af6ac96c4a7e1a2c0f296b2410f845d9aca8487843a1edac4271d.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","30958" "*8f4662a487860ced024b2b38e6386a97ff7986313778a54a559eb0fc52e98606*",".{0,1000}8f4662a487860ced024b2b38e6386a97ff7986313778a54a559eb0fc52e98606.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However, attackers can misuse it to gather valuable information about the network environment, including user accounts, group memberships, domain controllers, and domain trusts. This gathered intelligence can aid in Lateral Movement, privilege escalation,
or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","30966" "*8f614310b7de7c1d7e19932a82f40a91e7c328966f9b3dec08fe8266bbcfdc7d*",".{0,1000}8f614310b7de7c1d7e19932a82f40a91e7c328966f9b3dec08fe8266bbcfdc7d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","30970" "*8f68e92980c29558c0ad80dd89fb6823a710c7545a08ea061318f67e4fedc6db*",".{0,1000}8f68e92980c29558c0ad80dd89fb6823a710c7545a08ea061318f67e4fedc6db.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30971" "*8f722963b5b107b2856cb4169ed16aaf5b823df9795bf4dd11b97d644fa39347*",".{0,1000}8f722963b5b107b2856cb4169ed16aaf5b823df9795bf4dd11b97d644fa39347.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30976" 
"*8f72c5927a494dd87792908f62fbe8860e2f0c10c1ff1f622c5a484fcd78ad2e*",".{0,1000}8f72c5927a494dd87792908f62fbe8860e2f0c10c1ff1f622c5a484fcd78ad2e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30977" "*8f73adfa8bd478c3cb11768d32d7578fd57eaaa3f1d72458f008aee959c95dd9*",".{0,1000}8f73adfa8bd478c3cb11768d32d7578fd57eaaa3f1d72458f008aee959c95dd9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30978" "*8f776a7b5ddd0bde673a03e6bdd55274e6e2e3766df080e7c6b5effe9cb95e4c*",".{0,1000}8f776a7b5ddd0bde673a03e6bdd55274e6e2e3766df080e7c6b5effe9cb95e4c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30979" "*8f798e081ea1cb1e106552ab9a7241994d3c05dd18970f3e1ad8329d3738bd7e*",".{0,1000}8f798e081ea1cb1e106552ab9a7241994d3c05dd18970f3e1ad8329d3738bd7e.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","30981" "*8f8eee3e9651b9f7384a323ba3c26a5667a6388ab2ef8e6d869d3cd69b9f7c95*",".{0,1000}8f8eee3e9651b9f7384a323ba3c26a5667a6388ab2ef8e6d869d3cd69b9f7c95.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","30982" "*8f904a5fd2b5c821121ad0003e3f4021cc5f1c2969d14e64e67ce35721ab6f70*",".{0,1000}8f904a5fd2b5c821121ad0003e3f4021cc5f1c2969d14e64e67ce35721ab6f70.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","30983" "*8faa1748975d3557974c240d1f30bfc6f100a4ec3a9c2f405c0814dfd45fe384*",".{0,1000}8faa1748975d3557974c240d1f30bfc6f100a4ec3a9c2f405c0814dfd45fe384.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","30990" "*8fbd69db6654ae517ffe8cc2d2750d41b4507f840fe928a5f5f3b6003b85fc5d*",".{0,1000}8fbd69db6654ae517ffe8cc2d2750d41b4507f840fe928a5f5f3b6003b85fc5d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","30992" "*8fc95d849e66592d8a52f98f28c2d7443b8b2057fc6bafe2a5fca05251507300*",".{0,1000}8fc95d849e66592d8a52f98f28c2d7443b8b2057fc6bafe2a5fca05251507300.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","30999" "*8fcc7cb6eee6a29804ae22281e0477c47de9a924bd7beb9bed24f7c1d84d8a9d*",".{0,1000}8fcc7cb6eee6a29804ae22281e0477c47de9a924bd7beb9bed24f7c1d84d8a9d.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","31001" 
"*8fd62fc653cef0bf765a71cf20a917c8440689e9f5ff77e95a5fea7be6818c66*",".{0,1000}8fd62fc653cef0bf765a71cf20a917c8440689e9f5ff77e95a5fea7be6818c66.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","31002" "*8fe928a203b33b847646d9d0e9dcf825903f7379266fab08ec5e44ddec9aa4ed*",".{0,1000}8fe928a203b33b847646d9d0e9dcf825903f7379266fab08ec5e44ddec9aa4ed.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31004" "*9010d659ebb3159009acff108d94c8347aa48f1c41c12176a6c7142ef7ddfd05*",".{0,1000}9010d659ebb3159009acff108d94c8347aa48f1c41c12176a6c7142ef7ddfd05.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31011" "*9033c6def481bde4bf7f2361966ae0ea92dfda5763a167460dcf0e231a2d02b8*",".{0,1000}9033c6def481bde4bf7f2361966ae0ea92dfda5763a167460dcf0e231a2d02b8.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31020" 
"*9043fcb49a3326bc9887c4a8cff27560c53edf4792fc94024f756a5791da38a8*",".{0,1000}9043fcb49a3326bc9887c4a8cff27560c53edf4792fc94024f756a5791da38a8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31026" "*904b906cc465dd679a00487497e3891d33fca6b6e25c184400bccfb248344f39*",".{0,1000}904b906cc465dd679a00487497e3891d33fca6b6e25c184400bccfb248344f39.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31030" "*905332f37ef23c8e8313a76e89ef3388329427c9136de626ae4f7cc5876c584e*",".{0,1000}905332f37ef23c8e8313a76e89ef3388329427c9136de626ae4f7cc5876c584e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31031" "*905a3126b66ae96cf8171b13f7b727d44971636c1504a496fbd1b7250a491711*",".{0,1000}905a3126b66ae96cf8171b13f7b727d44971636c1504a496fbd1b7250a491711.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that
exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","31032" "*905bda9ca65d9b7f6151de763a7c3ce2dd15a69b8410d89b04dd5bb68d17dece*",".{0,1000}905bda9ca65d9b7f6151de763a7c3ce2dd15a69b8410d89b04dd5bb68d17dece.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","31033" "*906172da211b4b657ad01652ffa8911d5add169b3eca2c77f5f1b79a178fe977*",".{0,1000}906172da211b4b657ad01652ffa8911d5add169b3eca2c77f5f1b79a178fe977.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","31034" "*9061caad3082f4d275d90f2975ef120fb71f6537ed88d08db1a3b5404db5ae49*",".{0,1000}9061caad3082f4d275d90f2975ef120fb71f6537ed88d08db1a3b5404db5ae49.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31035" "*9062e56b98173ae9b000e2cf867d388577442863c83ac3b6a48e90a776cf75ad*",".{0,1000}9062e56b98173ae9b000e2cf867d388577442863c83ac3b6a48e90a776cf75ad.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31036" "*906b60debb9c88e649118409185663b29d3f29f668ca58de314890743a2c7277*",".{0,1000}906b60debb9c88e649118409185663b29d3f29f668ca58de314890743a2c7277.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31040" "*906c39d77d4fab235031fb83f0dc40657c4c25251be92de4236551c15033e997*",".{0,1000}906c39d77d4fab235031fb83f0dc40657c4c25251be92de4236551c15033e997.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31041" "*907fa204febdb90eb266bb824eea4e81ebeb3257eabc1c127b8dd17882c4ea8d*",".{0,1000}907fa204febdb90eb266bb824eea4e81ebeb3257eabc1c127b8dd17882c4ea8d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - 
Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31045" "*90803cb7a60a71766d20b494eb85e92789c3b0f6212f67595540ab706cb734d6*",".{0,1000}90803cb7a60a71766d20b494eb85e92789c3b0f6212f67595540ab706cb734d6.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31046" "*9084acb8a61d051af66cad27ceb81976c45c4378e9846a22d8befe3294217e7d*",".{0,1000}9084acb8a61d051af66cad27ceb81976c45c4378e9846a22d8befe3294217e7d.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","31047" "*908fe7bf70340eb71df77a54c9fbcedf514573e81f6efd15a9110b4a25d9b878*",".{0,1000}908fe7bf70340eb71df77a54c9fbcedf514573e81f6efd15a9110b4a25d9b878.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31051" "*90bd1055ada3023d8d6ffbf9d1458bb71817c51e152b004afa51ebb1d812b2f9*",".{0,1000}90bd1055ada3023d8d6ffbf9d1458bb71817c51e152b004afa51ebb1d812b2f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of 
ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31061" "*90e0acfe005774296f6b39b88bda3819bb29f0debd6340bc048bfcca38898c8a*",".{0,1000}90e0acfe005774296f6b39b88bda3819bb29f0debd6340bc048bfcca38898c8a.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","31070" "*90e1610b1a020875e5d02774f28770a32787cd4379ce184890979e8f241b904d*",".{0,1000}90e1610b1a020875e5d02774f28770a32787cd4379ce184890979e8f241b904d.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31071" "*90e1610b1a020875e5d02774f28770a32787cd4379ce184890979e8f241b904d*",".{0,1000}90e1610b1a020875e5d02774f28770a32787cd4379ce184890979e8f241b904d.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31072" "*90e1610b1a020875e5d02774f28770a32787cd4379ce184890979e8f241b904d*",".{0,1000}90e1610b1a020875e5d02774f28770a32787cd4379ce184890979e8f241b904d.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31073" "*90eff64c5a742c7d96d87648a15bcb33145ebebab593f0c0161dae22880b90a0*",".{0,1000}90eff64c5a742c7d96d87648a15bcb33145ebebab593f0c0161dae22880b90a0.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","31078" "*90f66748d7cafe4e995a0ebcb7e7e10b84454618f02cc9dfdcb0bdfa01000642*",".{0,1000}90f66748d7cafe4e995a0ebcb7e7e10b84454618f02cc9dfdcb0bdfa01000642.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31081" 
"*90ff7409de18be284f8b8e1babe716d653f74b225b37704448fc46edb4b04c3a*",".{0,1000}90ff7409de18be284f8b8e1babe716d653f74b225b37704448fc46edb4b04c3a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31083" "*910a62b83b8cf94db949509d93246ba48c7ff85588c344ddde09a7389879d2df*",".{0,1000}910a62b83b8cf94db949509d93246ba48c7ff85588c344ddde09a7389879d2df.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31085" "*911a1b84f2100d2ac691c0bb28955fd2ab65e76cb2dbe651b21f6072a508e2be*",".{0,1000}911a1b84f2100d2ac691c0bb28955fd2ab65e76cb2dbe651b21f6072a508e2be.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31088" "*9135fc8890e155d1a3dac0907b5081e171cbbfddb6e19e238741d719c951d2ef*",".{0,1000}9135fc8890e155d1a3dac0907b5081e171cbbfddb6e19e238741d719c951d2ef.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","31103" 
"*913a779a64c4488167dd4d0e43427498ac2bb64b63ad6075b38c5c4af4f2e768*",".{0,1000}913a779a64c4488167dd4d0e43427498ac2bb64b63ad6075b38c5c4af4f2e768.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","31105" "*91402feaab59a5c836e1f2a5ee6f0eb3569bc63cd6f8c374693fc9b76bc8ff05*",".{0,1000}91402feaab59a5c836e1f2a5ee6f0eb3569bc63cd6f8c374693fc9b76bc8ff05.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31107" "*9147ff5871fe6cfb56f5ad85e69570ef5d904a20b4cf8135a59ea687e9efe7b0*",".{0,1000}9147ff5871fe6cfb56f5ad85e69570ef5d904a20b4cf8135a59ea687e9efe7b0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31109" "*914948948e8f1914d9292ebdc18b3cd876bc6acc9177eedbd8908a03d12c73aa*",".{0,1000}914948948e8f1914d9292ebdc18b3cd876bc6acc9177eedbd8908a03d12c73aa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with 
cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31110" "*917759e1b76b72229b5dc928b07af4a4d1f99b41111da42580aeb28ef2aefd3e*",".{0,1000}917759e1b76b72229b5dc928b07af4a4d1f99b41111da42580aeb28ef2aefd3e.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31117" "*9183f495b28acb12c872175c6af1f6ba8ca677650cb9d2774caefea273294c8a*",".{0,1000}9183f495b28acb12c872175c6af1f6ba8ca677650cb9d2774caefea273294c8a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31118" 
"*9195ca93854a739d434ec0ce62ef7b6fa159402624cd49b41a5ad1f3ad8f138b*",".{0,1000}9195ca93854a739d434ec0ce62ef7b6fa159402624cd49b41a5ad1f3ad8f138b.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31123" "*9198c43abd08b3a09ea59226282447316e13da579713dda2d81a28c37902d2c8*",".{0,1000}9198c43abd08b3a09ea59226282447316e13da579713dda2d81a28c37902d2c8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31124" "*91a81f86738737dbda68c20ba8622121302ca0b81b7a9f926fd04aa13607fef5*",".{0,1000}91a81f86738737dbda68c20ba8622121302ca0b81b7a9f926fd04aa13607fef5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31128" 
"*91ab146f1353958d24cc4d3c909de7bfb2d83abc348e5aa96dd57262c38a024f*",".{0,1000}91ab146f1353958d24cc4d3c909de7bfb2d83abc348e5aa96dd57262c38a024f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31129" "*91aceb4ee71ac847521007ac796e718ad5bb6577c28b5c992e810e2f4e402046*",".{0,1000}91aceb4ee71ac847521007ac796e718ad5bb6577c28b5c992e810e2f4e402046.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31131" "*91b1b306c1a538dd6d60857a1da9019241034bcaf0cc19e0c07abfaa8f6a8f75*",".{0,1000}91b1b306c1a538dd6d60857a1da9019241034bcaf0cc19e0c07abfaa8f6a8f75.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31135" "*91b92f7f1c87b8b7ebf5ccc9b986fff74322cb349492852f6bfe7eb44bf8b3d1*",".{0,1000}91b92f7f1c87b8b7ebf5ccc9b986fff74322cb349492852f6bfe7eb44bf8b3d1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31137" 
"*91bc0b2cabb6618b228003f1f7f4467b1867eae3c3f42081ee8c4e30e937e77e*",".{0,1000}91bc0b2cabb6618b228003f1f7f4467b1867eae3c3f42081ee8c4e30e937e77e.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","31138" "*91c60eb7b5f95951e96a2437ee51dbae7821377e8e4864279b41c53791481b6a*",".{0,1000}91c60eb7b5f95951e96a2437ee51dbae7821377e8e4864279b41c53791481b6a.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","31141" "*91d383deb3cd0128ba1237af0173f0c1a90255aab5d03b8f2be1e454cfb243ae*",".{0,1000}91d383deb3cd0128ba1237af0173f0c1a90255aab5d03b8f2be1e454cfb243ae.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31143" 
"*91e79ff8d9ef358c1f73113ae2f280d4fe73302a2d2871f1c13430ea9fd96157*",".{0,1000}91e79ff8d9ef358c1f73113ae2f280d4fe73302a2d2871f1c13430ea9fd96157.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31147" "*91e7b6bf8831219775f176389103295d7065a7e6eb74c68c1093416be508ba14*",".{0,1000}91e7b6bf8831219775f176389103295d7065a7e6eb74c68c1093416be508ba14.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31148" "*91f46654fd8eae9fcc5a7189c6629a7e4b8f49654d996bbb45432cb4a46ac8f7*",".{0,1000}91f46654fd8eae9fcc5a7189c6629a7e4b8f49654d996bbb45432cb4a46ac8f7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31153" "*921cf5b205e08c55b7d72439f0f27c4436cad9624493adedaec15a0283608d37*",".{0,1000}921cf5b205e08c55b7d72439f0f27c4436cad9624493adedaec15a0283608d37.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the 
device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31163" "*921e9e63dabdae842d71d8f7e856d50e0bb25fa9e4e8aa40ac248b88fb4cb808*",".{0,1000}921e9e63dabdae842d71d8f7e856d50e0bb25fa9e4e8aa40ac248b88fb4cb808.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31164" "*9242f2e59ea99bd890e8f92b95a91a4237df9572fc93c6bc64997d5705ae03bc*",".{0,1000}9242f2e59ea99bd890e8f92b95a91a4237df9572fc93c6bc64997d5705ae03bc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31173" "*9245cafed0bc3f0531950cb8f31e3b7c2711a2785c79ec088d554bb8fe16ae81*",".{0,1000}9245cafed0bc3f0531950cb8f31e3b7c2711a2785c79ec088d554bb8fe16ae81.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31174" "*926cd10478e0da5ccfa5dcc0bd04701f4107d50e8cc6c33f665a62e9543504e8*",".{0,1000}926cd10478e0da5ccfa5dcc0bd04701f4107d50e8cc6c33f665a62e9543504e8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31182" "*926dd1743afb553ef123f185b1ea1a0a463a25b4c4d0635142fa4ee4d5aceedb*",".{0,1000}926dd1743afb553ef123f185b1ea1a0a463a25b4c4d0635142fa4ee4d5aceedb.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","31183" "*9275bf1e2cdc8a8c9c3bb6a1c808d64e55e03493194792503c2119fd5c8e7345*",".{0,1000}9275bf1e2cdc8a8c9c3bb6a1c808d64e55e03493194792503c2119fd5c8e7345.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31185" 
"*929081341e76319dc5209b58611cc5304b940bed099b2b63589534d1963afab7*",".{0,1000}929081341e76319dc5209b58611cc5304b940bed099b2b63589534d1963afab7.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31198" "*9292fadcd27e41de30c6cd2356f882a53488ff91f60999170dfd4be311af37fb*",".{0,1000}9292fadcd27e41de30c6cd2356f882a53488ff91f60999170dfd4be311af37fb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31199" "*9299c297f6c75c6aa2bbbb5de27172e367328b6f5bbb6f8d1c4ca73c4c4af415*",".{0,1000}9299c297f6c75c6aa2bbbb5de27172e367328b6f5bbb6f8d1c4ca73c4c4af415.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31203" "*92a11c9ee2af4ffb55d05210813c7ff309f90274a1d211018acc2643367b2534*",".{0,1000}92a11c9ee2af4ffb55d05210813c7ff309f90274a1d211018acc2643367b2534.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","31207" "*92a895f1fc289a338ff9008045e94525099421d66829dece14c9eb880f685280*",".{0,1000}92a895f1fc289a338ff9008045e94525099421d66829dece14c9eb880f685280.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31208" "*92aa5912f3ba113f7a763afae465ec6cae0542db7e81a544e84db144526ca887*",".{0,1000}92aa5912f3ba113f7a763afae465ec6cae0542db7e81a544e84db144526ca887.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31209" "*92ba52da6b5b623559117809305a93ee9ad6da07ea6352efec349e8d2760d307*",".{0,1000}92ba52da6b5b623559117809305a93ee9ad6da07ea6352efec349e8d2760d307.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","31211" "*92c11dc911a2dd27aab2a607f55135cfe30da9fe68d3604b2efd798faf640a76*",".{0,1000}92c11dc911a2dd27aab2a607f55135cfe30da9fe68d3604b2efd798faf640a76.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31213" "*92c129a8547733e8de54b84e7e0a233cdd1330083a07cb1309926eb8dd678db9*",".{0,1000}92c129a8547733e8de54b84e7e0a233cdd1330083a07cb1309926eb8dd678db9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31214" "*92c70b09d49bef20ae730c579e125f4f7c66d85ef2249c77694f0066a3156b26*",".{0,1000}92c70b09d49bef20ae730c579e125f4f7c66d85ef2249c77694f0066a3156b26.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","#filehash","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","31217" "*92cc3feb57149c0b4dba7ec198dbda26c4831cde0a7c74a7d9f51e0002f65ead*",".{0,1000}92cc3feb57149c0b4dba7ec198dbda26c4831cde0a7c74a7d9f51e0002f65ead.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31219" "*92ceaf15be171e0e426f88ecb0fb5e13e27817c4c4126ce1452dc09940e3ac27*",".{0,1000}92ceaf15be171e0e426f88ecb0fb5e13e27817c4c4126ce1452dc09940e3ac27.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 
- T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31221" "*92d2460414d1b79ae54466442eae7628bbb343c70948e8c2f9afa4d158a0f3ef*",".{0,1000}92d2460414d1b79ae54466442eae7628bbb343c70948e8c2f9afa4d158a0f3ef.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31222" "*92db559fbecc1fa2cc3bd5ed4c34c7f4e65fcf5fcb9186d1c8403a503f025c4f*",".{0,1000}92db559fbecc1fa2cc3bd5ed4c34c7f4e65fcf5fcb9186d1c8403a503f025c4f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31225" "*92dfe587c369ed8afad29bcb4ae5ed9a313cb563b2e52ff0b0494f15dcd5fd33*",".{0,1000}92dfe587c369ed8afad29bcb4ae5ed9a313cb563b2e52ff0b0494f15dcd5fd33.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one 
place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31226" "*92e23b3baec268e8b8eea8833e0d1aa5c2cf337ca20be4ceb2880d8aaaf89d4a*",".{0,1000}92e23b3baec268e8b8eea8833e0d1aa5c2cf337ca20be4ceb2880d8aaaf89d4a.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","31227" "*92e6621b5b0f2972111efcfc6e09c3102e1872d2358350901deea1d2d363776a*",".{0,1000}92e6621b5b0f2972111efcfc6e09c3102e1872d2358350901deea1d2d363776a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31229" "*92f34dca0bd5715dbfffcdceeb89ffab9cd8115c2faf07cbd1e34071795cdb44*",".{0,1000}92f34dca0bd5715dbfffcdceeb89ffab9cd8115c2faf07cbd1e34071795cdb44.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31232" "*92f384f789dae517d1da7493322db430f5a7d4a6b7d7b74ca3b075bfac881b15*",".{0,1000}92f384f789dae517d1da7493322db430f5a7d4a6b7d7b74ca3b075bfac881b15.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","31233" "*92f9a5bbfd116c4e20227af72b651b95a4190b346cb391762d0d50f5245d3355*",".{0,1000}92f9a5bbfd116c4e20227af72b651b95a4190b346cb391762d0d50f5245d3355.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31235" "*93050aec30d7f0268e4fa3ac695a1131f838fe19a625bf574c322c1914b76c93*",".{0,1000}93050aec30d7f0268e4fa3ac695a1131f838fe19a625bf574c322c1914b76c93.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","31237" "*930fd8e9878e8e96b022a9ab62f3471938c8c93898914df46a02d49f246abb22*",".{0,1000}930fd8e9878e8e96b022a9ab62f3471938c8c93898914df46a02d49f246abb22.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31240" "*931899dfc6ec5692d5795ff883ccd8353f65ffbbbb4fd2edd7eefd02fe61aa8a*",".{0,1000}931899dfc6ec5692d5795ff883ccd8353f65ffbbbb4fd2edd7eefd02fe61aa8a.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","31241" "*932b8b4b1eb134c644a3edb0536db25a65e9c703d61f28f7efff5fa13de1d8e8*",".{0,1000}932b8b4b1eb134c644a3edb0536db25a65e9c703d61f28f7efff5fa13de1d8e8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31243" "*932c73eab9396ea8804470d3877d844f29c2e45ea3826792e3fd40e2c455b34c*",".{0,1000}932c73eab9396ea8804470d3877d844f29c2e45ea3826792e3fd40e2c455b34c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31244" "*932e8b9e1041cc300cbfa5f6203d906d8ce93974f88054af515024d32c29d0ba*",".{0,1000}932e8b9e1041cc300cbfa5f6203d906d8ce93974f88054af515024d32c29d0ba.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - 
BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31245" "*933c42cc2516eb49b1af6e7a601b79e3e993c192ed3c50b7a96d22398197dc96*",".{0,1000}933c42cc2516eb49b1af6e7a601b79e3e993c192ed3c50b7a96d22398197dc96.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31251" "*93502803691a7c14ccd0c0132ac8b12dafb621e7840243887150c3e68836b998*",".{0,1000}93502803691a7c14ccd0c0132ac8b12dafb621e7840243887150c3e68836b998.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31256" "*935c0c6c3eee84d0550edaf387712dd24924d94ae327244ae36611c4ebbeda49*",".{0,1000}935c0c6c3eee84d0550edaf387712dd24924d94ae327244ae36611c4ebbeda49.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31259" "*937e41a72f88eb49c60782807ff44014c16d4ccf348d4ddd03741124ac7cab8d*",".{0,1000}937e41a72f88eb49c60782807ff44014c16d4ccf348d4ddd03741124ac7cab8d.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud 
for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","31266" "*93ac87327b298ef599f47868fa285215cf574671b421c9759ba0f966908320ac*",".{0,1000}93ac87327b298ef599f47868fa285215cf574671b421c9759ba0f966908320ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31275" "*93afeb34c835796508383b70028216eb3d43b2bf63bb3f7493acd1ec533d588e*",".{0,1000}93afeb34c835796508383b70028216eb3d43b2bf63bb3f7493acd1ec533d588e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31277" "*93bd89817c42e31310485eaa1532e6431b557e2b2850f9dcbfa5cd6b4b60b189*",".{0,1000}93bd89817c42e31310485eaa1532e6431b557e2b2850f9dcbfa5cd6b4b60b189.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31283" "*93c99378e20e88a9b81826b6619fde2bf261b278cfc2cdb79697a1575f9120fc*",".{0,1000}93c99378e20e88a9b81826b6619fde2bf261b278cfc2cdb79697a1575f9120fc.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However, attackers can misuse it to gather valuable information about the network environment, including user accounts, group memberships, domain controllers, and domain trusts. This gathered intelligence can aid in Lateral Movement, privilege escalation, or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","31285" "*93f78fad351a6fe69b67f2802f74d96f1c7706d364c37eb4bafcbe4d3e3e6bff*",".{0,1000}93f78fad351a6fe69b67f2802f74d96f1c7706d364c37eb4bafcbe4d3e3e6bff.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31294" 
"*94004895c51abc532d7bddc290fa71d5b390dec2daa7d4b9ecc6e257896ac564*",".{0,1000}94004895c51abc532d7bddc290fa71d5b390dec2daa7d4b9ecc6e257896ac564.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","31295" "*940b828e6701c3692a43eb30c3adca158194098f8ad78d7685c05d39b14d175b*",".{0,1000}940b828e6701c3692a43eb30c3adca158194098f8ad78d7685c05d39b14d175b.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31299" "*940d75fcbce367cd600b46e2cdf9bae1481e6e977064996e11782b8da58fb106*",".{0,1000}940d75fcbce367cd600b46e2cdf9bae1481e6e977064996e11782b8da58fb106.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","31300" "*94158766003e207f843092ba29787aeb83800799fe9f605682c761d8c75deba7*",".{0,1000}94158766003e207f843092ba29787aeb83800799fe9f605682c761d8c75deba7.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","31302" "*94169b8d725d30bb0ddf19db73d18b99544dcc52521507419eb7fb42823ea8ac*",".{0,1000}94169b8d725d30bb0ddf19db73d18b99544dcc52521507419eb7fb42823ea8ac.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31303" "*94253480a0f1e3be221902d60f94463420057f8d84f9136abd6b7448332a1fe6*",".{0,1000}94253480a0f1e3be221902d60f94463420057f8d84f9136abd6b7448332a1fe6.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31308" "*9426eb3d0fe973759d8337e545a88489798fe415c608c0fe29cceabeac8f63ab*",".{0,1000}9426eb3d0fe973759d8337e545a88489798fe415c608c0fe29cceabeac8f63ab.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31309" "*9456bf9d11fd8cee55619fc0a2ffe3443f9bfea51589af5c3b1282dfa50eb2a7*",".{0,1000}9456bf9d11fd8cee55619fc0a2ffe3443f9bfea51589af5c3b1282dfa50eb2a7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31316" "*9468c5f983186a7d50d82bd7591bd2f6080fbb1fcfb63c0a2ded18ba359d9f2f*",".{0,1000}9468c5f983186a7d50d82bd7591bd2f6080fbb1fcfb63c0a2ded18ba359d9f2f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31321" "*947895eee1492a0f6da5c69fe68361b97359f52f99ac72f7947a456618f0ec7f*",".{0,1000}947895eee1492a0f6da5c69fe68361b97359f52f99ac72f7947a456618f0ec7f.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31324" "*94946b5d24521ce4b32bc67219ea8d24c930c8a65c1723a39478959ab1a909df*",".{0,1000}94946b5d24521ce4b32bc67219ea8d24c930c8a65c1723a39478959ab1a909df.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31331" 
"*94a3f1629cf89a01895fbace61e1533c0e7541b39a223581ec247e409ef4c329*",".{0,1000}94a3f1629cf89a01895fbace61e1533c0e7541b39a223581ec247e409ef4c329.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","31333" "*94ac6a42a165d913b79a0dcfb2d55a686e81b776697580e113aecd8815607076*",".{0,1000}94ac6a42a165d913b79a0dcfb2d55a686e81b776697580e113aecd8815607076.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31335" "*94c211a1a14f81bdc2ec004ff3a433ad860520c731ac54ddf38435e2512cba4b*",".{0,1000}94c211a1a14f81bdc2ec004ff3a433ad860520c731ac54ddf38435e2512cba4b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31343" "*94c231beaa3b89d98562c264ce1038e346dd68a46abefe80c5ec4e095317303f*",".{0,1000}94c231beaa3b89d98562c264ce1038e346dd68a46abefe80c5ec4e095317303f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing 
files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31344" "*94cab34fa8eb8eb60a16b06fcd22263098de0309791aab44f9f5b0a42e584a46*",".{0,1000}94cab34fa8eb8eb60a16b06fcd22263098de0309791aab44f9f5b0a42e584a46.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31347" "*94cf1f7fafa3445476831a500cd9ee9cac37ee7b405e6c7f99ee2d5cfe841168*",".{0,1000}94cf1f7fafa3445476831a500cd9ee9cac37ee7b405e6c7f99ee2d5cfe841168.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31349" "*94d14e87eee41566909017eb8847693a2c1d81c3d448e8c01b1042be30757924*",".{0,1000}94d14e87eee41566909017eb8847693a2c1d81c3d448e8c01b1042be30757924.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31350" "*94DE5045-4D09-437B-BDE3-679FCAF07A2D*",".{0,1000}94DE5045\-4D09\-437B\-BDE3\-679FCAF07A2D.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","31354" "*94e608af6d6f96619de403bf3aed4db8ab602999e0335380279e0d8aca1c6040*",".{0,1000}94e608af6d6f96619de403bf3aed4db8ab602999e0335380279e0d8aca1c6040.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31356" "*94e9de0688840caca05e9d77b64b3c1e5ff94d9c45cb5715395d419ae09c7559*",".{0,1000}94e9de0688840caca05e9d77b64b3c1e5ff94d9c45cb5715395d419ae09c7559.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - 
TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31357" "*94fd39762f3351b03852fcb6e6c28e5ee0a98eb27fae35feeb65997ebc9c26f0*",".{0,1000}94fd39762f3351b03852fcb6e6c28e5ee0a98eb27fae35feeb65997ebc9c26f0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31363" "*9506632b80989310f2d2cca6a35e036d21213776cfff6623c28f1c5d3b8588c7*",".{0,1000}9506632b80989310f2d2cca6a35e036d21213776cfff6623c28f1c5d3b8588c7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31364" "*9507e23a60968916342e626ca86fdde847cb30dafbe12a3f50f8854efef0f62e*",".{0,1000}9507e23a60968916342e626ca86fdde847cb30dafbe12a3f50f8854efef0f62e.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31365" 
"*9509da528a842ad647f557e84ec00afbaf345222bf7d6219031bf176e4bba80e*",".{0,1000}9509da528a842ad647f557e84ec00afbaf345222bf7d6219031bf176e4bba80e.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","31366" "*950ecb779365ffc85a6eba98a8d8dd5dfad765692385a2f59bc93ddbf13a489a*",".{0,1000}950ecb779365ffc85a6eba98a8d8dd5dfad765692385a2f59bc93ddbf13a489a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31370" "*95124c125ab9185d2895ee5462d67235f7391e79288ddef6f3ffb3c918da6fcb*",".{0,1000}95124c125ab9185d2895ee5462d67235f7391e79288ddef6f3ffb3c918da6fcb.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31372" "*95142d0b33c50fe5fcdd5d9d1a1ec7951bf662b06f09d83438410cba625aa411*",".{0,1000}95142d0b33c50fe5fcdd5d9d1a1ec7951bf662b06f09d83438410cba625aa411.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31373" 
"*951507c02248df0f93ee0282da390673a32188c3d3e4c48b0800f2742f19da8f*",".{0,1000}951507c02248df0f93ee0282da390673a32188c3d3e4c48b0800f2742f19da8f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31374" "*95223c891d9b253c9e73803713ab32b7058674d3db6b305ea5a035d84713c9ec*",".{0,1000}95223c891d9b253c9e73803713ab32b7058674d3db6b305ea5a035d84713c9ec.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31379" "*95305891495b6d7a676bd0500e4aa921a1297278eee4c957a5b0c4e18018ac30*",".{0,1000}95305891495b6d7a676bd0500e4aa921a1297278eee4c957a5b0c4e18018ac30.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31382" "*9535fa6343e5fdf4456b753f662e952cba63f52633a351e52ef2c550e7353fbe*",".{0,1000}9535fa6343e5fdf4456b753f662e952cba63f52633a351e52ef2c550e7353fbe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31383" "*954903a1202b2a256a526839733dd2c3e676b58e68817aec11fd60743dab57ee*",".{0,1000}954903a1202b2a256a526839733dd2c3e676b58e68817aec11fd60743dab57ee.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31386" "*954e01f392b21020cb6cb21c13199d8768ee00e24ebf32566bfdad3a212036bd*",".{0,1000}954e01f392b21020cb6cb21c13199d8768ee00e24ebf32566bfdad3a212036bd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31390" 
"*95583f7a979910ff4e65a5d9802df699063472a67a1f9e6d6fd6c2fcff448a14*",".{0,1000}95583f7a979910ff4e65a5d9802df699063472a67a1f9e6d6fd6c2fcff448a14.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31395" "*955854f00a41ee91d047e520aa445035d881f9cb214de1ed49fac829e1caf829*",".{0,1000}955854f00a41ee91d047e520aa445035d881f9cb214de1ed49fac829e1caf829.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","31396" "*955e8412ad58aa45ee195deaf5cd8cacbb9b823ad3b17e1817a03143034da878*",".{0,1000}955e8412ad58aa45ee195deaf5cd8cacbb9b823ad3b17e1817a03143034da878.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31397" 
"*95663244ae0b98220f0e0075980c0da70094a06638fb4498515857e92e3f8b56*",".{0,1000}95663244ae0b98220f0e0075980c0da70094a06638fb4498515857e92e3f8b56.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31399" "*95699dfcbe694396000eeeeb2df293590741f0b912ce5f31c5844b0011407d44*",".{0,1000}95699dfcbe694396000eeeeb2df293590741f0b912ce5f31c5844b0011407d44.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31402" "*956c78246b4873877ac8e1a0ee7eed3ff7f9068826696f40f8a0577c55c8f184*",".{0,1000}956c78246b4873877ac8e1a0ee7eed3ff7f9068826696f40f8a0577c55c8f184.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31403" "*957ab0bb1ca7a7c7ea3df8baab6fa4fef75ba9044ef46825e9986daeabc353bf*",".{0,1000}957ab0bb1ca7a7c7ea3df8baab6fa4fef75ba9044ef46825e9986daeabc353bf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - 
Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31406" "*9590b53e0fb6f32911ba12dd08129a125fda9f2be61225233d851570655cd962*",".{0,1000}9590b53e0fb6f32911ba12dd08129a125fda9f2be61225233d851570655cd962.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31409" "*95937bf936a10b7d1da017905d221288f712fdc50dab8f88251a5db981e27b38*",".{0,1000}95937bf936a10b7d1da017905d221288f712fdc50dab8f88251a5db981e27b38.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31410" "*9599ecbaa7954a040c9a1a4a56d726f921e40b4b9cf56e9ea22547aa7724cf64*",".{0,1000}9599ecbaa7954a040c9a1a4a56d726f921e40b4b9cf56e9ea22547aa7724cf64.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31413" "*959bfdfe33740591330185406539399037eace2cd21bad62dc057db6ffd30656*",".{0,1000}959bfdfe33740591330185406539399037eace2cd21bad62dc057db6ffd30656.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31414" "*959dfbb8cd213bd33aa99fcf4494c61397dc39685f43806ddd9804798d4c94cb*",".{0,1000}959dfbb8cd213bd33aa99fcf4494c61397dc39685f43806ddd9804798d4c94cb.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","31415" "*95c0695cdf0cd8d399cabdccdff93b25aa7deb97e950bd3702bbbaf9a2baf87a*",".{0,1000}95c0695cdf0cd8d399cabdccdff93b25aa7deb97e950bd3702bbbaf9a2baf87a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31424" 
"*95d33e96934486c49553d1c4f2371d92b257795dc8318ffcbded329117e83145*",".{0,1000}95d33e96934486c49553d1c4f2371d92b257795dc8318ffcbded329117e83145.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31430" "*95e521afe5ae87d811ad4a201d594f0c8f3421a3dbf30473fc6d677460d45219*",".{0,1000}95e521afe5ae87d811ad4a201d594f0c8f3421a3dbf30473fc6d677460d45219.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31436" "*95eadd9a35d11abd017c6355f1b1cfbe7b566cee62bead208c64931c25f610e6*",".{0,1000}95eadd9a35d11abd017c6355f1b1cfbe7b566cee62bead208c64931c25f610e6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31438" "*95f005945eac00f3412ffc59d7c6bdfce751fcaac307f4b599ae917e98841766*",".{0,1000}95f005945eac00f3412ffc59d7c6bdfce751fcaac307f4b599ae917e98841766.{0,1000}","greyware_tool_keyword","rathole"," expose 
the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31439" "*95f0d8c8f4781fc8e42b7d644024c647032e3f6cd0ffe425e8f7d5a46d601557*",".{0,1000}95f0d8c8f4781fc8e42b7d644024c647032e3f6cd0ffe425e8f7d5a46d601557.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31440" "*95f26fd9f185436a9dbab6c31c094bdf789405e7297aa799c672bc3f007a24c5*",".{0,1000}95f26fd9f185436a9dbab6c31c094bdf789405e7297aa799c672bc3f007a24c5.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31442" "*95f952dc059b842bd40338458b77657f7b5a1680c4ca837a3adcf83b63c8fda1*",".{0,1000}95f952dc059b842bd40338458b77657f7b5a1680c4ca837a3adcf83b63c8fda1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31443" "*96167e823996cae90da9da2c7e686d966028b8204d0cb92f12535e055d15cb9a*",".{0,1000}96167e823996cae90da9da2c7e686d966028b8204d0cb92f12535e055d15cb9a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31451" "*96257ac3f78ba98e844960d52a2341815c3c9af0d5293cf0dc253a1b7f2a7c55*",".{0,1000}96257ac3f78ba98e844960d52a2341815c3c9af0d5293cf0dc253a1b7f2a7c55.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31452" "*963469d1df890bd548f39b09d42d5fe2b81bad1ebc9089987ae95bdc0b02cce7*",".{0,1000}963469d1df890bd548f39b09d42d5fe2b81bad1ebc9089987ae95bdc0b02cce7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31458" 
"*9640265ebb87a16317f5c3d2fbb4d96181373b8233d430c46c8f41988b4583c0*",".{0,1000}9640265ebb87a16317f5c3d2fbb4d96181373b8233d430c46c8f41988b4583c0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31460" "*9651f7478e5ce54362e10b452e69b858edfb1589a4c0d23404707088b271c8f0*",".{0,1000}9651f7478e5ce54362e10b452e69b858edfb1589a4c0d23404707088b271c8f0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31463" "*9684712e7ea18e0e82bbdf8b990173349ac97423ab59b0daa265a222cfbef816*",".{0,1000}9684712e7ea18e0e82bbdf8b990173349ac97423ab59b0daa265a222cfbef816.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","31473" "*9697ee3ddb8efa374f1efcdafaf21849173831c6b3ab5eee5d11d551b58778ed*",".{0,1000}9697ee3ddb8efa374f1efcdafaf21849173831c6b3ab5eee5d11d551b58778ed.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","31480" "*969a0ad64c9d99f21d8e8a8201fa19b0be3a757d220e89492a4d2f532eeae126*",".{0,1000}969a0ad64c9d99f21d8e8a8201fa19b0be3a757d220e89492a4d2f532eeae126.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","31481" "*969e56154298f0996396bf310bb745cfa549b2396765a49dc1611db1f118d2ca*",".{0,1000}969e56154298f0996396bf310bb745cfa549b2396765a49dc1611db1f118d2ca.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31482" "*969f92d8c70737c5c3e3bff8379c3d432188ebacd379428b8a49def2ca8fd582*",".{0,1000}969f92d8c70737c5c3e3bff8379c3d432188ebacd379428b8a49def2ca8fd582.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31483" "*96ac901e030641264cde78441b64bb6e20e2e1eb33b55b79408ecfd23bacbc7d*",".{0,1000}96ac901e030641264cde78441b64bb6e20e2e1eb33b55b79408ecfd23bacbc7d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31488" "*96af0b4438274122ca3a69e9556e91c3d2f05af16e74890dee567eebe3ac101a*",".{0,1000}96af0b4438274122ca3a69e9556e91c3d2f05af16e74890dee567eebe3ac101a.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31489" "*96c82ea18a4d63d57c4ae10b16e9761fd7a29f92e0704850783768f561e9b85a*",".{0,1000}96c82ea18a4d63d57c4ae10b16e9761fd7a29f92e0704850783768f561e9b85a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31493" "*96cbd0021e8b4b1e95aac299b5ec1209877d84db49f71beb16358f0f2f908953*",".{0,1000}96cbd0021e8b4b1e95aac299b5ec1209877d84db49f71beb16358f0f2f908953.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal 
- Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31495" "*96d4cb5937b2b5a38dbe2721ea427ca64ffcd745ecaace820fb4daa1c322f696*",".{0,1000}96d4cb5937b2b5a38dbe2721ea427ca64ffcd745ecaace820fb4daa1c322f696.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31497" "*96e1cc96595bc8486dfef57f78f680c49e7b19d12649d43fc6501d7a599b4657*",".{0,1000}96e1cc96595bc8486dfef57f78f680c49e7b19d12649d43fc6501d7a599b4657.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31500" "*96f6e9c220b74cce941797d7019d76343c94e257c21b3e92869c0d124d49eab8*",".{0,1000}96f6e9c220b74cce941797d7019d76343c94e257c21b3e92869c0d124d49eab8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31503" "*96fb297f3cba18a95a7228a4853a0641d193859999a5488b0cbae6efe708e89c*",".{0,1000}96fb297f3cba18a95a7228a4853a0641d193859999a5488b0cbae6efe708e89c.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by 
attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","31504" "*96fc55faff503465ff38e6bbbb21fc6365f11b52756d0b82db3a52b3f5487af7*",".{0,1000}96fc55faff503465ff38e6bbbb21fc6365f11b52756d0b82db3a52b3f5487af7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31505" "*96fdb400532a73654187a30dd0af5d345bf3eb3aa68133aaed8585cee03c7014*",".{0,1000}96fdb400532a73654187a30dd0af5d345bf3eb3aa68133aaed8585cee03c7014.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31506" "*9704b24b5a58144293f7c7715b095b1ebf43b90e501050dfb9477094e6dca41b*",".{0,1000}9704b24b5a58144293f7c7715b095b1ebf43b90e501050dfb9477094e6dca41b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31507" "*971a9d100a6bed85f54fa61064075260f64396b2977e716cdd5537f5ab3c5e92*",".{0,1000}971a9d100a6bed85f54fa61064075260f64396b2977e716cdd5537f5ab3c5e92.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31512" "*9722e8ce213b1c7571ef7c1df9f5777be11289e3bcf9911e0af45a622b5d50c1*",".{0,1000}9722e8ce213b1c7571ef7c1df9f5777be11289e3bcf9911e0af45a622b5d50c1.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31515" "*9730d3b8e639662a479982dbb6e6828ba70258620a2613dd939a2cfe90f260ff*",".{0,1000}9730d3b8e639662a479982dbb6e6828ba70258620a2613dd939a2cfe90f260ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31517" 
"*974aa1a4d6ec99c9db926c0d46c76e7158c5d554a1b5a46cc36620244a27f39e*",".{0,1000}974aa1a4d6ec99c9db926c0d46c76e7158c5d554a1b5a46cc36620244a27f39e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31524" "*974b582afcd5cb78733171a0b1a532b3d06203f5f2731acfe3958e68716c0b3c*",".{0,1000}974b582afcd5cb78733171a0b1a532b3d06203f5f2731acfe3958e68716c0b3c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31525" "*975722db63d783f39f712552dbed318d5e4e7e4a68c5822ad44edf79ba0afd5b*",".{0,1000}975722db63d783f39f712552dbed318d5e4e7e4a68c5822ad44edf79ba0afd5b.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31527" "*976161d326f8980972cfbbde397c28176cff14d5fe23c963283fdf5b25d2a32c*",".{0,1000}976161d326f8980972cfbbde397c28176cff14d5fe23c963283fdf5b25d2a32c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - 
BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31529" "*9774490a0a4f822960a8da99a214cec6e2320622c2c20cd6b713e0e52806031c*",".{0,1000}9774490a0a4f822960a8da99a214cec6e2320622c2c20cd6b713e0e52806031c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31533" "*9790d2ca4e5bae3d83a3f53b22027862388ae0057649beff8d74418993956c42*",".{0,1000}9790d2ca4e5bae3d83a3f53b22027862388ae0057649beff8d74418993956c42.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31536" "*9796b2639dcac4c2a68c53344b8382ce959d1b1e68798a9bf7877353c9ad2a3b*",".{0,1000}9796b2639dcac4c2a68c53344b8382ce959d1b1e68798a9bf7877353c9ad2a3b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31537" "*97b4d3555734cba2af59b72b960ce10891b584dcf8d9e3db9f4f099c0a64131d*",".{0,1000}97b4d3555734cba2af59b72b960ce10891b584dcf8d9e3db9f4f099c0a64131d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31541" "*97C056B0-2AEB-4467-AAC9-E0FE0639BA9E*",".{0,1000}97C056B0\-2AEB\-4467\-AAC9\-E0FE0639BA9E.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","31545" "*97c1afbdfbe31e7fed17143d9885be6588be294488cffc83661a5ef55655d3d2*",".{0,1000}97c1afbdfbe31e7fed17143d9885be6588be294488cffc83661a5ef55655d3d2.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","31547" "*97c9f305d684472b85157d1a2acc15364fa1999a25ddf50b40f5e76ef2fb8961*",".{0,1000}97c9f305d684472b85157d1a2acc15364fa1999a25ddf50b40f5e76ef2fb8961.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31549" "*97d7f49d98113060066976048b4711332b6df96ce6b7db127c2317b64b78eab0*",".{0,1000}97d7f49d98113060066976048b4711332b6df96ce6b7db127c2317b64b78eab0.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","31554" "*97fc48554850cc143f262d6cc01fa415c7ff3bc517d2505795b70f447b0de993*",".{0,1000}97fc48554850cc143f262d6cc01fa415c7ff3bc517d2505795b70f447b0de993.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","31560" "*980b74c1c6056bf545ab7bcd5c7699162b11a653931e910e61d8649f7a2dcb26*",".{0,1000}980b74c1c6056bf545ab7bcd5c7699162b11a653931e910e61d8649f7a2dcb26.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31563" "*9827be6db4d39ec8963785cc91b176304d9cf7896820b65dbabe6bbe8eaef0bf*",".{0,1000}9827be6db4d39ec8963785cc91b176304d9cf7896820b65dbabe6bbe8eaef0bf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31567" "*9827e63054ddec1ffe0f246f9bb0c0de0d30deac2055481b44304d13cc928fe2*",".{0,1000}9827e63054ddec1ffe0f246f9bb0c0de0d30deac2055481b44304d13cc928fe2.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","31568" "*9834dd77457930e3d90e08bb26c0d14c29fd01dd9fb51292c1ac16cc93041abc*",".{0,1000}9834dd77457930e3d90e08bb26c0d14c29fd01dd9fb51292c1ac16cc93041abc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31570" "*983582e34fcec444e33dafa6b533ba974086c16520631cd2f07fef6f523a8efc*",".{0,1000}983582e34fcec444e33dafa6b533ba974086c16520631cd2f07fef6f523a8efc.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31571" "*98394683d8f30ce9fb313100f593dc16e97a52723b18d534cf586391a97cdc1d*",".{0,1000}98394683d8f30ce9fb313100f593dc16e97a52723b18d534cf586391a97cdc1d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31573" 
"*9847ecb1315ea779736dc3fbf00edeb3a9c42613200bd538092c4b0987d90f35*",".{0,1000}9847ecb1315ea779736dc3fbf00edeb3a9c42613200bd538092c4b0987d90f35.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31579" "*98552bc999333d460171ad07f72dc6c30bd017c7baef2cdfa6c9f1f5d661f312*",".{0,1000}98552bc999333d460171ad07f72dc6c30bd017c7baef2cdfa6c9f1f5d661f312.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31581" "*986555b1498329e66785f700ed25f84d0fb67fbf398215a4049d9846f23100a4*",".{0,1000}986555b1498329e66785f700ed25f84d0fb67fbf398215a4049d9846f23100a4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31587" "*9871de1742c1132c9b3171c4ae970e66b6ebe3a6cf31c35db881a32e33cc4016*",".{0,1000}9871de1742c1132c9b3171c4ae970e66b6ebe3a6cf31c35db881a32e33cc4016.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31591" "*987f353f6ea282e259738eeb90c20b70fe20e1a49aca498b02acc47200c082bd*",".{0,1000}987f353f6ea282e259738eeb90c20b70fe20e1a49aca498b02acc47200c082bd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31597" "*987f7e9147612ea1182fe989fd19c70cead695da16ee63dd26458ebb43c7b556*",".{0,1000}987f7e9147612ea1182fe989fd19c70cead695da16ee63dd26458ebb43c7b556.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31598" 
"*9887df54ec10a12b986c325675b360e2c43924618104c7914928520ede514fa0*",".{0,1000}9887df54ec10a12b986c325675b360e2c43924618104c7914928520ede514fa0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31599" "*9897be0c0beaddb4b8b81adb5fca1a0e7e702725086cfdda8b1e909febca2c05*",".{0,1000}9897be0c0beaddb4b8b81adb5fca1a0e7e702725086cfdda8b1e909febca2c05.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31602" "*9899ffecf141ab4535ec702facbf2b4233903b428b862f3a87e635d09c6244de*",".{0,1000}9899ffecf141ab4535ec702facbf2b4233903b428b862f3a87e635d09c6244de.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","31603" "*98ab35f179091726b739c9fbb6643cc7328076bfbddd09732bb68b1cdf1b7435*",".{0,1000}98ab35f179091726b739c9fbb6643cc7328076bfbddd09732bb68b1cdf1b7435.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - 
T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31611" "*98b39f9470d2ed0cbf458c04e94dc5762c8b72cf4fb51ba2bf641fdc4462668e*",".{0,1000}98b39f9470d2ed0cbf458c04e94dc5762c8b72cf4fb51ba2bf641fdc4462668e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31614" "*98ba5fe44ef68256a7e5692d45f2ad434b64eece32859ce3723803f36a6e4d55*",".{0,1000}98ba5fe44ef68256a7e5692d45f2ad434b64eece32859ce3723803f36a6e4d55.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31616" "*98c408337b29f4a45a14339a1e1ff0124be1446aa784ec5089ed2ed07e14cf43*",".{0,1000}98c408337b29f4a45a14339a1e1ff0124be1446aa784ec5089ed2ed07e14cf43.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31617" 
"*98d3073aff25e6cdb287e366be5de18f461b7e820176a5211dfcf203e8ef6680*",".{0,1000}98d3073aff25e6cdb287e366be5de18f461b7e820176a5211dfcf203e8ef6680.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","31621" "*98f818a90ad8640c5f56c5d73ce5bc45ac0857d8a9d8d173d0101ee7e4aa19fe*",".{0,1000}98f818a90ad8640c5f56c5d73ce5bc45ac0857d8a9d8d173d0101ee7e4aa19fe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31627" "*98ff939169135f9fa2a57e48ef52a97eea050abc42a6362da8a180e56e118f54*",".{0,1000}98ff939169135f9fa2a57e48ef52a97eea050abc42a6362da8a180e56e118f54.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31630" "*9906fa1de74605a1fa79132c436722654c4b0c941053f07eb3aa85ac4f09123f*",".{0,1000}9906fa1de74605a1fa79132c436722654c4b0c941053f07eb3aa85ac4f09123f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files 
with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31632" "*99142A50-E046-4F18-9C52-9855ABADA9B3*",".{0,1000}99142A50\-E046\-4F18\-9C52\-9855ABADA9B3.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","31635" "*99196195845422f6ac5962782fa3676f34fff343e0fed0f354cb6600d894afd8*",".{0,1000}99196195845422f6ac5962782fa3676f34fff343e0fed0f354cb6600d894afd8.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31639" "*9919f925721fc891959663daa9b9f472f75d97396bf60c1baf9ee3c10a89f73b*",".{0,1000}9919f925721fc891959663daa9b9f472f75d97396bf60c1baf9ee3c10a89f73b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31640" "*995dc125d29852e24beacc8f61871fb3c51859d0130d904da9d81fced3779a51*",".{0,1000}995dc125d29852e24beacc8f61871fb3c51859d0130d904da9d81fced3779a51.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31655" "*99711b2b9f9da1f166dd69dc4542365edc60adefb2e8863bb8cae2bcd01ad15c*",".{0,1000}99711b2b9f9da1f166dd69dc4542365edc60adefb2e8863bb8cae2bcd01ad15c.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","31664" "*99736bcb172f9cbed127f25a80a6b91fe355c4673461878962d7b5ac94782db1*",".{0,1000}99736bcb172f9cbed127f25a80a6b91fe355c4673461878962d7b5ac94782db1.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#filehash","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","31665" 
"*99759813456c7857b5792debb24f09d98f946bf012f8436e94420c7195701bbd*",".{0,1000}99759813456c7857b5792debb24f09d98f946bf012f8436e94420c7195701bbd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31666" "*997e2ae3d49570976fdf7c1e743d23e619f8d8f3fd6fcc689545e5c357ec95a6*",".{0,1000}997e2ae3d49570976fdf7c1e743d23e619f8d8f3fd6fcc689545e5c357ec95a6.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31670" "*99833f7e6a8120d3f1df7098d8314d6469439a6dca2841ddeffe570e1f14bed2*",".{0,1000}99833f7e6a8120d3f1df7098d8314d6469439a6dca2841ddeffe570e1f14bed2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31672" "*99daaa95867cdf0758ec1d5d7f2ebdb3bf74c8c8602e2aaf888e637163d2ebdd*",".{0,1000}99daaa95867cdf0758ec1d5d7f2ebdb3bf74c8c8602e2aaf888e637163d2ebdd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - 
Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31689" "*99e0f20ad43baaff5a1a38d9bb0e98a2b2269b8fc6ac3c3ff6fb70b802fb6911*",".{0,1000}99e0f20ad43baaff5a1a38d9bb0e98a2b2269b8fc6ac3c3ff6fb70b802fb6911.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","31694" "*99e3e313b62bb8b55e2637fc14a78adb6f33632a3c722486416252e2630cfdf6*",".{0,1000}99e3e313b62bb8b55e2637fc14a78adb6f33632a3c722486416252e2630cfdf6.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","31696" "*99eb1eb28b32a783c6619409988dc8fc70ecc9d1ebc05f286ec4c503d4853cbf*",".{0,1000}99eb1eb28b32a783c6619409988dc8fc70ecc9d1ebc05f286ec4c503d4853cbf.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31698" "*99ed8964fc153ac4984eb94f82bd51b2eda463d6483bb3e7e97d6d2b69b71196*",".{0,1000}99ed8964fc153ac4984eb94f82bd51b2eda463d6483bb3e7e97d6d2b69b71196.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - 
T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31700" "*99fbf23aa2b2c348551cd4071c26e0612318fdf92f2699c6ca416368d43d9d21*",".{0,1000}99fbf23aa2b2c348551cd4071c26e0612318fdf92f2699c6ca416368d43d9d21.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","31702" "*9a12912bfbf7dad0ebe5fb3b0229b318a8670d078137f2384f81c1aa87bc0fb0*",".{0,1000}9a12912bfbf7dad0ebe5fb3b0229b318a8670d078137f2384f81c1aa87bc0fb0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31708" "*9a22c27e8df3ce1c62a160488a7cddba8c14696c0e0eb406c0c85eab8c243a06*",".{0,1000}9a22c27e8df3ce1c62a160488a7cddba8c14696c0e0eb406c0c85eab8c243a06.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31713" "*9a2a18d4f18f7a64c52cfe036a86f5bb2f7f7770d70031a8773df3856895a082*",".{0,1000}9a2a18d4f18f7a64c52cfe036a86f5bb2f7f7770d70031a8773df3856895a082.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31714" "*9a2d9073b4ad268a2bce887596f5008c8c92cb74fec88b54f2152a3bed181b25*",".{0,1000}9a2d9073b4ad268a2bce887596f5008c8c92cb74fec88b54f2152a3bed181b25.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31715" "*9a2f0cd9aa7f2380f9d9b3eaca844d9e05219eee732329d544e4b76b75b5d018*",".{0,1000}9a2f0cd9aa7f2380f9d9b3eaca844d9e05219eee732329d544e4b76b75b5d018.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31717" 
"*9a468a1e3f8e645593dc25d5cb45d6b640da574e07afcc518e07eb1738a68510*",".{0,1000}9a468a1e3f8e645593dc25d5cb45d6b640da574e07afcc518e07eb1738a68510.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","31723" "*9a49111f3b3fcd8f1f7c1ecfe79c3d10dc6ba4e7595e0bc776fb328f70f68705*",".{0,1000}9a49111f3b3fcd8f1f7c1ecfe79c3d10dc6ba4e7595e0bc776fb328f70f68705.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31725" "*9a52905fb9c6ed8f3c34111f905d0da5f54dbe6868f10023d5551dd2897e22c4*",".{0,1000}9a52905fb9c6ed8f3c34111f905d0da5f54dbe6868f10023d5551dd2897e22c4.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31728" "*9a560a6c7ad81192188dad3e3eb2cd752f552739876009f15e8aa31f8be45f39*",".{0,1000}9a560a6c7ad81192188dad3e3eb2cd752f552739876009f15e8aa31f8be45f39.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31730" 
"*9a56f4e3bf3a276c7be0b2f180a4d6ffbad1258dc09fe2d6637666dee9c840f6*",".{0,1000}9a56f4e3bf3a276c7be0b2f180a4d6ffbad1258dc09fe2d6637666dee9c840f6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31731" "*9a688243e33a6cddb1bb4807277e352118141e7321385024cbff655a00b7b660*",".{0,1000}9a688243e33a6cddb1bb4807277e352118141e7321385024cbff655a00b7b660.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","31736" "*9a6975a16e6abee257353caa0216c7ee50aed1618cb05c73ee105ecd07e0bdf3*",".{0,1000}9a6975a16e6abee257353caa0216c7ee50aed1618cb05c73ee105ecd07e0bdf3.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","31737" "*9a6f666b2d691d7c6aadd7b854b26cffd76735e9622f3613577b556fe29eb6a1*",".{0,1000}9a6f666b2d691d7c6aadd7b854b26cffd76735e9622f3613577b556fe29eb6a1.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - 
FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","31738" "*9a94ed9833a76fa0b3a54b54d22d28a7afbc7061085e6a4a136597f272857955*",".{0,1000}9a94ed9833a76fa0b3a54b54d22d28a7afbc7061085e6a4a136597f272857955.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31750" "*9a9f29ed242baec12d423e4cf21b1322ebac1fe738d72f64a3b1b4a45c94b4bf*",".{0,1000}9a9f29ed242baec12d423e4cf21b1322ebac1fe738d72f64a3b1b4a45c94b4bf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31752" "*9aa4b36654c9a2d7883a745ab791bcfc723ddcf793c4109529c1b8d8bbea41f0*",".{0,1000}9aa4b36654c9a2d7883a745ab791bcfc723ddcf793c4109529c1b8d8bbea41f0.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data 
Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","31754" "*9aa60c69492c8b3ef312ec4410e0574eb054cf7ca9785f7c4d89d83277143785*",".{0,1000}9aa60c69492c8b3ef312ec4410e0574eb054cf7ca9785f7c4d89d83277143785.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31755" "*9aa8a85153861516996a7c38d282bce08be9fb8d1d5ea707173fc6d43c5c8e8a*",".{0,1000}9aa8a85153861516996a7c38d282bce08be9fb8d1d5ea707173fc6d43c5c8e8a.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","31756" "*9aab5a4936295d13f2602c8e087fd789a7910b3b3c9a47b9fb799ec99020192b*",".{0,1000}9aab5a4936295d13f2602c8e087fd789a7910b3b3c9a47b9fb799ec99020192b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31757" "*9ac9cf037b5413fd2fea88b73a4f1d412b41d64352cf4e9860edf13bb01c7ac3*",".{0,1000}9ac9cf037b5413fd2fea88b73a4f1d412b41d64352cf4e9860edf13bb01c7ac3.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - 
T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31763" "*9acc803db3f5e4b87282da31d1f402958f6344c90afd74abd5609bd0a9449b56*",".{0,1000}9acc803db3f5e4b87282da31d1f402958f6344c90afd74abd5609bd0a9449b56.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31764" "*9af5233ce7294cec25fa60e36a47dd8d0eac6fe4d0f6ab1180291545f4dcf5b6*",".{0,1000}9af5233ce7294cec25fa60e36a47dd8d0eac6fe4d0f6ab1180291545f4dcf5b6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31774" "*9af57a343f42da2250dd4499d6dcff61a7a6395eae77eaab0ddddbe544743116*",".{0,1000}9af57a343f42da2250dd4499d6dcff61a7a6395eae77eaab0ddddbe544743116.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#filehash","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","31775" "*9b02d76d0ae71f8fe680010e3e9174c67c437ae9d76bce7615be4a3161654a0e*",".{0,1000}9b02d76d0ae71f8fe680010e3e9174c67c437ae9d76bce7615be4a3161654a0e.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31776" "*9b08ea44ec7fa2954c60c82ad8c4d54cdf84f3ea336639445b2b8b1d978551e0*",".{0,1000}9b08ea44ec7fa2954c60c82ad8c4d54cdf84f3ea336639445b2b8b1d978551e0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31777" "*9b0fea977dd10dc9e428350ca1d93bb1fe6fc865abb0f37b0975821c45cb6c65*",".{0,1000}9b0fea977dd10dc9e428350ca1d93bb1fe6fc865abb0f37b0975821c45cb6c65.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","31780" "*9b3dde2aa24d611f7042f7248ec066f29d243b8b351a1530d5b2cea145c6dfaa*",".{0,1000}9b3dde2aa24d611f7042f7248ec066f29d243b8b351a1530d5b2cea145c6dfaa.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31790" "*9b3e4c64089c3b78ea1f666f11551e4ae6a435fc0797e39ab4fb07fd633b400c*",".{0,1000}9b3e4c64089c3b78ea1f666f11551e4ae6a435fc0797e39ab4fb07fd633b400c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31791" "*9b473206df119def590d2f515c19cb3db7084c1d3a2ec1199313f551bd6013ec*",".{0,1000}9b473206df119def590d2f515c19cb3db7084c1d3a2ec1199313f551bd6013ec.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31793" "*9b4d79ab99acc97ca17ba9125218aac2374e37fdf071edd871294f2a493e68d9*",".{0,1000}9b4d79ab99acc97ca17ba9125218aac2374e37fdf071edd871294f2a493e68d9.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","31797" "*9b50261daa62f2440c9e3ae0399615fe0b4d5dc807f4f9f1fdcd8a80bc0ab22f*",".{0,1000}9b50261daa62f2440c9e3ae0399615fe0b4d5dc807f4f9f1fdcd8a80bc0ab22f.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that 
allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","31798" "*9b5ac6a354462e1d547aa65f9c29632092a93861190b3c0a03534b1ec016a5e1*",".{0,1000}9b5ac6a354462e1d547aa65f9c29632092a93861190b3c0a03534b1ec016a5e1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31801" "*9b5afa6ac3aadfbfd33f053fdfd1808175b2e4767503f957e81004b54ff70a25*",".{0,1000}9b5afa6ac3aadfbfd33f053fdfd1808175b2e4767503f957e81004b54ff70a25.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","31802" "*9b61fc30930c67b9afd24f6e028579bb81f72c3fe750cbc9aaf747c233effa70*",".{0,1000}9b61fc30930c67b9afd24f6e028579bb81f72c3fe750cbc9aaf747c233effa70.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31803" 
"*9b6df8785bfcc71ad646fd17f581744eff6993490e5cfc1505850117eee701ab*",".{0,1000}9b6df8785bfcc71ad646fd17f581744eff6993490e5cfc1505850117eee701ab.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31804" "*9b6ebca62874fff570d19b1d7eeee8eca39f0e9fe1c5496930413527fceaf85a*",".{0,1000}9b6ebca62874fff570d19b1d7eeee8eca39f0e9fe1c5496930413527fceaf85a.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","31805" "*9b7e9ebb1641ab9798d06e550317afc5999c25eff3abe28a8f21b6344fab7622*",".{0,1000}9b7e9ebb1641ab9798d06e550317afc5999c25eff3abe28a8f21b6344fab7622.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31812" "*9b8819db42c86e4b7adb6b9fbc1bb8acd178fa05f74c4cdda27f3b5aa64deb4c*",".{0,1000}9b8819db42c86e4b7adb6b9fbc1bb8acd178fa05f74c4cdda27f3b5aa64deb4c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - 
Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31814" "*9b8973d38cfee2c1e90385a1d25741dd4d9a72f426252719ac46bc8b89975618*",".{0,1000}9b8973d38cfee2c1e90385a1d25741dd4d9a72f426252719ac46bc8b89975618.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","31816" "*9b8c27cbcbae9c1ec6fe4265c15a9122806b0b0bf9d1173c499d7d2ccb714e17*",".{0,1000}9b8c27cbcbae9c1ec6fe4265c15a9122806b0b0bf9d1173c499d7d2ccb714e17.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31818" "*9baa9ae150749a196e3cd03765655c6a9c9731fbdfcb11efc22d14a4b10f7346*",".{0,1000}9baa9ae150749a196e3cd03765655c6a9c9731fbdfcb11efc22d14a4b10f7346.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31821" "*9bb03c64894f76241a0c97d210a95a8a5d538a660b8067b1748dd157b1ddeaa6*",".{0,1000}9bb03c64894f76241a0c97d210a95a8a5d538a660b8067b1748dd157b1ddeaa6.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","31823" "*9bb687cca974dcb711e07739d9eaa8ed124519c2531a4442a0c0d320a75d8584*",".{0,1000}9bb687cca974dcb711e07739d9eaa8ed124519c2531a4442a0c0d320a75d8584.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","31827" "*9bc358f934bfbeb12347083aef6b7a6efe26846b83ce0e653a4b89c64ba89073*",".{0,1000}9bc358f934bfbeb12347083aef6b7a6efe26846b83ce0e653a4b89c64ba89073.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","31828" 
"*9bc4890f95874f3f6931e15694b0e7f37f2a7a18daf460ea109fb5f0c8886800*",".{0,1000}9bc4890f95874f3f6931e15694b0e7f37f2a7a18daf460ea109fb5f0c8886800.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31829" "*9bc9e19e782030fdd219ef29607658de9b197adc9427cbc4517cb9884b7e7c07*",".{0,1000}9bc9e19e782030fdd219ef29607658de9b197adc9427cbc4517cb9884b7e7c07.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","31831" "*9bde1bf43cd8dc8d67f5e2b773d4315344315b4a52d2be26dd49c484678bdaaa*",".{0,1000}9bde1bf43cd8dc8d67f5e2b773d4315344315b4a52d2be26dd49c484678bdaaa.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31834" "*9bf17e192c1d67d3116bee309c16ccdeaae36a68e53db5b555ccaf9455a255b1*",".{0,1000}9bf17e192c1d67d3116bee309c16ccdeaae36a68e53db5b555ccaf9455a255b1.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","31839" 
"*9bfd1f0cb077ba95935c260cf66554142867486a42c8d84920e09dd3c6117ed1*",".{0,1000}9bfd1f0cb077ba95935c260cf66554142867486a42c8d84920e09dd3c6117ed1.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","31841" "*9c0ae5d41ec30487350699a26406dbb0893b639f4702630ac9d735ad6c15aa5a*",".{0,1000}9c0ae5d41ec30487350699a26406dbb0893b639f4702630ac9d735ad6c15aa5a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31848" "*9c1f64c5353fef38a4f90ee34a6b670f5e38a21cd629960c7eb7de50ed5ad460*",".{0,1000}9c1f64c5353fef38a4f90ee34a6b670f5e38a21cd629960c7eb7de50ed5ad460.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31852" "*9c20d2016bd5f7437ec4b304ed39e17ccd1c0882c29f9ee37dfe81c9f1ea6015*",".{0,1000}9c20d2016bd5f7437ec4b304ed39e17ccd1c0882c29f9ee37dfe81c9f1ea6015.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31853" "*9c3262961652f77177675bb812a2e5037223505b780999dc4a57c656afe9e1e6*",".{0,1000}9c3262961652f77177675bb812a2e5037223505b780999dc4a57c656afe9e1e6.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31856" "*9c3286d0cb644bc2ffdff9dacb89b6d1b87dabbde373a52e45b73717fcc97664*",".{0,1000}9c3286d0cb644bc2ffdff9dacb89b6d1b87dabbde373a52e45b73717fcc97664.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31857" 
"*9c3aa9197679d1cee2f74e0e1938ebc759648520d3cfb02dfb7f0422bd234e2b*",".{0,1000}9c3aa9197679d1cee2f74e0e1938ebc759648520d3cfb02dfb7f0422bd234e2b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31858" "*9c5f80d8b37be0d48a0c13a3838db1455aed0c3e23500ac7d9293bb779544e59*",".{0,1000}9c5f80d8b37be0d48a0c13a3838db1455aed0c3e23500ac7d9293bb779544e59.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","31866" "*9c61fb474707f74a2bd8529b5ee56a26baf315458c07cc8aff66d117081f1aea*",".{0,1000}9c61fb474707f74a2bd8529b5ee56a26baf315458c07cc8aff66d117081f1aea.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31867" "*9c78d685436d461ec75c3bdfcd09503eb86ce64ac58c13da6a8c82bdc2e80703*",".{0,1000}9c78d685436d461ec75c3bdfcd09503eb86ce64ac58c13da6a8c82bdc2e80703.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31871" 
"*9c86d0fbe739883dc37c81ff6a9e4fa7f06417c56fa52ad6ceb6ba7bc3e9f420*",".{0,1000}9c86d0fbe739883dc37c81ff6a9e4fa7f06417c56fa52ad6ceb6ba7bc3e9f420.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","31877" "*9c8b1aecaf1bdded80bec98ec5ab5b9b9754cbce9439dd9eacc7d1774d1438f8*",".{0,1000}9c8b1aecaf1bdded80bec98ec5ab5b9b9754cbce9439dd9eacc7d1774d1438f8.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","31879" "*9cab3486e77ce43ae5295dcb724e1a25b1db2f8ea10bbbb0cd0b81709fc20db7*",".{0,1000}9cab3486e77ce43ae5295dcb724e1a25b1db2f8ea10bbbb0cd0b81709fc20db7.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31885" "*9cb6e00ae09b73b289f3a447cc5ebbd16fabc4134c606bc25c0f4a70f715485f*",".{0,1000}9cb6e00ae09b73b289f3a447cc5ebbd16fabc4134c606bc25c0f4a70f715485f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31887" "*9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE*",".{0,1000}9CD1DDB78ED05282353B20CDFE8FA0A4FB6C1ECE.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage - compromised certificate - https://anydesk.com/en/changelog/windows","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","#certificate","compromised certificate","8","8","N/A","N/A","N/A","N/A","31894" "*9cd1f8564ff1c66d969b01e117e922063213eeaaae20fd5c725cdbf7041e4831*",".{0,1000}9cd1f8564ff1c66d969b01e117e922063213eeaaae20fd5c725cdbf7041e4831.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","31895" "*9cd5f8810741b08aac49f12898dc623ce070f21f39820b1916361acd2522b982*",".{0,1000}9cd5f8810741b08aac49f12898dc623ce070f21f39820b1916361acd2522b982.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE 
- INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31896" "*9cfa910939a8af2fbf84786f386cb38d801981d9eb85337ac9694411e8133114*",".{0,1000}9cfa910939a8af2fbf84786f386cb38d801981d9eb85337ac9694411e8133114.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","31902" "*9d0597a638eabb7fff63dc41d6449d47fce11f4491a703d0447e78d53387fe38*",".{0,1000}9d0597a638eabb7fff63dc41d6449d47fce11f4491a703d0447e78d53387fe38.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31907" "*9d0c7f0c88518e5d682763f7697796846ba0c4156371bfc8df612f38b33b77e3*",".{0,1000}9d0c7f0c88518e5d682763f7697796846ba0c4156371bfc8df612f38b33b77e3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31910" "*9d0edb290dc290f8cb748123558db11a3477269f810618a86ff8e81f30830e08*",".{0,1000}9d0edb290dc290f8cb748123558db11a3477269f810618a86ff8e81f30830e08.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - 
BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31911" "*9d1fb01df8a856d1bc633277add91aedeec15f773192a8733de3ed747784c916*",".{0,1000}9d1fb01df8a856d1bc633277add91aedeec15f773192a8733de3ed747784c916.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","31919" "*9d2ce0345f4ee5798a49a8a13e33c7502a2ac655*",".{0,1000}9d2ce0345f4ee5798a49a8a13e33c7502a2ac655.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","31923" "*9d2f44538ea0c6309426cb290d3a6b8b0b85de5de7f1496ff40c843b36bf8a8d*",".{0,1000}9d2f44538ea0c6309426cb290d3a6b8b0b85de5de7f1496ff40c843b36bf8a8d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31924" "*9d3a9deeeac5f53514e20f1a6dacd125ddec7e17e18d27c23a276ed5eb608878*",".{0,1000}9d3a9deeeac5f53514e20f1a6dacd125ddec7e17e18d27c23a276ed5eb608878.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 
- T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","31928" "*9d3d2e4222e2352d476cfe71afba982fcabd38e2e5c27a43bc126de2c33e353b*",".{0,1000}9d3d2e4222e2352d476cfe71afba982fcabd38e2e5c27a43bc126de2c33e353b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","31930" "*9d4c213bbc51347764c8b62223c50da024037f63150d7f57ec12e22d1eaf0dfc*",".{0,1000}9d4c213bbc51347764c8b62223c50da024037f63150d7f57ec12e22d1eaf0dfc.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31935" "*9d64672adf39e728aabe327e344f0735ed2d8cfd8d96a39ca4848a771f48e42d*",".{0,1000}9d64672adf39e728aabe327e344f0735ed2d8cfd8d96a39ca4848a771f48e42d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31939" 
"*9d6d883e78e055575e91b222042d50bb7a9d9e4f046257bc7c38e7f57deb552e*",".{0,1000}9d6d883e78e055575e91b222042d50bb7a9d9e4f046257bc7c38e7f57deb552e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","31941" "*9d71d19aa4fa05a8829650c03387de1e7aea56635a1568e725463a8db3457708*",".{0,1000}9d71d19aa4fa05a8829650c03387de1e7aea56635a1568e725463a8db3457708.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31942" "*9d756b853f27ac18d6b0b321e1dacef18d98fdbb3fa7d7500fce5d09cb63dd52*",".{0,1000}9d756b853f27ac18d6b0b321e1dacef18d98fdbb3fa7d7500fce5d09cb63dd52.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31943" "*9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF*",".{0,1000}9D7620A4CEBA92370E8828B3CB1007AEFF63AB36A2CBE5F044FDDE14ABAB1EBF.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage - compromised certificate - https://anydesk.com/en/changelog/windows","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","#certificate","compromised certificate","8","8","N/A","N/A","N/A","N/A","31944" "*9d7c62cfabf136368543cab714f0ba1ba1165a8d4fd5e535736976ebb95303c5*",".{0,1000}9d7c62cfabf136368543cab714f0ba1ba1165a8d4fd5e535736976ebb95303c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31948" "*9dc3c784b09c7e143046fee8b0b96f2b2c92fa95aad96679e0ab79383e20647c*",".{0,1000}9dc3c784b09c7e143046fee8b0b96f2b2c92fa95aad96679e0ab79383e20647c.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","31960" "*9dd63128c55bdc6f062713958960f7bdec1983051df3114d9cfc2037089686c3*",".{0,1000}9dd63128c55bdc6f062713958960f7bdec1983051df3114d9cfc2037089686c3.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","31963" "*9dea73ffa9687042001217d5dd36ce8083f36849cadfd88945cd55f669e9bb70*",".{0,1000}9dea73ffa9687042001217d5dd36ce8083f36849cadfd88945cd55f669e9bb70.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","31966" "*9dfed608d8c377ee0d9fc5aefcfb535155fd0693b9bc804c1f8311b2ac1dcad1*",".{0,1000}9dfed608d8c377ee0d9fc5aefcfb535155fd0693b9bc804c1f8311b2ac1dcad1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31969" 
"*9dffd0600ac3634e75d99c867d2ca3791cd3a302513c42b4465c6300977d824c*",".{0,1000}9dffd0600ac3634e75d99c867d2ca3791cd3a302513c42b4465c6300977d824c.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31970" "*9e032a335a7b50b69fec9d0b8ec9c64ae3d9986a6d78c79a013d97920809a282*",".{0,1000}9e032a335a7b50b69fec9d0b8ec9c64ae3d9986a6d78c79a013d97920809a282.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","31971" "*9e0fcc92b00eb9657979f4492584959b702e5d3f3e50c3cdb4a55c76f55693a7*",".{0,1000}9e0fcc92b00eb9657979f4492584959b702e5d3f3e50c3cdb4a55c76f55693a7.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","31973" "*9e1cb4b50f43e8d7041feb056466e078b124b485cbd708c98604460314602ee3*",".{0,1000}9e1cb4b50f43e8d7041feb056466e078b124b485cbd708c98604460314602ee3.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31976" 
"*9e1f0fe87d08779bfcf0b5253b92af92250dbd2db6f99d6ca747510ec87cf308*",".{0,1000}9e1f0fe87d08779bfcf0b5253b92af92250dbd2db6f99d6ca747510ec87cf308.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31978" "*9e3476f783250e1fd848c17fb9d5a6c32e151ff1382bcde09a0ac903dea8a16f*",".{0,1000}9e3476f783250e1fd848c17fb9d5a6c32e151ff1382bcde09a0ac903dea8a16f.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","31980" "*9e3640e44bcdcb5ce5efb6fa63a306e63077427539ebe9a0c6d829808731c73f*",".{0,1000}9e3640e44bcdcb5ce5efb6fa63a306e63077427539ebe9a0c6d829808731c73f.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","31982" "*9e3c014399ad61b61a1fa5fa58de95a4ddfded6ff863c413cea089f2d92f9d70*",".{0,1000}9e3c014399ad61b61a1fa5fa58de95a4ddfded6ff863c413cea089f2d92f9d70.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","31986" 
"*9e3c014399ad61b61a1fa5fa58de95a4ddfded6ff863c413cea089f2d92f9d70*",".{0,1000}9e3c014399ad61b61a1fa5fa58de95a4ddfded6ff863c413cea089f2d92f9d70.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#filehash #linux","N/A","10","10","N/A","N/A","N/A","N/A","31987" "*9e4a589aa9658c35abbcca54036c9cc0070d05f0708b8df2d8e9030bbb9f541a*",".{0,1000}9e4a589aa9658c35abbcca54036c9cc0070d05f0708b8df2d8e9030bbb9f541a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","31993" "*9e4c4e615928ccbce23648a08fc6861be46474c7effbb9fed5e607f5f2501abc*",".{0,1000}9e4c4e615928ccbce23648a08fc6861be46474c7effbb9fed5e607f5f2501abc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","31994" "*9e54ead1385e23d4b5c663545001d13db7c653225fe997fcf7d6092ccd2a221a*",".{0,1000}9e54ead1385e23d4b5c663545001d13db7c653225fe997fcf7d6092ccd2a221a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","31996" "*9e66f8414c42c546b1d73672929a13285681ab0862f8ed9aa75d048dd5aa00e7*",".{0,1000}9e66f8414c42c546b1d73672929a13285681ab0862f8ed9aa75d048dd5aa00e7.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","32000" "*9e68d5982934294b5ef4bd570efd96b170d6a2aec1507cb4f248911da72380be*",".{0,1000}9e68d5982934294b5ef4bd570efd96b170d6a2aec1507cb4f248911da72380be.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32002" "*9e71f08fe3818175111038f681747563b50d4673ec9b4404446bd2a7bb7d5063*",".{0,1000}9e71f08fe3818175111038f681747563b50d4673ec9b4404446bd2a7bb7d5063.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32005" "*9e7b19f19410ca164f057020918c128e8b6cf603c24386f80ddd7ef3cd9ae5bc*",".{0,1000}9e7b19f19410ca164f057020918c128e8b6cf603c24386f80ddd7ef3cd9ae5bc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32006" "*9e900a0da021bf0cc58e16ccaea35d8ffc115aed8fb99d0deed5b3c01e822ad0*",".{0,1000}9e900a0da021bf0cc58e16ccaea35d8ffc115aed8fb99d0deed5b3c01e822ad0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32010" 
"*9eb625cc9e117d567ed568453ab0e5d9d1c9af2584338fb78640a1fb03dcd1c1*",".{0,1000}9eb625cc9e117d567ed568453ab0e5d9d1c9af2584338fb78640a1fb03dcd1c1.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32020" "*9ec893fc952f4e45307f8cd603b6de2f396e1ad757af6847c00a148257c0dfb7*",".{0,1000}9ec893fc952f4e45307f8cd603b6de2f396e1ad757af6847c00a148257c0dfb7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32027" "*9eca862c8cb8490e6b853171d95c9db07d3f306b3018b0ee5e567d3346d8b2d5*",".{0,1000}9eca862c8cb8490e6b853171d95c9db07d3f306b3018b0ee5e567d3346d8b2d5.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32029" "*9ed99f3c7be08a47125d73169959a738b152b8c2dcfac42fca34e5edb0448a88*",".{0,1000}9ed99f3c7be08a47125d73169959a738b152b8c2dcfac42fca34e5edb0448a88.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32032" "*9ee0e699972c2614e3b1eb3c803caff659a64bb8d2c14ba07d520944758cf0a6*",".{0,1000}9ee0e699972c2614e3b1eb3c803caff659a64bb8d2c14ba07d520944758cf0a6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32034" "*9ef83833296876f3182b87030b4f2e851b56621bad4ca4d7a14753553bb8b640*",".{0,1000}9ef83833296876f3182b87030b4f2e851b56621bad4ca4d7a14753553bb8b640.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32039" "*9efbe8b459a63d573e27712d030b3c36e7cdc92c1f33461c401ca81cdb0e8e71*",".{0,1000}9efbe8b459a63d573e27712d030b3c36e7cdc92c1f33461c401ca81cdb0e8e71.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - 
Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32042" "*9f1af621fb39dac8f826f5c5dd50cc8ef3539be72ae9b06a5607eadc23d4dc0a*",".{0,1000}9f1af621fb39dac8f826f5c5dd50cc8ef3539be72ae9b06a5607eadc23d4dc0a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32052" "*9f1df2f4b8d5719321755917aa858e159ead67978a568196bde136759e9dcb2b*",".{0,1000}9f1df2f4b8d5719321755917aa858e159ead67978a568196bde136759e9dcb2b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32053" "*9f229bb988451fb20a2a307f6d6e598822a8e9bfa69dcf4b31fd67a7f7f4d3ad*",".{0,1000}9f229bb988451fb20a2a307f6d6e598822a8e9bfa69dcf4b31fd67a7f7f4d3ad.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","32054" 
"*9f27cec3b7e600c0223c0de06b65feafa9ed6bf82a8b1dfe338aef6b03bac097*",".{0,1000}9f27cec3b7e600c0223c0de06b65feafa9ed6bf82a8b1dfe338aef6b03bac097.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32057" "*9f29ce88a53096c66bdd2dcb1b1e04b305358bef7aaa681a5fa8cd8ef406e63b*",".{0,1000}9f29ce88a53096c66bdd2dcb1b1e04b305358bef7aaa681a5fa8cd8ef406e63b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32059" "*9f2bbb3d0ecd30411181adfe61a09f64e7d3003e55703d5ab5433cb68b905038*",".{0,1000}9f2bbb3d0ecd30411181adfe61a09f64e7d3003e55703d5ab5433cb68b905038.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32060" 
"*9f2c7f990c554ba286616dd08e59ac32d543e80eef335f5c65762c020234bc1b*",".{0,1000}9f2c7f990c554ba286616dd08e59ac32d543e80eef335f5c65762c020234bc1b.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","32061" "*9f5839d8901177b6ba08b744d561d51a8c4fb8ae7e492cf2e4408b90e49497df*",".{0,1000}9f5839d8901177b6ba08b744d561d51a8c4fb8ae7e492cf2e4408b90e49497df.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","32067" "*9F5CF56A-DDB2-4F40-AB99-2A1DC47588E1*",".{0,1000}9F5CF56A\-DDB2\-4F40\-AB99\-2A1DC47588E1.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#GUIDproject","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","32070" "*9f6b80fa0ffaad84c92776eaa2af7a16d5fcb724ac12ed9a07dffd88565c6397*",".{0,1000}9f6b80fa0ffaad84c92776eaa2af7a16d5fcb724ac12ed9a07dffd88565c6397.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","32075" "*9f6ee8fe7fea7bb68fed2ca7626a9277af8990ff8ee565c03ca3eecc083717df*",".{0,1000}9f6ee8fe7fea7bb68fed2ca7626a9277af8990ff8ee565c03ca3eecc083717df.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32076" "*9f6fbc95920e22acace881c5702a9fda81104d98ff5f37ed2c343898d371c8b3*",".{0,1000}9f6fbc95920e22acace881c5702a9fda81104d98ff5f37ed2c343898d371c8b3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32077" "*9f7050d57a380a76aab9f89fa7d44884db808b526261fad94a62797c831e1cbf*",".{0,1000}9f7050d57a380a76aab9f89fa7d44884db808b526261fad94a62797c831e1cbf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32078" "*9f78f3485dab3247717aef7f603bbeeaa7369f1b8bbd9acd1c4416f25d956493*",".{0,1000}9f78f3485dab3247717aef7f603bbeeaa7369f1b8bbd9acd1c4416f25d956493.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32079" "*9f829612db928e5c7e7b08a9bf596b908d09c4f242b7454802e87dd2c2dc3f89*",".{0,1000}9f829612db928e5c7e7b08a9bf596b908d09c4f242b7454802e87dd2c2dc3f89.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","32084" "*9fa3d83395b5d3ed3b9ab096aababbbddd71ebf90ae37ddfd24f168d9f909bad*",".{0,1000}9fa3d83395b5d3ed3b9ab096aababbbddd71ebf90ae37ddfd24f168d9f909bad.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32097" "*9fa8e04f74d61da484201db9a063cc22f95c76197dbe31326c73ab7c6792957d*",".{0,1000}9fa8e04f74d61da484201db9a063cc22f95c76197dbe31326c73ab7c6792957d.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32100" "*9fb81c3c3003985257be77b5ff0e531de79ecc35fc84c98a92a59e8ca88e25f1*",".{0,1000}9fb81c3c3003985257be77b5ff0e531de79ecc35fc84c98a92a59e8ca88e25f1.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32103" "*9fc2a410869d7c8ec6e01cccc1b5013b512a22982bc9675ff2f6443976f1b59b*",".{0,1000}9fc2a410869d7c8ec6e01cccc1b5013b512a22982bc9675ff2f6443976f1b59b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32106" "*9fc57548ab7ea8aed9b35ff5a6ceee11afd5707139f98333381fcc1442bc45aa*",".{0,1000}9fc57548ab7ea8aed9b35ff5a6ceee11afd5707139f98333381fcc1442bc45aa.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","32108" "*9fc6416952495e1c0a13f2b1af1bf774e6dc5a90fcf0a50c942bba56709cb921*",".{0,1000}9fc6416952495e1c0a13f2b1af1bf774e6dc5a90fcf0a50c942bba56709cb921.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32109" 
"*9fefe059c5e2a23b4f92bc8b292f5942543a28e265bf06f123686483a8241b4a*",".{0,1000}9fefe059c5e2a23b4f92bc8b292f5942543a28e265bf06f123686483a8241b4a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32118" "*9ffa244293433033702bbbbddf85e116221a7ff75c0b2bd152d9da8b6263ea6f*",".{0,1000}9ffa244293433033702bbbbddf85e116221a7ff75c0b2bd152d9da8b6263ea6f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32122" "*A client side encrypted PasteBin*",".{0,1000}A\sclient\sside\sencrypted\sPasteBin.{0,1000}","greyware_tool_keyword","0bin.net","Accessing a paste on 0bin.net","T1213 - T1190","TA0001 - TA0009 - TA0010","N/A","N/A","Collection","https://0bin.net","1","0","#content #PastebinLike","N/A","5","10","N/A","N/A","N/A","N/A","32125" "*A little service to steal the AD FS DKM secret :)*",".{0,1000}A\slittle\sservice\sto\ssteal\sthe\sAD\sFS\sDKM\ssecret\s\:\).{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - 
TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","32131" "*a.aomeisoftware.com*",".{0,1000}a\.aomeisoftware\.com.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","32143" "*a0005f263f682b7623cf12d1ca7d47d3c4108591019131e413a49566c7458081*",".{0,1000}a0005f263f682b7623cf12d1ca7d47d3c4108591019131e413a49566c7458081.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","32144" "*a0038697d35fbe64f1d9edc3493da99bdd0f27f7a79502134605c3064b2c704e*",".{0,1000}a0038697d35fbe64f1d9edc3493da99bdd0f27f7a79502134605c3064b2c704e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32147" "*a003f5539bcf1c36e9d8f0565857dc8478015da4f97fa64bcb91f6495bbfc105*",".{0,1000}a003f5539bcf1c36e9d8f0565857dc8478015da4f97fa64bcb91f6495bbfc105.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32148" "*a028984075f63af783a3a261c58350a9d153e63c277db78614fb4b3aca780631*",".{0,1000}a028984075f63af783a3a261c58350a9d153e63c277db78614fb4b3aca780631.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32156" "*a03578a6b28aff267f20a87755696a91a1d5b923e815b2989e4afcc8915cc357*",".{0,1000}a03578a6b28aff267f20a87755696a91a1d5b923e815b2989e4afcc8915cc357.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti forensic","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","32157" "*a040131b51b4e124e4ac5a2cfa2e66adf3f7f279f98c86359870285bff228f42*",".{0,1000}a040131b51b4e124e4ac5a2cfa2e66adf3f7f279f98c86359870285bff228f42.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32161" "*a0503d04e1f71f6856503024b70552eeeb6954e4aac61040a008f3917b38a684*",".{0,1000}a0503d04e1f71f6856503024b70552eeeb6954e4aac61040a008f3917b38a684.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32164" "*a059a3d56743994d8f3996e05725957ebb5099c97bdd8ee92ed739f552073f46*",".{0,1000}a059a3d56743994d8f3996e05725957ebb5099c97bdd8ee92ed739f552073f46.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","32168" "*a05b247f1368ac7c4e08b63300ec27ce5ff6e8cd306c0f7fa75eff9e89d0fc92*",".{0,1000}a05b247f1368ac7c4e08b63300ec27ce5ff6e8cd306c0f7fa75eff9e89d0fc92.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32169" "*a094d80528b9c413de86e56ff9e8617ff6b8855e8e95bc9c1826dea339033eba*",".{0,1000}a094d80528b9c413de86e56ff9e8617ff6b8855e8e95bc9c1826dea339033eba.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32183" "*a09787812790b59ec3d36120788ae9f80b7bdda1e2d7a17a46d8112324632737",".{0,1000}a09787812790b59ec3d36120788ae9f80b7bdda1e2d7a17a46d8112324632737","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by 
attackers for anti forensic","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","32184" "*a0b1523b50b26c6ceb479513d2278d448d9e826cebbaf2af7decd3e01b5d7a59*",".{0,1000}a0b1523b50b26c6ceb479513d2278d448d9e826cebbaf2af7decd3e01b5d7a59.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32188" "*a0c293a144cb66f4b07d8bd7d52a489b89c2ff30af9427c399e400bc3d374505*",".{0,1000}a0c293a144cb66f4b07d8bd7d52a489b89c2ff30af9427c399e400bc3d374505.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","32196" "*a0d678feb4b1d5460a2b6dc94cbf1168db92da55a52064d452f6046f6fb8b3ab*",".{0,1000}a0d678feb4b1d5460a2b6dc94cbf1168db92da55a52064d452f6046f6fb8b3ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32198" 
"*a0e7d15b84357f97ac46b469e179a9932682d5763204ea90590ea71ac90aa515*",".{0,1000}a0e7d15b84357f97ac46b469e179a9932682d5763204ea90590ea71ac90aa515.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32207" "*a0f82a1dfbc7ff306b986ef88ecd57d1ab08f499cee267184bd5cdb5d9bad6a6*",".{0,1000}a0f82a1dfbc7ff306b986ef88ecd57d1ab08f499cee267184bd5cdb5d9bad6a6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32210" "*a0ffaba8096c1c103f4cadbf7e373d838f5ebca0b1f4a1b4fc600d623c7d4640*",".{0,1000}a0ffaba8096c1c103f4cadbf7e373d838f5ebca0b1f4a1b4fc600d623c7d4640.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32213" "*a10a179116e873452ca3323ce17ae870ea2a240c754b696dcfd3442e7bbc16a7*",".{0,1000}a10a179116e873452ca3323ce17ae870ea2a240c754b696dcfd3442e7bbc16a7.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","32217" 
"*a10a8b566860339bfd6832fc9073862c8689a1645236ad3d4eafa500f9c536a4*",".{0,1000}a10a8b566860339bfd6832fc9073862c8689a1645236ad3d4eafa500f9c536a4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32218" "*a10f6df2968d892ca277eeddb104dce0bda26aaf47b6a29fa37f6ef7b9b4b330*",".{0,1000}a10f6df2968d892ca277eeddb104dce0bda26aaf47b6a29fa37f6ef7b9b4b330.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32219" "*a111b6db4f1609e4d1c0f03d4350918f7cba997edda438c159fed9ababc2057f*",".{0,1000}a111b6db4f1609e4d1c0f03d4350918f7cba997edda438c159fed9ababc2057f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32220" "*a111d393d4f49bc4f3969a399962a576f142f58ea165f84186970e24e5c9eeba*",".{0,1000}a111d393d4f49bc4f3969a399962a576f142f58ea165f84186970e24e5c9eeba.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - 
Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32221" "*a11a44666cbdc5c56112cdb109e37c7f4f466f947500efce2192007d553a07f5*",".{0,1000}a11a44666cbdc5c56112cdb109e37c7f4f466f947500efce2192007d553a07f5.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","32222" "*a12da8d4bdf8a29cdb41d332b700ac882f5d9c2352cb7696636e56ecbae3a883*",".{0,1000}a12da8d4bdf8a29cdb41d332b700ac882f5d9c2352cb7696636e56ecbae3a883.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32231" "*a12f1b3315057920742569bb98f5031bfd200c52c6a808b327e5048a4f4991a4*",".{0,1000}a12f1b3315057920742569bb98f5031bfd200c52c6a808b327e5048a4f4991a4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32234" 
"*a131448308aacfd65d51f1a3861ccee0fd68640ed2694421871d46cd1216367b*",".{0,1000}a131448308aacfd65d51f1a3861ccee0fd68640ed2694421871d46cd1216367b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32235" "*a148f12a5261ef3186322b08cf1b1907d987505ec5485adb290a350bb2083f63*",".{0,1000}a148f12a5261ef3186322b08cf1b1907d987505ec5485adb290a350bb2083f63.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32240" "*a17504a9ca029f89214959636206e22292ed49c26a28dd530a883c12d9ac1977*",".{0,1000}a17504a9ca029f89214959636206e22292ed49c26a28dd530a883c12d9ac1977.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32247" 
"*a17972b286ec9492e224a2adcc4ec7487615caec87a04be7d7a1c0bbfc0f0b43*",".{0,1000}a17972b286ec9492e224a2adcc4ec7487615caec87a04be7d7a1c0bbfc0f0b43.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","32249" "*a18c0916da1f5900730a30f152c36bd706cbd1e2f9f8bb042207de5ac3ef8097*",".{0,1000}a18c0916da1f5900730a30f152c36bd706cbd1e2f9f8bb042207de5ac3ef8097.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","32256" "*a1a3bb9524011ce83b48f12ef28ad35dbf7f6022a8875a040d4c5d0dc982458a*",".{0,1000}a1a3bb9524011ce83b48f12ef28ad35dbf7f6022a8875a040d4c5d0dc982458a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32260" 
"*a1ad8df9d1ea7ad06e8d124238448640fdaadc708b61e38ca378de15aac47e5a*",".{0,1000}a1ad8df9d1ea7ad06e8d124238448640fdaadc708b61e38ca378de15aac47e5a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32262" "*a1bc2b5bd61ba0f7babdec16c86b0715156d3577dbdbcd2863a2b2fa19df7606*",".{0,1000}a1bc2b5bd61ba0f7babdec16c86b0715156d3577dbdbcd2863a2b2fa19df7606.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32269" "*a1c31dc6e3e65461a52bb7f161f8c48e807ccd91d34f3382574d66314eac538d*",".{0,1000}a1c31dc6e3e65461a52bb7f161f8c48e807ccd91d34f3382574d66314eac538d.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","32271" "*a1cb3625445b64b0302323e1f751ae23885d31e5a260766f85f492498cc43362*",".{0,1000}a1cb3625445b64b0302323e1f751ae23885d31e5a260766f85f492498cc43362.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32274" 
"*a1d79ad7af2af9ffbcad20b0b5555f6a64d46eb19deada41d93e8becbd4866e3*",".{0,1000}a1d79ad7af2af9ffbcad20b0b5555f6a64d46eb19deada41d93e8becbd4866e3.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32276" "*a1d89c9d81a2e9c7558e8f0c91ec8652d40af94726f3125f9fe31206adb528de*",".{0,1000}a1d89c9d81a2e9c7558e8f0c91ec8652d40af94726f3125f9fe31206adb528de.{0,1000}","greyware_tool_keyword","RpcView","RpcView is a free tool to explore and decompile Microsoft RPC interfaces","T1082 - T1016 - T1046 - T1622","TA0007 - TA0008","N/A","Dispossessor","Discovery","https://github.com/silverf0x/RpcView","1","0","#filehash","N/A","6","10","965","255","2023-09-24T19:58:04Z","2017-03-14T19:14:45Z","32277" "*a1f3b5d701bc32776e8a37bcda5a73dbde9d5b1de9f6037aac09cbbb2542d1cf*",".{0,1000}a1f3b5d701bc32776e8a37bcda5a73dbde9d5b1de9f6037aac09cbbb2542d1cf.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32284" "*a1fb68b35a61692176728a943a95433fb26263a3a6439239a122eb6e6918d2cd*",".{0,1000}a1fb68b35a61692176728a943a95433fb26263a3a6439239a122eb6e6918d2cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - 
BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32287" "*a1fccf26ba0a2f7ae387b9e639c8e87885ac5fca39e9eb3a24d7386d296252c2*",".{0,1000}a1fccf26ba0a2f7ae387b9e639c8e87885ac5fca39e9eb3a24d7386d296252c2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32288" "*a1fec79b3327cadea501d3dda9437a38184fc2ef3981f1b8d92245aaf8213007*",".{0,1000}a1fec79b3327cadea501d3dda9437a38184fc2ef3981f1b8d92245aaf8213007.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32290" "*a1-server-prod-even.action1.com*",".{0,1000}a1\-server\-prod\-even\.action1\.com.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","32291" "*a2031a3ae2df3902ff26bfeff68f5c04a852e0d815b8e8dcbb2085f08b23656f*",".{0,1000}a2031a3ae2df3902ff26bfeff68f5c04a852e0d815b8e8dcbb2085f08b23656f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - 
T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32293" "*a20cd9ca2f6e691c531cf7d30c46bfadce77e609c90a5fe4b37254f14e5a934f*",".{0,1000}a20cd9ca2f6e691c531cf7d30c46bfadce77e609c90a5fe4b37254f14e5a934f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32297" "*a20fb6cf0d1e9c86de68b8665fbbf0974b04c69beccd41d7123f6b3004221beb*",".{0,1000}a20fb6cf0d1e9c86de68b8665fbbf0974b04c69beccd41d7123f6b3004221beb.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32299" "*a21da11f4b13fe90291c32e009c9aa97784650634b8be5db08d075a43453b72d*",".{0,1000}a21da11f4b13fe90291c32e009c9aa97784650634b8be5db08d075a43453b72d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32301" "*a220124d70563eb4e79926b0b7ff4bfab36fc29d58b21152455ae1c63bbd5a28*",".{0,1000}a220124d70563eb4e79926b0b7ff4bfab36fc29d58b21152455ae1c63bbd5a28.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32302" "*a22417b2eccc3ab5a32aecee8bd004cbbef73fe80d58119d23223163985d1f6b*",".{0,1000}a22417b2eccc3ab5a32aecee8bd004cbbef73fe80d58119d23223163985d1f6b.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32305" "*a226d27b749d8376ceb696401bd3186e9942d5ed055aba2a37cff5d835aa510a*",".{0,1000}a226d27b749d8376ceb696401bd3186e9942d5ed055aba2a37cff5d835aa510a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32306" "*a2299ebe21ea5937b4a8b561f951eb0baab03299431b2142af521ff7f230045b*",".{0,1000}a2299ebe21ea5937b4a8b561f951eb0baab03299431b2142af521ff7f230045b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32307" "*a2325e3fae41452930747860e4bcc8e6767b55d041788a4e1d583ec1c63ed648*",".{0,1000}a2325e3fae41452930747860e4bcc8e6767b55d041788a4e1d583ec1c63ed648.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32308" "*a237c330ee6a0a63a4604457b51440f9b34b8782a044ee247d8eba0bb4353dda*",".{0,1000}a237c330ee6a0a63a4604457b51440f9b34b8782a044ee247d8eba0bb4353dda.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32311" "*a249c503a622599ba68330f323de22a457e058157cb8e38cd3e59581993c03d2*",".{0,1000}a249c503a622599ba68330f323de22a457e058157cb8e38cd3e59581993c03d2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32316" "*a2551565a931107db6e9ed883c7252bcfb51b185f95d598cffc30dc7997c4d61*",".{0,1000}a2551565a931107db6e9ed883c7252bcfb51b185f95d598cffc30dc7997c4d61.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32318" "*a25a28812d135f5a5dbc0a5a697cce19d94acd80913472d3dcc61178f9479e40*",".{0,1000}a25a28812d135f5a5dbc0a5a697cce19d94acd80913472d3dcc61178f9479e40.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32319" "*a262487a6bac019c52f1ada940aa357f0be3c69cf1232a052115e74723a65ade*",".{0,1000}a262487a6bac019c52f1ada940aa357f0be3c69cf1232a052115e74723a65ade.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","32323" "*a26411f870a108af946d0b0298a2af36b88a3de21af299e71211e6da101f8e41*",".{0,1000}a26411f870a108af946d0b0298a2af36b88a3de21af299e71211e6da101f8e41.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32324" "*a26d3db2560ca9d7c85ba716c7df74d53a6a10166ab88f338a73a19bf4ea04d8*",".{0,1000}a26d3db2560ca9d7c85ba716c7df74d53a6a10166ab88f338a73a19bf4ea04d8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32325" "*a2749791478d33e10f88bba9c8191f42614e8606189f3a01a1406a2b47227a79*",".{0,1000}a2749791478d33e10f88bba9c8191f42614e8606189f3a01a1406a2b47227a79.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32327" "*a2798030e4a1455864158becf472780f95d347588b681031366fb776741c0880*",".{0,1000}a2798030e4a1455864158becf472780f95d347588b681031366fb776741c0880.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32330" "*a27ce45798527f143d059cfecd0d2c8e976da75ae6c70f4eaeced862062f044d*",".{0,1000}a27ce45798527f143d059cfecd0d2c8e976da75ae6c70f4eaeced862062f044d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32331" "*a2832e8890afc52378378b32a90719a1183d1323c957a87c54fcd9329e702033*",".{0,1000}a2832e8890afc52378378b32a90719a1183d1323c957a87c54fcd9329e702033.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32334" "*a2a15e31637a92f08e230895fff885e377a611ca7b422c2fe40abd6d7e29dfe6*",".{0,1000}a2a15e31637a92f08e230895fff885e377a611ca7b422c2fe40abd6d7e29dfe6.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32339" "*a2a4ca5c8cbd085efefb71b5ff652d12425d6b16cdd3f22426c0a6f32d109942*",".{0,1000}a2a4ca5c8cbd085efefb71b5ff652d12425d6b16cdd3f22426c0a6f32d109942.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32340" "*a2a82a2374bd7e6ade1645b0460c385b124bc7cce906c736f0b067ab21f0edaf*",".{0,1000}a2a82a2374bd7e6ade1645b0460c385b124bc7cce906c736f0b067ab21f0edaf.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32342" "*a2af16bc6414fd3ce32d31efb76128bc14408027e654eada6569ee99df350a35*",".{0,1000}a2af16bc6414fd3ce32d31efb76128bc14408027e654eada6569ee99df350a35.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32345" "*a2ca44232694b093a519194ef60da00ba8a0ab33de579105c1945b9dc00097cc*",".{0,1000}a2ca44232694b093a519194ef60da00ba8a0ab33de579105c1945b9dc00097cc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32352" "*a2e65bd4579385605e7233852bea4627cf94a2ee83e6233d462740b7e930c284*",".{0,1000}a2e65bd4579385605e7233852bea4627cf94a2ee83e6233d462740b7e930c284.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32357" "*a2fa034d006bdbc3ee2a15e55eb647f8097355c288a858da1e309fe8ac1cf0a3*",".{0,1000}a2fa034d006bdbc3ee2a15e55eb647f8097355c288a858da1e309fe8ac1cf0a3.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","32359" 
"*a32362b2769cb3cd8caa10722c50208b7170fe82d3663e85425df416422b4d22*",".{0,1000}a32362b2769cb3cd8caa10722c50208b7170fe82d3663e85425df416422b4d22.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","32366" "*a343c8f23ba35c943e1c9311df17eb12f84c682d2ba0e965e244a49759b65f28*",".{0,1000}a343c8f23ba35c943e1c9311df17eb12f84c682d2ba0e965e244a49759b65f28.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32375" "*a3441775e9833939a238c5b13fe8564b225ef0def7983fc9ef1746e48f3f82ed*",".{0,1000}a3441775e9833939a238c5b13fe8564b225ef0def7983fc9ef1746e48f3f82ed.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32376" "*A3454AF1-12AF-4952-B26D-FF0930DB779E*",".{0,1000}A3454AF1\-12AF\-4952\-B26D\-FF0930DB779E.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & 
Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#GUIDproject","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","32377" "*a347a180847fa3dca00bc28dd1321f5b332fdf574c73ea2b30ef3fab63b2380b*",".{0,1000}a347a180847fa3dca00bc28dd1321f5b332fdf574c73ea2b30ef3fab63b2380b.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32378" "*a34e20b1abe27f830bdc259a6d9813a521bab31004cc9de8924fbc9833d9f3f5*",".{0,1000}a34e20b1abe27f830bdc259a6d9813a521bab31004cc9de8924fbc9833d9f3f5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32379" "*a35294253d487a15fd813da9ec51e1f9c71e6ba81a5e19caf2401a87572627de*",".{0,1000}a35294253d487a15fd813da9ec51e1f9c71e6ba81a5e19caf2401a87572627de.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","32380" "*a355fed40b126e5a6fe1963d63bb12397f6fd5a88f0e67a4325dafa925229e56*",".{0,1000}a355fed40b126e5a6fe1963d63bb12397f6fd5a88f0e67a4325dafa925229e56.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32383" "*a37163c7c31a96ed6d72fb1b9e792ca8245c2bea5504fa87178fda29f00a0e6f*",".{0,1000}a37163c7c31a96ed6d72fb1b9e792ca8245c2bea5504fa87178fda29f00a0e6f.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","32388" "*a37e18adcfa7a9faa14430814c622ad6a321cfa65d53d8ca54fed7a55f7c2806*",".{0,1000}a37e18adcfa7a9faa14430814c622ad6a321cfa65d53d8ca54fed7a55f7c2806.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32391" "*a393bd2a8a781b63fd58b3b343222ff70c8f7669be23078f844a101144368800*",".{0,1000}a393bd2a8a781b63fd58b3b343222ff70c8f7669be23078f844a101144368800.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32397" "*a3ac47f75e01e2efedea26ee4cf9ef3b4f45d12c45dd429438e03224c055832c*",".{0,1000}a3ac47f75e01e2efedea26ee4cf9ef3b4f45d12c45dd429438e03224c055832c.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32401" "*a3e6acda8965a5770977ec13a0431d2c544d12bc3f0c898a7c76cdf81ae33a69*",".{0,1000}a3e6acda8965a5770977ec13a0431d2c544d12bc3f0c898a7c76cdf81ae33a69.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32415" "*a3eacf76e0d6b305982cba0115dff905c8de86bd2768011b41338f8d276e0c1c*",".{0,1000}a3eacf76e0d6b305982cba0115dff905c8de86bd2768011b41338f8d276e0c1c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32416" "*a3f01a59bca7cb330bf680019595bbbf5f8167494fab4c46eaaf836fdc3a1902*",".{0,1000}a3f01a59bca7cb330bf680019595bbbf5f8167494fab4c46eaaf836fdc3a1902.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32419" "*a3f300ec99b3dc8666396091067c8a7ccc224d05d1ce67f66b67f88cd0d3b279*",".{0,1000}a3f300ec99b3dc8666396091067c8a7ccc224d05d1ce67f66b67f88cd0d3b279.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32420" "*a3f949008272bef1ec57519e2417f80fcdfcb633eda2c0c0e102062ffe37e62f*",".{0,1000}a3f949008272bef1ec57519e2417f80fcdfcb633eda2c0c0e102062ffe37e62f.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","32421" "*a40a7980c5fbe507c565bfd7dc5ce979b287ace92ffacb4e5209deef2d2bf5fa*",".{0,1000}a40a7980c5fbe507c565bfd7dc5ce979b287ace92ffacb4e5209deef2d2bf5fa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian 
- Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32427" "*a41466714ba9463978139a62d241893a034425235b61ecf2efd868857e1c83b5*",".{0,1000}a41466714ba9463978139a62d241893a034425235b61ecf2efd868857e1c83b5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32431" "*a41b226ee731ac6c200b17e4367a5f57515f826896aed0a37f0595f9fe68b979*",".{0,1000}a41b226ee731ac6c200b17e4367a5f57515f826896aed0a37f0595f9fe68b979.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32433" "*a41b7612e1057aff1743cdd0c9cf2dddd07f7e4e0340d419f05c42612b118a02*",".{0,1000}a41b7612e1057aff1743cdd0c9cf2dddd07f7e4e0340d419f05c42612b118a02.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32434" "*a4239ce6da7f2934b3d732865bbfe7a866efbdcda80258bc4a247d3def967f9c*",".{0,1000}a4239ce6da7f2934b3d732865bbfe7a866efbdcda80258bc4a247d3def967f9c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32437" "*a42f8bc0fa9c489ea06896d74810c9bfab10738b137bc567c3e656ec6f8f5d1d*",".{0,1000}a42f8bc0fa9c489ea06896d74810c9bfab10738b137bc567c3e656ec6f8f5d1d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32440" "*a44b8353ce6c74595c2426c02d79495ffdd4b2472286b8622a901a430ed25251*",".{0,1000}a44b8353ce6c74595c2426c02d79495ffdd4b2472286b8622a901a430ed25251.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","32446" "*a44ba10f3e101f1118ea65ff2272e1b2da2d0ac96ceb0043bf3c9c75ad4a53a7*",".{0,1000}a44ba10f3e101f1118ea65ff2272e1b2da2d0ac96ceb0043bf3c9c75ad4a53a7.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","32447" "*a45f1250e0125326747fcd299ef10b98e39b4fa7e6d6865dabe0a6c8225013ef*",".{0,1000}a45f1250e0125326747fcd299ef10b98e39b4fa7e6d6865dabe0a6c8225013ef.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - 
Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32452" "*a460000e3b3b1aa7da1909db5743f6b90b4df8ca8ead740e47136d3abeffbaec*",".{0,1000}a460000e3b3b1aa7da1909db5743f6b90b4df8ca8ead740e47136d3abeffbaec.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32453" "*a4623a06a0787afdbebf56aa1f406229d7457beb36c316e67ea90346e6921bb6*",".{0,1000}a4623a06a0787afdbebf56aa1f406229d7457beb36c316e67ea90346e6921bb6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32454" "*a46a1cfc06ed9eb2276a879dcc949fe0256d511cf0925ab2343b9e92542fb8f2*",".{0,1000}a46a1cfc06ed9eb2276a879dcc949fe0256d511cf0925ab2343b9e92542fb8f2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32456" 
"*a47c13e667e16a8598e32ae5ed11e2d04dc8846af682ea3aebe42716e964a278*",".{0,1000}a47c13e667e16a8598e32ae5ed11e2d04dc8846af682ea3aebe42716e964a278.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32460" "*a47d75d634790109eaa5768d4e5cb504988e3754dcfe458072ef0b46d9aea419*",".{0,1000}a47d75d634790109eaa5768d4e5cb504988e3754dcfe458072ef0b46d9aea419.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32461" "*a483e9f06a8e03c3a09028279f8a03380dfc41c5ee85327763e684c866f9019f*",".{0,1000}a483e9f06a8e03c3a09028279f8a03380dfc41c5ee85327763e684c866f9019f.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32463" "*a48dfc0e20bd69e3774d74860f2a74691addf9fbaae42c71450561a4d526f92a*",".{0,1000}a48dfc0e20bd69e3774d74860f2a74691addf9fbaae42c71450561a4d526f92a.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32467" "*a48e07ec7e49b7db108e6491d061d118b5c0b52dcf3bbc60390d4b2b9011f8dc*",".{0,1000}a48e07ec7e49b7db108e6491d061d118b5c0b52dcf3bbc60390d4b2b9011f8dc.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","32468" "*a49b64c34c17e2f94a789517960f3438cab8b92f8e21560320be9ef68065c9fa*",".{0,1000}a49b64c34c17e2f94a789517960f3438cab8b92f8e21560320be9ef68065c9fa.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32472" "*a4b0f3f35a5fb57515736985a37f348b9a3303515d5c381ecf95f3422f124da5*",".{0,1000}a4b0f3f35a5fb57515736985a37f348b9a3303515d5c381ecf95f3422f124da5.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32475" "*a4c1317ecb23efbf995cdf4b05c514fcd005d08ea50284e7c5b50f2ae312d88d*",".{0,1000}a4c1317ecb23efbf995cdf4b05c514fcd005d08ea50284e7c5b50f2ae312d88d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32478" "*a4c9bcf5a748e432e6ae84393c4d174d7f1b7cc6a3e7308183ac829970b73e6e*",".{0,1000}a4c9bcf5a748e432e6ae84393c4d174d7f1b7cc6a3e7308183ac829970b73e6e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32479" "*a4e37ca2c83f78a36945b82a7779749ecbf9661e9e6e4e881ab6d41666e1f669*",".{0,1000}a4e37ca2c83f78a36945b82a7779749ecbf9661e9e6e4e881ab6d41666e1f669.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32486" "*a4e6692b22ae9d6e230116f6f530c9775ab4d38743c460dc099f948e92cf075d*",".{0,1000}a4e6692b22ae9d6e230116f6f530c9775ab4d38743c460dc099f948e92cf075d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32487" "*a4ea0ed17ef1028ac4a9f18bc7fc1aae6e3dd741cdaee8c073c66b8316ba2fc1*",".{0,1000}a4ea0ed17ef1028ac4a9f18bc7fc1aae6e3dd741cdaee8c073c66b8316ba2fc1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32490" "*a5077f2fed33c896f464b7e3122debb2cbf0e3a4a69b848313113f8ec06d1aae*",".{0,1000}a5077f2fed33c896f464b7e3122debb2cbf0e3a4a69b848313113f8ec06d1aae.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32495" "*a50a1a9bd8b387a4e1762adb62f09c416835aa15de9a27e79815b5b62c5951ec*",".{0,1000}a50a1a9bd8b387a4e1762adb62f09c416835aa15de9a27e79815b5b62c5951ec.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32496" "*a51ca6422305b85196bb505e9f7e3ba390af7cd442254b10753dc2c101ff5165*",".{0,1000}a51ca6422305b85196bb505e9f7e3ba390af7cd442254b10753dc2c101ff5165.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32504" 
"*a5209d425fa5e65dc69e5187454446b5a035b3762a325b6ba0606fc168041c76*",".{0,1000}a5209d425fa5e65dc69e5187454446b5a035b3762a325b6ba0606fc168041c76.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","32505" "*a522a8bfbf83bf52cde85edb32577d6b9acddac6e3a432726f659ae7dd5a6a96*",".{0,1000}a522a8bfbf83bf52cde85edb32577d6b9acddac6e3a432726f659ae7dd5a6a96.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","32506" "*a539e169941f55d687ca44c90a5a90715dd23871a04a64f1712e08e758df0ec0*",".{0,1000}a539e169941f55d687ca44c90a5a90715dd23871a04a64f1712e08e758df0ec0.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","0","#filehash","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","32510" "*a5496a0364e4e071aa6a1cbcfd519e35ac8dcb4eac9a24e6a22340c4d4cf1914*",".{0,1000}a5496a0364e4e071aa6a1cbcfd519e35ac8dcb4eac9a24e6a22340c4d4cf1914.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32515" "*a54e83a923cedcae9c948e438cc3213c49e2c207f3914fdb5254d213d62604eb*",".{0,1000}a54e83a923cedcae9c948e438cc3213c49e2c207f3914fdb5254d213d62604eb.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","32516" "*a55808e01d6b1dfb6776665e566a8e434b0ff2846451909fd8748a7ce0d4c031*",".{0,1000}a55808e01d6b1dfb6776665e566a8e434b0ff2846451909fd8748a7ce0d4c031.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32521" "*a5581e05f792ca9ddec49004a9e3c9d203663e1b2ab330364d1e6ccb32bd8226*",".{0,1000}a5581e05f792ca9ddec49004a9e3c9d203663e1b2ab330364d1e6ccb32bd8226.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32522" 
"*a55f8d6661a379fe2992f0054da97667d021f6bcbc5a5aa6c5b91828e8112711*",".{0,1000}a55f8d6661a379fe2992f0054da97667d021f6bcbc5a5aa6c5b91828e8112711.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32524" "*a5644b66bdcff05e69196f812127199c85dad1e65a34d62a8d50030a176b3bce*",".{0,1000}a5644b66bdcff05e69196f812127199c85dad1e65a34d62a8d50030a176b3bce.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32525" "*a5656349a6b98aba519b6222ad470fdb2a95903ae5ebf0b90819c441cd8dba8b*",".{0,1000}a5656349a6b98aba519b6222ad470fdb2a95903ae5ebf0b90819c441cd8dba8b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32526" 
"*a56d026e58a0dd62c8104fc9deb5a60ab7a531ae657a950f5f4fa8bc9765931e*",".{0,1000}a56d026e58a0dd62c8104fc9deb5a60ab7a531ae657a950f5f4fa8bc9765931e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32530" "*a56d443310f333dae0b4900ca18d0f903f5076369ae4053c035d9c39d76f59b2*",".{0,1000}a56d443310f333dae0b4900ca18d0f903f5076369ae4053c035d9c39d76f59b2.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","32531" "*a577a27e8304b63365699d0220bade895000da9fde1b29fdb0925292dcff0b4f*",".{0,1000}a577a27e8304b63365699d0220bade895000da9fde1b29fdb0925292dcff0b4f.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","32533" "*a578c81ce8548ef3f5f92a572c15aba6369fe262f19e0bfd74b694b3609380f9*",".{0,1000}a578c81ce8548ef3f5f92a572c15aba6369fe262f19e0bfd74b694b3609380f9.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32535" "*a581c3c813327c36e97ca933d0169224d82a428b596b1d64492b06108ac4b97d*",".{0,1000}a581c3c813327c36e97ca933d0169224d82a428b596b1d64492b06108ac4b97d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32537" "*a58286cef52371c6103a194d90224cd693e69b544e06fa40784de35af6277512*",".{0,1000}a58286cef52371c6103a194d90224cd693e69b544e06fa40784de35af6277512.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense 
Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","32538" "*a583e31f6c18a593b681896402295f35a903df7bc34faae45914679b3e9751b9*",".{0,1000}a583e31f6c18a593b681896402295f35a903df7bc34faae45914679b3e9751b9.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","32540" "*a58c0cd4b456e360cfda39c325137343484606e93b500142a2a6730dd0b9dae1*",".{0,1000}a58c0cd4b456e360cfda39c325137343484606e93b500142a2a6730dd0b9dae1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32544" "*a59970f075f30ba38301eb4eafd5eb0149f86c84649c99488394d4e01d08aa25*",".{0,1000}a59970f075f30ba38301eb4eafd5eb0149f86c84649c99488394d4e01d08aa25.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32550" 
"*a5c16b96d4df537cdc307206b955f7808b58fc2fb425a327bcd6e0bccf95c1ba*",".{0,1000}a5c16b96d4df537cdc307206b955f7808b58fc2fb425a327bcd6e0bccf95c1ba.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32558" "*a5cde52a2ed2746ee659faac3008f1cdfdc0c6bf3d13d1a673cf4ebdbbd7cbe1*",".{0,1000}a5cde52a2ed2746ee659faac3008f1cdfdc0c6bf3d13d1a673cf4ebdbbd7cbe1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32561" "*a5dd833c5c1f9ac79705b4fddd9d9e7dde9b25f5bbf79a7dc1c00537f181f47a*",".{0,1000}a5dd833c5c1f9ac79705b4fddd9d9e7dde9b25f5bbf79a7dc1c00537f181f47a.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","32566" "*a5e57662131399ad586e4b5c4a942bc9029104331953fdbdbfd6e8a0cdad9ccc*",".{0,1000}a5e57662131399ad586e4b5c4a942bc9029104331953fdbdbfd6e8a0cdad9ccc.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - 
T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","32568" "*a5e9856fc84492bf129cca06659842ccc9705f7e24eaa9bd6ec5d529f7c61abb*",".{0,1000}a5e9856fc84492bf129cca06659842ccc9705f7e24eaa9bd6ec5d529f7c61abb.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","32571" "*a5fa4d3e02ec0196dd34d81d21118e6bf4014405cefd9a8e99b3fec15d4bf057*",".{0,1000}a5fa4d3e02ec0196dd34d81d21118e6bf4014405cefd9a8e99b3fec15d4bf057.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","32574" "*a63ba98cc13645f84549367e1a0d5efb18da9fb0d7203c3c1c3f366331204758*",".{0,1000}a63ba98cc13645f84549367e1a0d5efb18da9fb0d7203c3c1c3f366331204758.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32598" "*a644c87ef0ae3fda790a705dae60cb7c7d2c1153ea3def2fe6f56a822d2e4e9e*",".{0,1000}a644c87ef0ae3fda790a705dae60cb7c7d2c1153ea3def2fe6f56a822d2e4e9e.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","32603" "*a660a94c158cb280974447efd174d3525d806ac7235f6546abeb1a57660a1125*",".{0,1000}a660a94c158cb280974447efd174d3525d806ac7235f6546abeb1a57660a1125.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32613" "*a66fa8f23507c11444e52e58ea00e3b38e972a5d95fdb51a824967fd8183460a*",".{0,1000}a66fa8f23507c11444e52e58ea00e3b38e972a5d95fdb51a824967fd8183460a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32615" "*a67a2d20c217e9923d9a614870d54152379c8d4f2232114a158d5e88f9ccd4b1*",".{0,1000}a67a2d20c217e9923d9a614870d54152379c8d4f2232114a158d5e88f9ccd4b1.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32619" "*a6990ac66bfbbfeaef787dff39ec08610cca7c77d33747b5a76583e7f7916f2c*",".{0,1000}a6990ac66bfbbfeaef787dff39ec08610cca7c77d33747b5a76583e7f7916f2c.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","32622" "*a6adb2db09d7d3a546e55248375ec27eb235caff4707c3e5c5c669f5365edbb1*",".{0,1000}a6adb2db09d7d3a546e55248375ec27eb235caff4707c3e5c5c669f5365edbb1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32624" "*a6b04710778f15b52322aed66b7e6dde036af3a8e208ba65e7a79d905bce764c*",".{0,1000}a6b04710778f15b52322aed66b7e6dde036af3a8e208ba65e7a79d905bce764c.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32625" 
"*a6c8218887fdb66cefdced3195f1424a714add1f6fe369ba7ddbfe1e7434191b*",".{0,1000}a6c8218887fdb66cefdced3195f1424a714add1f6fe369ba7ddbfe1e7434191b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32628" "*a6d0d66175c5968762fcb0cb5b967cb7add0ca4b11fa276899cf8de9a1c20c7f*",".{0,1000}a6d0d66175c5968762fcb0cb5b967cb7add0ca4b11fa276899cf8de9a1c20c7f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32630" "*a6d7077ea6b3c4aeb393c266652682661f77e334b1809372eb260f9d24d2e648*",".{0,1000}a6d7077ea6b3c4aeb393c266652682661f77e334b1809372eb260f9d24d2e648.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32631" "*a6d80ede0043ee980ff8f7f70acabb0e318c18d4514f90a131250232b33f2933*",".{0,1000}a6d80ede0043ee980ff8f7f70acabb0e318c18d4514f90a131250232b33f2933.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32632" 
"*a6e07cccc0d66a5894500a057fe92440f1e372bda4856f148244ba369bf521de*",".{0,1000}a6e07cccc0d66a5894500a057fe92440f1e372bda4856f148244ba369bf521de.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","32633" "*a6e54383b67446523cb54671b2ce35167bd8c4b9a507025862fed74f0ebe27f2*",".{0,1000}a6e54383b67446523cb54671b2ce35167bd8c4b9a507025862fed74f0ebe27f2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32634" "*a6ebeb84345adc07ff6fad6bc4e8f404dbad73c106a6e2f8a7f635e062efe9ed*",".{0,1000}a6ebeb84345adc07ff6fad6bc4e8f404dbad73c106a6e2f8a7f635e062efe9ed.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32635" "*a6f3ff605f199266c8472781574921fed6c22885666216ad0ce41e2ed3cf404b*",".{0,1000}a6f3ff605f199266c8472781574921fed6c22885666216ad0ce41e2ed3cf404b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 
8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32637" "*a70208a1f564cce41472dc8e87cd9e4d9bff7feb6ca03407282ffdd935967ba3*",".{0,1000}a70208a1f564cce41472dc8e87cd9e4d9bff7feb6ca03407282ffdd935967ba3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32646" "*a706b0c389ebfbd01cbdf08359c81497eda81c315a7963960ed8968a2173c866*",".{0,1000}a706b0c389ebfbd01cbdf08359c81497eda81c315a7963960ed8968a2173c866.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32647" "*a71ed4cf45715b2934a723bdf6342b23fa7c467fc374d54e7f94fbd817829a6e*",".{0,1000}a71ed4cf45715b2934a723bdf6342b23fa7c467fc374d54e7f94fbd817829a6e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32654" "*a7266ba33c7873fcacfaa675551204bbc56549ec7d859635822009e0e2bda9d3*",".{0,1000}a7266ba33c7873fcacfaa675551204bbc56549ec7d859635822009e0e2bda9d3.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","32656" "*a729d963fcf9c8fa5dab77203d950fe091b15477c8ec598e5604acb2e191c8cf*",".{0,1000}a729d963fcf9c8fa5dab77203d950fe091b15477c8ec598e5604acb2e191c8cf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32658" "*a73a39cce96e40c9e574607561cabeb8f0b46ffa5b996c1071d434e6a72e34bf*",".{0,1000}a73a39cce96e40c9e574607561cabeb8f0b46ffa5b996c1071d434e6a72e34bf.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32660" 
"*a73d83dd80d910135838437fc31497f5a865c8021c38cebe29805c237115a995*",".{0,1000}a73d83dd80d910135838437fc31497f5a865c8021c38cebe29805c237115a995.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32661" "*a7446e282755e5340b33572986e83bffa2a984d04d6f465d0a30da9538f9cea4*",".{0,1000}a7446e282755e5340b33572986e83bffa2a984d04d6f465d0a30da9538f9cea4.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32662" "*a748cb077987a0a404222a7a817c2326b42cd55d24e3c0a03ebfa06176a1c28d*",".{0,1000}a748cb077987a0a404222a7a817c2326b42cd55d24e3c0a03ebfa06176a1c28d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32666" "*a74c5c5699517281aa37e2b00acb36a32b33d7d7c686a41c8d6fc2a1594d3611*",".{0,1000}a74c5c5699517281aa37e2b00acb36a32b33d7d7c686a41c8d6fc2a1594d3611.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network 
scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32669" "*a75a10d43c1ec77f2e59232d6c4f66662d7d3c9d28195d3b4aa9e201d0d28ae6*",".{0,1000}a75a10d43c1ec77f2e59232d6c4f66662d7d3c9d28195d3b4aa9e201d0d28ae6.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32675" "*a7626329b690c269d640555033e156a55cffb967f11556eb782ff130d0ad7982*",".{0,1000}a7626329b690c269d640555033e156a55cffb967f11556eb782ff130d0ad7982.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32679" "*a77d3fa9419c5dc12ebd94eb5b97be3cff2c12b00dbe3884adc9ffcedf73909e*",".{0,1000}a77d3fa9419c5dc12ebd94eb5b97be3cff2c12b00dbe3884adc9ffcedf73909e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32684" "*a792cd515589050d475a28b714276a2960ed7ef8e0e5baeea3d38301a775fbb4*",".{0,1000}a792cd515589050d475a28b714276a2960ed7ef8e0e5baeea3d38301a775fbb4.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local 
server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","32691" "*a79a4c3ae4ecd33b7c078631d3424137ff332d7897ecd6e9ddee28df138a0064*",".{0,1000}a79a4c3ae4ecd33b7c078631d3424137ff332d7897ecd6e9ddee28df138a0064.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","32693" "*a79bc1f4c36a377d1beb707300e47c0ba6c3bea953f77f6e2a0435a5a23f1cd3*",".{0,1000}a79bc1f4c36a377d1beb707300e47c0ba6c3bea953f77f6e2a0435a5a23f1cd3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32694" "*a7a2808a64b5ee630b2ce13597623de03ca5d7a27870aa72f3e0f8156f20d10c*",".{0,1000}a7a2808a64b5ee630b2ce13597623de03ca5d7a27870aa72f3e0f8156f20d10c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32697" "*a7a82eca050224c9cd070fea1d4208fe92358c5942321d6e01eff84a77839fb8*",".{0,1000}a7a82eca050224c9cd070fea1d4208fe92358c5942321d6e01eff84a77839fb8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors 
for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32699" "*a7b789b5fbd81fafca5a5dca4671de13c6bf3b54b807c513d03bd1ee3f5290a9*",".{0,1000}a7b789b5fbd81fafca5a5dca4671de13c6bf3b54b807c513d03bd1ee3f5290a9.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","32706" "*a7c2394f127db053d7da7e57353e017b319406f6474ff0318a8545c85cf55d80*",".{0,1000}a7c2394f127db053d7da7e57353e017b319406f6474ff0318a8545c85cf55d80.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32710" "*a7c3d70099b1df9cb3165a8b5885fa727a778f3b3526811c0b5f16c30dccc492*",".{0,1000}a7c3d70099b1df9cb3165a8b5885fa727a778f3b3526811c0b5f16c30dccc492.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","32711" "*a7c7396da9d14ba531ea5c09d8920ad52eb2300b2d48ed368413cb77c5035ce4*",".{0,1000}a7c7396da9d14ba531ea5c09d8920ad52eb2300b2d48ed368413cb77c5035ce4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - 
T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32712" "*a7db865b054314d253293a1f427d3a155da5164060804aac431020e26a40e1ad*",".{0,1000}a7db865b054314d253293a1f427d3a155da5164060804aac431020e26a40e1ad.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","32715" "*a7dff33a69fd314049f9b1ad78340c875ba5681eb4a828d1cebc79e6f09bf35c*",".{0,1000}a7dff33a69fd314049f9b1ad78340c875ba5681eb4a828d1cebc79e6f09bf35c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32717" "*a7e554c6cc81ad47e14924815e282b319b5c877aa05aad093eafb8252a940af3*",".{0,1000}a7e554c6cc81ad47e14924815e282b319b5c877aa05aad093eafb8252a940af3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32719" 
"*a7eec25a26998f786481137e8bca3b7fce2275502cec2221a01113c7811fbf48*",".{0,1000}a7eec25a26998f786481137e8bca3b7fce2275502cec2221a01113c7811fbf48.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32722" "*a8048a99c160781dd4b323d3751f9717663265416de4495fd9c7227bbee8a2f8*",".{0,1000}a8048a99c160781dd4b323d3751f9717663265416de4495fd9c7227bbee8a2f8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32728" "*a8135d2e58969e12d4bd99bbd3bd8866fca9a151b4cb6a0615e602dd9cfa5e3a*",".{0,1000}a8135d2e58969e12d4bd99bbd3bd8866fca9a151b4cb6a0615e602dd9cfa5e3a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32731" "*a819a2e3e513712ec9dcba8129b7471aafc70ca6631561a8f6a4881a51ffa2c4*",".{0,1000}a819a2e3e513712ec9dcba8129b7471aafc70ca6631561a8f6a4881a51ffa2c4.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp 
or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","32734" "*a81e90b8c56431c28537a4232b76cd55cf44217eabc106d359840f10be32d465*",".{0,1000}a81e90b8c56431c28537a4232b76cd55cf44217eabc106d359840f10be32d465.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32735" "*a81eb95cde4ef661850546c816e9884b8adabf279a84e779b4e0b6bf6a02649e*",".{0,1000}a81eb95cde4ef661850546c816e9884b8adabf279a84e779b4e0b6bf6a02649e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32736" "*a8392f36da158c474403c3fee97076c704714db05735b0c23bec268d591e27b2*",".{0,1000}a8392f36da158c474403c3fee97076c704714db05735b0c23bec268d591e27b2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32743" "*a853e1ad13c03ed6e28dba69cd407bfb2bdde3401c83abe79ab57a42fbd8968a*",".{0,1000}a853e1ad13c03ed6e28dba69cd407bfb2bdde3401c83abe79ab57a42fbd8968a.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","32753" "*a857a9f7a34b247348439a6b13dda18e4aafa381eb7d50215610d9d360d68485*",".{0,1000}a857a9f7a34b247348439a6b13dda18e4aafa381eb7d50215610d9d360d68485.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","32755" "*a85ff11195be3386ea7d68cb9bf2fa7c43896ce22b8a5f95b63b5737a6fb388e*",".{0,1000}a85ff11195be3386ea7d68cb9bf2fa7c43896ce22b8a5f95b63b5737a6fb388e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32756" "*a8813d25c4640e52495fee83e525e76283c63f01d1cce8fbb58d8486b0c20c8a*",".{0,1000}a8813d25c4640e52495fee83e525e76283c63f01d1cce8fbb58d8486b0c20c8a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32760" "*a88ca09d1dd051d470965667a224a2b81930c6628a0566b7b17868be40207dc8*",".{0,1000}a88ca09d1dd051d470965667a224a2b81930c6628a0566b7b17868be40207dc8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32763" "*a892f70b16b239a1f6caea1877c3f5d3747c1b3e3f5d94d49e21050d5b873ecc*",".{0,1000}a892f70b16b239a1f6caea1877c3f5d3747c1b3e3f5d94d49e21050d5b873ecc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32766" "*a8a01db928e625521789fb4187b72857049ea2542d1795afbe581ed6d77e6bc1*",".{0,1000}a8a01db928e625521789fb4187b72857049ea2542d1795afbe581ed6d77e6bc1.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32770" 
"*a8a5a27b5051f5079b3a62d0e3b26c8346a7208059c6ab85dc9c7534f96dc7c0*",".{0,1000}a8a5a27b5051f5079b3a62d0e3b26c8346a7208059c6ab85dc9c7534f96dc7c0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32771" "*a8a9b5fd7a0cc44f6874c90b4170009a46a88adc92367fcafb2acd32958afc98*",".{0,1000}a8a9b5fd7a0cc44f6874c90b4170009a46a88adc92367fcafb2acd32958afc98.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32772" "*a8ab4a99f65193c1bba3f8864a0f1d39e8d7c97843b4ac0fbacc98fe1d2ec161*",".{0,1000}a8ab4a99f65193c1bba3f8864a0f1d39e8d7c97843b4ac0fbacc98fe1d2ec161.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32773" "*a8d276db0a9f5d22cd2757538f19b4fc1e234db045d7355aa656326ae8acece3*",".{0,1000}a8d276db0a9f5d22cd2757538f19b4fc1e234db045d7355aa656326ae8acece3.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability 
scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","32779" "*a8d8afce93bf8e3328ba6e223d22649fd8756cc4b39d38d72c278152fad2e435*",".{0,1000}a8d8afce93bf8e3328ba6e223d22649fd8756cc4b39d38d72c278152fad2e435.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32780" "*a8dc7da67b4c6211d0486ba8b5bed5a0fdf894109f8861acf43db8a1e87e5d74*",".{0,1000}a8dc7da67b4c6211d0486ba8b5bed5a0fdf894109f8861acf43db8a1e87e5d74.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","32781" "*a8ea3cb39c602716d396076e7621a61e3df77e4e08377f33c6aebf4cc970f26c*",".{0,1000}a8ea3cb39c602716d396076e7621a61e3df77e4e08377f33c6aebf4cc970f26c.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","32786" "*a8ebccf2cc342e1b5154989cd784691b5740a7f3df77cd8adb785f67384a93de*",".{0,1000}a8ebccf2cc342e1b5154989cd784691b5740a7f3df77cd8adb785f67384a93de.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","32788" "*a8effdadf86dd52ed13ab8051982927ea464500c36b4d0c1fff5158da2b4abed*",".{0,1000}a8effdadf86dd52ed13ab8051982927ea464500c36b4d0c1fff5158da2b4abed.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32789" "*a8f5766e5cb04c12e405ed4b8a1c984f1a0963d77529e2e20793e777dc7dd742*",".{0,1000}a8f5766e5cb04c12e405ed4b8a1c984f1a0963d77529e2e20793e777dc7dd742.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32792" "*a8f7aaf03146c6e41799154fccf90e1ac4ffa48b76d582accfd0dd4649b1e652*",".{0,1000}a8f7aaf03146c6e41799154fccf90e1ac4ffa48b76d582accfd0dd4649b1e652.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","32793" "*a907b585267cc24f1b884ace352eaca2f987c0aaf72b344a6b0da8264c5cf6a9*",".{0,1000}a907b585267cc24f1b884ace352eaca2f987c0aaf72b344a6b0da8264c5cf6a9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32796" "*a9080fc18d6015126864873dba3307b2b9c8ab5ecf79da3c1ae25cb2988fc9bd*",".{0,1000}a9080fc18d6015126864873dba3307b2b9c8ab5ecf79da3c1ae25cb2988fc9bd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32797" "*a908c8a15c730ce061360bcbb351135484b0f6e0a1fd19847888818bdab73d86*",".{0,1000}a908c8a15c730ce061360bcbb351135484b0f6e0a1fd19847888818bdab73d86.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32799" "*a91962e86f2b0b0a3a75a097ad056c5595dce4a66a204d15507d03da6eec699c*",".{0,1000}a91962e86f2b0b0a3a75a097ad056c5595dce4a66a204d15507d03da6eec699c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32803" "*a920c6b7605a82318a7f60f4a2bcab191359f6187983bbb82e56a6fe2cd7418d*",".{0,1000}a920c6b7605a82318a7f60f4a2bcab191359f6187983bbb82e56a6fe2cd7418d.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","32805" "*a930c85fbceaf955c9ae865893b20a7164b0f8020b0a61ecee56d1a1490cc285*",".{0,1000}a930c85fbceaf955c9ae865893b20a7164b0f8020b0a61ecee56d1a1490cc285.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32810" "*a94d6c1feb0034fcff3e8b4f2d65c0678f906fc21a1cf2d435341f69e7e7af52*",".{0,1000}a94d6c1feb0034fcff3e8b4f2d65c0678f906fc21a1cf2d435341f69e7e7af52.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32818" 
"*a94fff0ac12fea9c27ea48726b7cfa94067884e0c0dff6b1f7abb2ecccee0220*",".{0,1000}a94fff0ac12fea9c27ea48726b7cfa94067884e0c0dff6b1f7abb2ecccee0220.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32819" "*a9507a67b50c7e4ab38c2334ef037a78ca5cc257decf1d78b8afbdc0fa73ee18*",".{0,1000}a9507a67b50c7e4ab38c2334ef037a78ca5cc257decf1d78b8afbdc0fa73ee18.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32820" "*a95f17316afad267ca57989a4480fc157aa50618868cb19defe14e45cda7e23b*",".{0,1000}a95f17316afad267ca57989a4480fc157aa50618868cb19defe14e45cda7e23b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32822" "*a95fbce75c24a2262a98fe462872b23207c9c445ac08ea729236d29231ae3562*",".{0,1000}a95fbce75c24a2262a98fe462872b23207c9c445ac08ea729236d29231ae3562.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32823" 
"*a96191ac73f7407bf98729738792ba5aaf0395665aeff5a98127a2a5bc629cde*",".{0,1000}a96191ac73f7407bf98729738792ba5aaf0395665aeff5a98127a2a5bc629cde.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32824" "*a974d7a0717319394a473b04e6c227cf30158140fe2546ca9210acbaa1630518*",".{0,1000}a974d7a0717319394a473b04e6c227cf30158140fe2546ca9210acbaa1630518.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","32829" "*a99cbde533415b845c99754a3f454d205d6e31b11fe03e7dca01a8ff32f42646*",".{0,1000}a99cbde533415b845c99754a3f454d205d6e31b11fe03e7dca01a8ff32f42646.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32842" 
"*a9a87bdcf06a8b5ee41a1eec95c0f9c813a5f29ba6d8eec28b07d8331aa5eb85*",".{0,1000}a9a87bdcf06a8b5ee41a1eec95c0f9c813a5f29ba6d8eec28b07d8331aa5eb85.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","#filehash","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","32848" "*a9aae83a121f855ea420850fe6bb8b01e80e3dcbafcb50d819cb2f71de8fbeb7*",".{0,1000}a9aae83a121f855ea420850fe6bb8b01e80e3dcbafcb50d819cb2f71de8fbeb7.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32849" "*a9b64e47ef85ace30ca6ea6e9d79fdc665a7eb7b0a4763a659f00aa307cf7ad5*",".{0,1000}a9b64e47ef85ace30ca6ea6e9d79fdc665a7eb7b0a4763a659f00aa307cf7ad5.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","32855" "*a9c55684d85a79c12aea4a9c4c43be98addd32f88c21b240979f47b8c04cca02*",".{0,1000}a9c55684d85a79c12aea4a9c4c43be98addd32f88c21b240979f47b8c04cca02.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","32859" 
"*a9c63cf38aa31e0c152029ffe6b43c647efb81b9b2d003354ffbc8f6e65fa1c4*",".{0,1000}a9c63cf38aa31e0c152029ffe6b43c647efb81b9b2d003354ffbc8f6e65fa1c4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32860" "*a9c88d5288ce04a6cc78afcda7590d3124966dab3daa9908de9b3e492e2925fb*",".{0,1000}a9c88d5288ce04a6cc78afcda7590d3124966dab3daa9908de9b3e492e2925fb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32861" "*a9cb54d1e2377be31945692f6206a98056419b6ca641a3e79eada2a259e22226*",".{0,1000}a9cb54d1e2377be31945692f6206a98056419b6ca641a3e79eada2a259e22226.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32862" "*a9cc4cc132566b4d7ccf7def13d41d8968697033ca728d29f3eaa09074ade08b*",".{0,1000}a9cc4cc132566b4d7ccf7def13d41d8968697033ca728d29f3eaa09074ade08b.{0,1000}","greyware_tool_keyword","gost","GO Simple 
Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32863" "*a9fd574e1f0c58461722fc1abc15cd01efb472bcdc1f703de2b918f2fa7dec64*",".{0,1000}a9fd574e1f0c58461722fc1abc15cd01efb472bcdc1f703de2b918f2fa7dec64.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","32871" "*AA_v3.exe* -elevated*",".{0,1000}AA_v3\.exe.{0,1000}\s\-elevated.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","32872" "*AA_v3.exe* -service -lunch*",".{0,1000}AA_v3\.exe.{0,1000}\s\-service\s\-lunch.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","32873" "*aa00b01e21fa7c923b23ebd96a67d7938c46c1e35e7ccc5fbda33280caf14679*",".{0,1000}aa00b01e21fa7c923b23ebd96a67d7938c46c1e35e7ccc5fbda33280caf14679.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - 
Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32874" "*aa142160446a919eaba99ce15992f6e11b1fdaa7a9f569979a29068120f774cf*",".{0,1000}aa142160446a919eaba99ce15992f6e11b1fdaa7a9f569979a29068120f774cf.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","#filehash","N/A","7","7","N/A","N/A","N/A","N/A","32879" "*aa244cce94120eeaef5bb7aa7e11a129662a50ecd4a0d542ae4a425b5757daf7*",".{0,1000}aa244cce94120eeaef5bb7aa7e11a129662a50ecd4a0d542ae4a425b5757daf7.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","32882" "*aa3244dd4ccc78f549783e6f27951d294aa6a54f349bd9eef5c89830e1742505*",".{0,1000}aa3244dd4ccc78f549783e6f27951d294aa6a54f349bd9eef5c89830e1742505.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32883" 
"*aa530e906b1a52f4f72f7a0c50c1599df651cc4ce38331365d74dff9c51b98fb*",".{0,1000}aa530e906b1a52f4f72f7a0c50c1599df651cc4ce38331365d74dff9c51b98fb.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","32890" "*aa660d59e6c7783ebb9d4244d3991392ab602cd4fcd06457656bed2f61b7b51a*",".{0,1000}aa660d59e6c7783ebb9d4244d3991392ab602cd4fcd06457656bed2f61b7b51a.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","32896" "*aa67b66d9c4124b52e572988493b78cda3ff438dc27988ff30338c3f6d38e34b*",".{0,1000}aa67b66d9c4124b52e572988493b78cda3ff438dc27988ff30338c3f6d38e34b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32897" "*aa834effee692d7aed5973dee1d810420c0d3b98eb8a3b89620c207bff01f78e*",".{0,1000}aa834effee692d7aed5973dee1d810420c0d3b98eb8a3b89620c207bff01f78e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32901" 
"*aa86e5667c46ab0bdf8ceca80fa3c8775da2bbc18656250a745ac8b042837a70*",".{0,1000}aa86e5667c46ab0bdf8ceca80fa3c8775da2bbc18656250a745ac8b042837a70.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32903" "*aa89676f1368beb077bb52fe344e840456a471856273cf39172a997c34c52edf*",".{0,1000}aa89676f1368beb077bb52fe344e840456a471856273cf39172a997c34c52edf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32904" "*aa9ef9b244e7b5d88f24211586a2e10d553a7c80f9a6d17a3d5d783d115b2f47*",".{0,1000}aa9ef9b244e7b5d88f24211586a2e10d553a7c80f9a6d17a3d5d783d115b2f47.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32909" "*AAASCCVcEQQCADCgAAARAA4AGwABABkAAAABAAFbFgMIAEtcRlwEAAQAEgDm*",".{0,1000}AAASCCVcEQQCADCgAAARAA4AGwABABkAAAABAAFbFgMIAEtcRlwEAAQAEgDm.{0,1000}","greyware_tool_keyword","pingcastle","active 
directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#base64","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","32919" "*AAASCCVcEQQCADCgAAARAA4AGwABABkAAAABAAFbGgMQAAAABgAIQDZbEgDm*",".{0,1000}AAASCCVcEQQCADCgAAARAA4AGwABABkAAAABAAFbGgMQAAAABgAIQDZbEgDm.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#base64","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","32920" "*aab45aa9eac5e0b9865f44a234f6c5cddbc3b2fcb14aa4fee101cbcef2ba37d8*",".{0,1000}aab45aa9eac5e0b9865f44a234f6c5cddbc3b2fcb14aa4fee101cbcef2ba37d8.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32922" "*aaba6ec560adf31f057113fc8c2e0f2387c9643206f9085e4179c109afcdd396*",".{0,1000}aaba6ec560adf31f057113fc8c2e0f2387c9643206f9085e4179c109afcdd396.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","32927" 
"*aacdb96cbb0320757eab5b1dc37141365180a6f31743082174530577e8c1e9c9*",".{0,1000}aacdb96cbb0320757eab5b1dc37141365180a6f31743082174530577e8c1e9c9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32929" "*aacf0692bcac39321f5f427164f6807107ae9bc75404a07d009f553710d9bc55*",".{0,1000}aacf0692bcac39321f5f427164f6807107ae9bc75404a07d009f553710d9bc55.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","32930" "*aada314b9afa5936d4ed401ba925106c20b07908ca39a9d363e0de57a99759ac*",".{0,1000}aada314b9afa5936d4ed401ba925106c20b07908ca39a9d363e0de57a99759ac.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","32933" "*AADConnectProvisioningAgentWizard.exe*",".{0,1000}AADConnectProvisioningAgentWizard\.exe.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - 
T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","32934" "*AADInternals.exe*",".{0,1000}AADInternals\.exe.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","32935" "*AADInternals.pdb*",".{0,1000}AADInternals\.pdb.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","32936" "*AADInternals.psd1*",".{0,1000}AADInternals\.psd1.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","32937" "*AADInternals.psm1*",".{0,1000}AADInternals\.psm1.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell 
module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","32938" "*aaf1d0a58fe9fa1978beb4f2ea62fb6082e467b1e14e3f0164a6566d9d2ec6ad*",".{0,1000}aaf1d0a58fe9fa1978beb4f2ea62fb6082e467b1e14e3f0164a6566d9d2ec6ad.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","32944" "*aaf7e238a5c0bb2a7956e2fdca9b534f227f7b737641962fb0ed965390ace4c6*",".{0,1000}aaf7e238a5c0bb2a7956e2fdca9b534f227f7b737641962fb0ed965390ace4c6.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","32946" "*aafc9e58277f79e98ea146c55da484c7524d7e56b13cb189102e8438f510edbb*",".{0,1000}aafc9e58277f79e98ea146c55da484c7524d7e56b13cb189102e8438f510edbb.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","32948" "*aakchaleigkohafkfjfjbblobjifikek*",".{0,1000}aakchaleigkohafkfjfjbblobjifikek.{0,1000}","greyware_tool_keyword","ProxFlow","External VPN usage within corporate 
network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","32952" "*ab0266a7c72c5ce3aec59f4fe54abcd6c4c94ad79fe8057d45580c35711c6e97*",".{0,1000}ab0266a7c72c5ce3aec59f4fe54abcd6c4c94ad79fe8057d45580c35711c6e97.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32962" "*ab1e59c29544929e382c5d62062d64c50dbc3122ff42dd6b50c6f7a82186e039*",".{0,1000}ab1e59c29544929e382c5d62062d64c50dbc3122ff42dd6b50c6f7a82186e039.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32967" "*ab36f1dcf6cfd93b95bf5394b1ef22deff505df685c9b0a36d25fa9c94f4b548*",".{0,1000}ab36f1dcf6cfd93b95bf5394b1ef22deff505df685c9b0a36d25fa9c94f4b548.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","32974" "*ab464ef9bfa3735111e4fbf0e21f34feecf29a66d8effce37814df6be1d8314b*",".{0,1000}ab464ef9bfa3735111e4fbf0e21f34feecf29a66d8effce37814df6be1d8314b.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","#filehash","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","32976" "*ab4b3257fd667f9daf4cfbe54992b99c378a1a2e6922fe5d955cdaca6da99f3b*",".{0,1000}ab4b3257fd667f9daf4cfbe54992b99c378a1a2e6922fe5d955cdaca6da99f3b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","32980" "*ab4be0b43fa4ace2d5caf09891b2b5cd05f7e3dcc28f35bf31e3f4af7bef59dd*",".{0,1000}ab4be0b43fa4ace2d5caf09891b2b5cd05f7e3dcc28f35bf31e3f4af7bef59dd.{0,1000}","greyware_tool_keyword","rclone","Rclone is 
a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32981" "*Ab4y98/VerySimpleAnyDeskBackdoor*",".{0,1000}Ab4y98\/VerySimpleAnyDeskBackdoor.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","1","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","32983" "*ab5ec32d639fa8346bf81b3c610f87a14977c7f7151b869214f43904d96915ca*",".{0,1000}ab5ec32d639fa8346bf81b3c610f87a14977c7f7151b869214f43904d96915ca.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","32985" "*ab6763f2c25e691d68d58da97e7dbedc989cff797e69896e20308bbf65531f90*",".{0,1000}ab6763f2c25e691d68d58da97e7dbedc989cff797e69896e20308bbf65531f90.{0,1000}","greyware_tool_keyword","gost","GO Simple 
Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","32988" "*ab7142264b3a002fc8d680d5da4b75fe8e8cb0925dbb38bef87deaf409bef6f5*",".{0,1000}ab7142264b3a002fc8d680d5da4b75fe8e8cb0925dbb38bef87deaf409bef6f5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32990" "*ab775568ac52bb1e4ceffa6ae38c7bc11d769a6ee52cf964d9ece909c5a397fe*",".{0,1000}ab775568ac52bb1e4ceffa6ae38c7bc11d769a6ee52cf964d9ece909c5a397fe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","32991" "*ab7eed3ed5928eb01b0676183186172a6a23711c645ba6f97081efaf3b0d2fec*",".{0,1000}ab7eed3ed5928eb01b0676183186172a6a23711c645ba6f97081efaf3b0d2fec.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data 
Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","32995" "*ab803d5f91093185538c9509f575233e1a339dc92993daa05d4bb0a6f52e3b25*",".{0,1000}ab803d5f91093185538c9509f575233e1a339dc92993daa05d4bb0a6f52e3b25.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","32996" "*ab83898f2137946267913dba2f4f3e0cb43bb418831b58e6e8ecf1d3a8dcc58d*",".{0,1000}ab83898f2137946267913dba2f4f3e0cb43bb418831b58e6e8ecf1d3a8dcc58d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","33000" "*ab8428de3f3f1eb1fb54c974d71296373466ccb7c9bedef96329d6fbfcc23947*",".{0,1000}ab8428de3f3f1eb1fb54c974d71296373466ccb7c9bedef96329d6fbfcc23947.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","33001" 
"*ab894c2ffa7886fe889c4a35b15fc5d5558d11896550d563c299408e6d4da363*",".{0,1000}ab894c2ffa7886fe889c4a35b15fc5d5558d11896550d563c299408e6d4da363.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","33005" "*ab8b178678ce6ccbfeab5183c65c4de04eb768892f5710557c297e45cd567dfe*",".{0,1000}ab8b178678ce6ccbfeab5183c65c4de04eb768892f5710557c297e45cd567dfe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33006" "*ab8de228f748301d39294ae37b82aa068a47c9d36b42fd23c06afcb3375da1cd*",".{0,1000}ab8de228f748301d39294ae37b82aa068a47c9d36b42fd23c06afcb3375da1cd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33007" "*ab9b3d5811db36dc7f144622d4f438321713eeed0bb3aa5ce9c3bfe013b16512*",".{0,1000}ab9b3d5811db36dc7f144622d4f438321713eeed0bb3aa5ce9c3bfe013b16512.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - 
EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33011" "*aba729428bafe6508191a79e06c7399a19cf80bf0c382eecca951655aab6e00a*",".{0,1000}aba729428bafe6508191a79e06c7399a19cf80bf0c382eecca951655aab6e00a.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","0","#filehash","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","33015" "*abb90f97b0e132f7d40af31e0935f7d15bb737d2ee59650e6846ddbca1f8afe9*",".{0,1000}abb90f97b0e132f7d40af31e0935f7d15bb737d2ee59650e6846ddbca1f8afe9.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","33018" "*abcb9405f525c9cdbcfe8dfd97aca28e5ef32d3cc6d19dc1c225f0a87284068f*",".{0,1000}abcb9405f525c9cdbcfe8dfd97aca28e5ef32d3cc6d19dc1c225f0a87284068f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33022" "*abd17322abc207aa3b6a2ee6155a570edce863cc743a4e55ad8c589561a017f6*",".{0,1000}abd17322abc207aa3b6a2ee6155a570edce863cc743a4e55ad8c589561a017f6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33025" "*abdf790219be588e22ec8260139552bc1034d97d40003e2cb5873c5398c3aa35*",".{0,1000}abdf790219be588e22ec8260139552bc1034d97d40003e2cb5873c5398c3aa35.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33028" 
"*abe2999a43f155a1af72ea97ef48c5c44a5e01fa3f6e1f34ac4c26c97ef17454*",".{0,1000}abe2999a43f155a1af72ea97ef48c5c44a5e01fa3f6e1f34ac4c26c97ef17454.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","33031" "*ac i ntds* *create full*",".{0,1000}ac\si\sntds.{0,1000}\s.{0,1000}create\sfull.{0,1000}","greyware_tool_keyword","ntdsutil","creating a full backup of the Active Directory database ","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","33049" "*ac i ntds*\\127.0.0.1\ADMIN$\*",".{0,1000}ac\si\sntds.{0,1000}\\\\127\.0\.0\.1\\ADMIN\$\\.{0,1000}","greyware_tool_keyword","wmic","The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33050" "*ac080f7b691d31d63adb6ec24db8b66953977752fec470326e5ee3143da86751*",".{0,1000}ac080f7b691d31d63adb6ec24db8b66953977752fec470326e5ee3143da86751.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","33052" 
"*ac0d5f70d705c28c1b964693a633feb9eaffd5560f5ca564f96b0552208adf5a*",".{0,1000}ac0d5f70d705c28c1b964693a633feb9eaffd5560f5ca564f96b0552208adf5a.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","33055" "*ac15c323af68f3ff826a5f5e2324d4cd6ab94a72d160ed280e87655fa675387f*",".{0,1000}ac15c323af68f3ff826a5f5e2324d4cd6ab94a72d160ed280e87655fa675387f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33059" "*ac1d8b0b8458ec134d5c85fa863c3d8ed016e35454dedae79698ad0818919b7f*",".{0,1000}ac1d8b0b8458ec134d5c85fa863c3d8ed016e35454dedae79698ad0818919b7f.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","33060" 
"*ac1e2d8de30ae0048cfe3ae27fbddcf3e16e38dcb33d9b83c16f32831c865219*",".{0,1000}ac1e2d8de30ae0048cfe3ae27fbddcf3e16e38dcb33d9b83c16f32831c865219.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","33061" "*ac1f545786b7014c5a247d8854f114611814ed5f63232a9098f549732fa8814d*",".{0,1000}ac1f545786b7014c5a247d8854f114611814ed5f63232a9098f549732fa8814d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","33062" "*ac28dbde92097b0e44afe3b47438c963845d65fa88aed27136ebca38870adda5*",".{0,1000}ac28dbde92097b0e44afe3b47438c963845d65fa88aed27136ebca38870adda5.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","33069" "*ac3d4ecb448c66634efad135d94657a27eed4f8c30aa7f32e4ecb2da621c3d47*",".{0,1000}ac3d4ecb448c66634efad135d94657a27eed4f8c30aa7f32e4ecb2da621c3d47.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33074" 
"*ac5f344727467b6ad9743b8ffa2646ed73180dbdb97224feec6c54c5160a1984*",".{0,1000}ac5f344727467b6ad9743b8ffa2646ed73180dbdb97224feec6c54c5160a1984.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#filehash #linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","33081" "*ac6ea42ae4f70b4b8bc0f1c0f6e453447d97c0f13eb5e2e1621765b304e43cdb*",".{0,1000}ac6ea42ae4f70b4b8bc0f1c0f6e453447d97c0f13eb5e2e1621765b304e43cdb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","33085" "*ac70a4781339956a755f46b5c1244b3318a6a879be6cda50474f5ec7996718fd*",".{0,1000}ac70a4781339956a755f46b5c1244b3318a6a879be6cda50474f5ec7996718fd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33087" "*aca3bacd0f7f2a5e75ed74643e1fbb57ec10dc94f675dab12f8d7aeb48c3a503*",".{0,1000}aca3bacd0f7f2a5e75ed74643e1fbb57ec10dc94f675dab12f8d7aeb48c3a503.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are 
running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","33092" "*aca407659a61b8c861e960c74d66b269d69abc2d4889220379f54a2475f065b1*",".{0,1000}aca407659a61b8c861e960c74d66b269d69abc2d4889220379f54a2475f065b1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33093" "*aca70fd97d3c7234ce29a5515db0c47c64337b6671756a0ab9e4cbe46fe81958*",".{0,1000}aca70fd97d3c7234ce29a5515db0c47c64337b6671756a0ab9e4cbe46fe81958.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33095" 
"*acca7f6876516ba21180fd61ef2fb27f74b73381ccb8e049e7044a26bf14aa1b*",".{0,1000}acca7f6876516ba21180fd61ef2fb27f74b73381ccb8e049e7044a26bf14aa1b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33107" "*acd19845a6484eee65db6f925b1d0244300831d4d5a37d147cc61e7e8c56775b*",".{0,1000}acd19845a6484eee65db6f925b1d0244300831d4d5a37d147cc61e7e8c56775b.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","33112" "*acd40244ed0a4264f5bafafbf9ca8e4b3813b27013bce2c550cd9f5e8093c8b8*",".{0,1000}acd40244ed0a4264f5bafafbf9ca8e4b3813b27013bce2c550cd9f5e8093c8b8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","33113" "*acd9f040fc6fb2a595f20bfb4faa66d9244615a0feaf9d2e4b03a994ca126a32*",".{0,1000}acd9f040fc6fb2a595f20bfb4faa66d9244615a0feaf9d2e4b03a994ca126a32.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","33116" "*ace15d24a354ec662a6e252fed6cf772de113efb57bbb390e1ac1b85f3f4c285*",".{0,1000}ace15d24a354ec662a6e252fed6cf772de113efb57bbb390e1ac1b85f3f4c285.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","33122" "*ace8104c5e20d3ff08efbb7ccc7a17421fa620ad0130a2f96642d38bcbf2de45*",".{0,1000}ace8104c5e20d3ff08efbb7ccc7a17421fa620ad0130a2f96642d38bcbf2de45.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with 
a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","33125" "*ACLScanner.exe*",".{0,1000}ACLScanner\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33142" "*acontrol.atera.com*",".{0,1000}acontrol\.atera\.com.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33147" "*Action1 Corporation*",".{0,1000}Action1\sCorporation.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33155" "*Action1 Endpoint Security*",".{0,1000}Action1\sEndpoint\sSecurity.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","product name","10","10","N/A","N/A","N/A","N/A","33156"
"*Action1*'DestinationPort'>22543*",".{0,1000}Action1.{0,1000}\'DestinationPort\'\>22543.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33157" "*Action1\batch_data\Run_Script__*",".{0,1000}Action1\\batch_data\\Run_Script__.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33158" "*Action1\first_install.tmp*",".{0,1000}Action1\\first_install\.tmp.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33159" "*Action1\what_is_this.txt*",".{0,1000}Action1\\what_is_this\.txt.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33160" "*action1_agent.exe*",".{0,1000}action1_agent\.exe.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33161" "*action1_agent.exe.connection*",".{0,1000}action1_agent\.exe\.connection.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33162"
"*action1_remote.exe*",".{0,1000}action1_remote\.exe.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33163" "*action1_update.exe*",".{0,1000}action1_update\.exe.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33164" "*activate.netsupportsoftware.com*",".{0,1000}activate\.netsupportsoftware\.com.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33166" "*ad0b1b1b21f07d7dc54a2a9dade59ba6235ddeed6f9f635f4f2cca4486d0b65f*",".{0,1000}ad0b1b1b21f07d7dc54a2a9dade59ba6235ddeed6f9f635f4f2cca4486d0b65f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33189"
"*ad151125bd46fb8abf11f2a4347c7c85e102bb0e6128c69962c8d6bf9a71fca6*",".{0,1000}ad151125bd46fb8abf11f2a4347c7c85e102bb0e6128c69962c8d6bf9a71fca6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","33192" "*ad1cdabfb431402a99e40c0a9d932fe2153d8a26dc3be0e3a0a3a6736989b2d4*",".{0,1000}ad1cdabfb431402a99e40c0a9d932fe2153d8a26dc3be0e3a0a3a6736989b2d4.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","33193" "*ad2ce18715d8811efe3071d94d6cac4b1f0a60dd4e6b95c0bb43e9b9f3dc2921*",".{0,1000}ad2ce18715d8811efe3071d94d6cac4b1f0a60dd4e6b95c0bb43e9b9f3dc2921.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","33198" "*ad3bb4b1c3e647d8da814e1272de5a719d39324b53038bcc63997b1471245231*",".{0,1000}ad3bb4b1c3e647d8da814e1272de5a719d39324b53038bcc63997b1471245231.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - 
Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33202" "*ad4f5f6a6dbfe7ea29037f8d3a04161580cd109b99a3b474766927b2bf160984*",".{0,1000}ad4f5f6a6dbfe7ea29037f8d3a04161580cd109b99a3b474766927b2bf160984.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33205" "*ad5c1453508585d413c083df1571738ae1158b7a83aeab24c456548fb0e4cdbd*",".{0,1000}ad5c1453508585d413c083df1571738ae1158b7a83aeab24c456548fb0e4cdbd.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","33211" "*ad61f4285ae98dd4b8bad622888e97bb290e2ca667cd9ad52ad2877cc2ec6807*",".{0,1000}ad61f4285ae98dd4b8bad622888e97bb290e2ca667cd9ad52ad2877cc2ec6807.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","33212" "*ad62f18dcc34d56d48931cf7559bcb64e46e71feaf7e62ba8608ed38fc115937*",".{0,1000}ad62f18dcc34d56d48931cf7559bcb64e46e71feaf7e62ba8608ed38fc115937.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the 
Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","33213" "*ad932c8eeb195c5880274623fff8fb7f97c433133db49c29d46ad64fcdcb5698*",".{0,1000}ad932c8eeb195c5880274623fff8fb7f97c433133db49c29d46ad64fcdcb5698.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33224" "*ad977caa79c00c082206f46f521b8f99a44a051425dbb69ec9da1a152aac6279*",".{0,1000}ad977caa79c00c082206f46f521b8f99a44a051425dbb69ec9da1a152aac6279.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","33228" "*adbfe65938517a8024565569825526643eac2d3294f4524d12a2846611107e08*",".{0,1000}adbfe65938517a8024565569825526643eac2d3294f4524d12a2846611107e08.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","33246" "*add3proxyuser.sh*",".{0,1000}add3proxyuser\.sh.{0,1000}","greyware_tool_keyword","3proxy","3proxy - tiny free proxy server","T1090 - T1583 - T1001 - T1132","TA0040 - TA0001 - TA0005 - TA0006","N/A","Lazarus Group","Defense 
Evasion","https://github.com/3proxy/3proxy","1","0","N/A","N/A","8","10","4212","817","2025-04-16T18:29:51Z","2014-04-08T08:59:11Z","33308" "*add4bb5104c6fdbb035dd4440efffc28c5b01fa7d333eb42c541f485dee87695*",".{0,1000}add4bb5104c6fdbb035dd4440efffc28c5b01fa7d333eb42c541f485dee87695.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","33309" "*add7fb1cea253b5e58f7ab41b8db1ef3438c6dd59c6f5d95dfc18c60097ca5f3*",".{0,1000}add7fb1cea253b5e58f7ab41b8db1ef3438c6dd59c6f5d95dfc18c60097ca5f3.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","33310" "*add859c23de8190eca95058cc1cca930786b1c673b8dd3e25dedd8e12396469a*",".{0,1000}add859c23de8190eca95058cc1cca930786b1c673b8dd3e25dedd8e12396469a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33311" "*add9c85b9fd3f3594d0630518ba59220b9eec8441205b2acf8c61d4068003eeb*",".{0,1000}add9c85b9fd3f3594d0630518ba59220b9eec8441205b2acf8c61d4068003eeb.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33312" "*Add-AADIntAccessTokenToCache*",".{0,1000}Add\-AADIntAccessTokenToCache.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","33314" "*Add-AADIntEASDevice*",".{0,1000}Add\-AADIntEASDevice.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","33315" "*Add-AADIntRolloutPolicyGroups*",".{0,1000}Add\-AADIntRolloutPolicyGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","33316" "*Add-AADIntSPOSiteFiles*",".{0,1000}Add\-AADIntSPOSiteFiles.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 
- T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","33317" "*Add-AADIntSyncFabricServicePrincipal*",".{0,1000}Add\-AADIntSyncFabricServicePrincipal.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","33318" "*Add-ADGroupMember -Identity ""ESX Admins""*",".{0,1000}Add\-ADGroupMember\s\-Identity\s\s\""ESX\sAdmins\"".{0,1000}","greyware_tool_keyword","powershell","ESX treats all members of an Active Directory group named ""ESX Admins"" as administrators by default. 
Attackers have exploited this misconfiguration to escalate privileges and gain administrative access.","T1078 - T1069 - T1078.003","TA0001 - TA0004 - TA0002","N/A","Dispossessor ","Privilege Escalation","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33319" "*Add-DnsClientDohServerAddress *-ServerAddress *",".{0,1000}Add\-DnsClientDohServerAddress\s.{0,1000}\-ServerAddress\s.{0,1000}","greyware_tool_keyword","powershell","adding a DNS over HTTPS server with powershell","T1568.003 - T1049 - T1562.001","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientdohserveraddress?view=windowsserver2022-ps","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","33326" "*Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force*",".{0,1000}Add\-MpPreference\s\-ExclusionPath\s\@\(\$env\:UserProfile,\s\$env\:ProgramData\)\s\-ExclusionExtension\s\'\.exe\'\s\-Force.{0,1000}","greyware_tool_keyword","powershell","add exclusions for defender","T1489","TA0005","N/A","N/A","Defense Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33343" "*Add-MpPreference -ExclusionPath C:\Video, C:\install*",".{0,1000}Add\-MpPreference\s\-ExclusionPath\sC\:\\Video,\sC\:\\install.{0,1000}","greyware_tool_keyword","powershell","AV exclusions made by the Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33344" "*Add-MpPreference -ExclusionProcess 
*\Windows\System32\WindowsPowerShell\v1.0\powershell.exe*",".{0,1000}Add\-MpPreference\s\-ExclusionProcess\s.{0,1000}\\Windows\\System32\\WindowsPowerShell\\v1\.0\\powershell\.exe.{0,1000}","greyware_tool_keyword","powershell","Exclude powershell from defender detections","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","33345" "*Add-PswaAuthorizationRule -UsernName \* -ComputerName \* -ConfigurationName \*",".{0,1000}Add\-PswaAuthorizationRule\s\-UsernName\s\\.{0,1000}\s\-ComputerName\s\\.{0,1000}\s\-ConfigurationName\s\\.{0,1000}","greyware_tool_keyword","powershell","allows all users to access all computers with a specified configuration","T1053","TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","33361" "*Add-PswaAuthorizationRule*-ComputerName *",".{0,1000}Add\-PswaAuthorizationRule.{0,1000}\-ComputerName\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access feature which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","33362" "*Add-PswaAuthorizationRule*-UserName *",".{0,1000}Add\-PswaAuthorizationRule.{0,1000}\-UserName\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access feature which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr
https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","33363" "*Add-PswaAuthorizationRule*-UserName *",".{0,1000}Add\-PswaAuthorizationRule.{0,1000}\-UserName\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access feature which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","33364" "*Add-WindowsCapability -Online -Name OpenSSH.Server*",".{0,1000}Add\-WindowsCapability\s\-Online\s\-Name\sOpenSSH\.Server.{0,1000}","greyware_tool_keyword","Openssh","Install OpenSSH Server service on windows - abused by attackers for persistent control","T1021.004 - T1574.001 - T1574.010","TA0003 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - FANCY BEAR","C2","https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell#install-openssh-for-windows","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","33386" "*Add-WindowsCapability -Online -Name OpenSSH.Server*",".{0,1000}Add\-WindowsCapability\s\-Online\s\-Name\sOpenSSH\.Server.{0,1000}","greyware_tool_keyword","powershell","install openssh server (critical on DC - must not be installed)","T1021.004 - T1133 - T1078.003","TA0008 - TA0005","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33387" "*Add-WindowsFeature Hyper-V -IncludeManagementTools*",".{0,1000}Add\-WindowsFeature\sHyper\-V\s\-IncludeManagementTools.{0,1000}","greyware_tool_keyword","powershell","enabling hyperV - virtualization could be abused by attackers to maintain persistence in a virtual machine","T1560.003 - T1547 - T1059","TA0003 - TA0002","N/A","RagnarLocker 
","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","33388" "*adexplorer.exe*",".{0,1000}adexplorer\.exe.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","1","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","33396" "*adexplorer.zip*",".{0,1000}adexplorer\.zip.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","1","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","33398" "*adexplorer64.exe*",".{0,1000}adexplorer64\.exe.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. 
It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","1","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","33399" "*adexplorer64a.exe*",".{0,1000}adexplorer64a\.exe.{0,1000}","greyware_tool_keyword","adexplorer","Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database. It can be abused by malicious actors","T1003.001 - T1087.001","TA0006 - TA0007","N/A","Lapsus$ - Scattered Spider* - BlackBasta","Discovery","https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer","1","1","N/A","greyware tool - risks of False positive !","7","10","N/A","N/A","N/A","N/A","33400" "*adf6da54a084a5b8822368a4a30fe84646de8b3a00c2bef4d6261478391cd999*",".{0,1000}adf6da54a084a5b8822368a4a30fe84646de8b3a00c2bef4d6261478391cd999.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33404" "*adfind -f *",".{0,1000}adfind\s\-f\s.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. 
including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33406" "*adfind -f objectclass=trusteddomain*",".{0,1000}adfind\s\-f\sobjectclass\=trusteddomain.{0,1000}","greyware_tool_keyword","adfind","query domain trusts with adfind","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33407" "*adfind -sc trustdmp*",".{0,1000}adfind\s\-sc\strustdmp.{0,1000}","greyware_tool_keyword","adfind","query domain trusts with adfind","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - 
Dispossessor","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33415" "*adfind.bat*",".{0,1000}adfind\.bat.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","33417" "*adfind.exe -f objectclass=trusteddomain*",".{0,1000}adfind\.exe\s\-f\sobjectclass\=trusteddomain.{0,1000}","greyware_tool_keyword","adfind","query domain trusts with adfind","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33422" "*adfind.exe -sc trustdmp*",".{0,1000}adfind\.exe\s\-sc\strustdmp.{0,1000}","greyware_tool_keyword","adfind","query domain trusts with adfind","T1087 - T1016 - T1482","TA0007 - 
TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33425" "*adfind.exe*",".{0,1000}adfind\.exe.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","33427" "*AdFind\AdFind.cpp*",".{0,1000}AdFind\\AdFind\.cpp.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However. 
attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33428" "*AdFind_original.exe*",".{0,1000}AdFind_original\.exe.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33429" "*adiskreader.disks.raw*",".{0,1000}adiskreader\.disks\.raw.{0,1000}","greyware_tool_keyword","adiskreader","Async Python library to parse local and remote disk images","T1020 - T1048 - T1074 - T1560.001","TA0005 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://github.com/skelsec/adiskreader","1","1","N/A","N/A","4","1","76","7","2025-03-15T19:48:39Z","2023-12-18T11:54:31Z","33447" 
"*adiskreader.disks.vhdx*",".{0,1000}adiskreader\.disks\.vhdx.{0,1000}","greyware_tool_keyword","adiskreader","Async Python library to parse local and remote disk images","T1020 - T1048 - T1074 - T1560.001","TA0005 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://github.com/skelsec/adiskreader","1","1","N/A","N/A","4","1","76","7","2025-03-15T19:48:39Z","2023-12-18T11:54:31Z","33448" "*admin.*.swi-dre.com*",".{0,1000}admin\..{0,1000}\.swi\-dre\.com.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33456" "*ADMIN_BASICAUTH_PASSWORDHASH = f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7*",".{0,1000}ADMIN_BASICAUTH_PASSWORDHASH\s\=\sf52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","33459" "*ADMIN_ROUTE = /SuPeRsEcReTuRl/*",".{0,1000}ADMIN_ROUTE\s\=\s\/SuPeRsEcReTuRl\/.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","33462" "*ADRecon * by Prashant Mahajan (@prashant3535)*",".{0,1000}ADRecon\s.{0,1000}\sby\sPrashant\sMahajan\s\(\@prashant3535\).{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic 
picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33473" "*ADRecon -OutputDir *",".{0,1000}ADRecon\s\-OutputDir\s.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","N/A","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33474" "*ADRecon.ps1*",".{0,1000}ADRecon\.ps1.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","N/A","Discovery","https://github.com/adrecon/ADRecon","1","1","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33475" "*adrecon/ADRecon*",".{0,1000}adrecon\/ADRecon.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","1","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33476" 
"*ADRecon-Console-Log.txt*",".{0,1000}ADRecon\-Console\-Log\.txt.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33477" "*ADRecon-master.zip*",".{0,1000}ADRecon\-master\.zip.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","1","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33478" "*ADRecon-Report-*",".{0,1000}ADRecon\-Report\-.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33479" "*-ADRecon-Report.xlsx*",".{0,1000}\-ADRecon\-Report\.xlsx.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - 
TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","33480" "*ADUsers-Disabled.txt*",".{0,1000}ADUsers\-Disabled\.txt.{0,1000}","greyware_tool_keyword","AD-common-queries","Collection of common ADSI queries for Domain Account enumeration","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","33493" "*ADUsers-PasswordNeverExpires.txt*",".{0,1000}ADUsers\-PasswordNeverExpires\.txt.{0,1000}","greyware_tool_keyword","AD-common-queries","Collection of common ADSI queries for Domain Account enumeration","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","33494" "*ADUsers-PasswordNotRequired.txt*",".{0,1000}ADUsers\-PasswordNotRequired\.txt.{0,1000}","greyware_tool_keyword","AD-common-queries","Collection of common ADSI queries for Domain Account enumeration","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","33495" "*Advanced IP Scanner*",".{0,1000}Advanced\sIP\sScanner.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","33496" "*Advanced Monitoring Agent HTTP Retriever 1.1*",".{0,1000}Advanced\sMonitoring\sAgent\sHTTP\sRetriever\s1\.1.{0,1000}","greyware_tool_keyword","Nsight RMM","Nsight RMM usage","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Scattered Spider*","RMM","https://www.n-able.com/products/n-sight-rmm","1","1","#useragent","user-agent","10","10","N/A","N/A","N/A","N/A","33497" "*Advanced_IP_Scanner*.exe*",".{0,1000}Advanced_IP_Scanner.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","33500" "*advanced_ip_scanner_console.exe*",".{0,1000}advanced_ip_scanner_console\.exe.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","33501" "*advanced_port_scanner.exe*",".{0,1000}advanced_port_scanner\.exe.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","33502" 
"*advanced_port_scanner_console.exe*",".{0,1000}advanced_port_scanner_console\.exe.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","33503" "*AdvancedRun.exe *",".{0,1000}AdvancedRun\.exe\s\/EXEFilename\s.{0,1000}\\sc\.exe.{0,1000}stop\sWinDefend.{0,1000}","greyware_tool_keyword","AdvancedRun","nirsoft tool - Run a program with different settings that you choose","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","33504" "*ae0be925e6ad15b6c85814746d17876295c1736a91665a44c22cd49a431fd7cc*",".{0,1000}ae0be925e6ad15b6c85814746d17876295c1736a91665a44c22cd49a431fd7cc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33514" "*ae33a0a1e4918c394acfd08d99853492fc97b9abafb4257fa739b6876a807950*",".{0,1000}ae33a0a1e4918c394acfd08d99853492fc97b9abafb4257fa739b6876a807950.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind 
the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","33531" "*ae37bedf1ad63fabd9843da4dc3598e80bc135b820555842cc20cad4f95164ff*",".{0,1000}ae37bedf1ad63fabd9843da4dc3598e80bc135b820555842cc20cad4f95164ff.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","33535" "*ae3f83840abeaed5df17c82b7d8f318e88e40642d31297c2d0c4ab80ada62335*",".{0,1000}ae3f83840abeaed5df17c82b7d8f318e88e40642d31297c2d0c4ab80ada62335.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33537" "*ae47b091425623f74f010f4ab937cc14b08dc1c815f07626baa20fc03d424a11*",".{0,1000}ae47b091425623f74f010f4ab937cc14b08dc1c815f07626baa20fc03d424a11.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","33540" "*ae4825d459669ab8cba5f72cd12b587f7a61d5da96e6e54db1bd8c238bcd83ae*",".{0,1000}ae4825d459669ab8cba5f72cd12b587f7a61d5da96e6e54db1bd8c238bcd83ae.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","33541" "*ae4825d459669ab8cba5f72cd12b587f7a61d5da96e6e54db1bd8c238bcd83ae*",".{0,1000}ae4825d459669ab8cba5f72cd12b587f7a61d5da96e6e54db1bd8c238bcd83ae.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","33542" "*ae494aa39434950473ecd7ba70bd89cb9d10cabbe7637b9775a4ba1f26dee665*",".{0,1000}ae494aa39434950473ecd7ba70bd89cb9d10cabbe7637b9775a4ba1f26dee665.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33543" "*ae4aa8f67e7cb800e060a454c72db0d8c0f8a94ba3ef520526c6d5df7f384995*",".{0,1000}ae4aa8f67e7cb800e060a454c72db0d8c0f8a94ba3ef520526c6d5df7f384995.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33544" "*ae4e32d838b180b920722598fa8cc91533742f1bc53805520b372f1f210d6833*",".{0,1000}ae4e32d838b180b920722598fa8cc91533742f1bc53805520b372f1f210d6833.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","33545" "*ae50c71517182c9773bb138745f10a643b1215078ede439b2b3adb486a9cfb14*",".{0,1000}ae50c71517182c9773bb138745f10a643b1215078ede439b2b3adb486a9cfb14.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","33547" "*ae6c4d028975b5126767dcfe4f1c1f0de1c9f729c123263aa35d321df918c7c8*",".{0,1000}ae6c4d028975b5126767dcfe4f1c1f0de1c9f729c123263aa35d321df918c7c8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33548" "*AE81B416-FBC4-4F88-9EFC-D07D8789355F*",".{0,1000}AE81B416\-FBC4\-4F88\-9EFC\-D07D8789355F.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","33550" "*aea26b638e19ae54c752ccc0d9985bc6ccf0214a56ca5b2b26714feef2d95ac9*",".{0,1000}aea26b638e19ae54c752ccc0d9985bc6ccf0214a56ca5b2b26714feef2d95ac9.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","33563" "*aea7f25ff97c149ba56c8b4c956d4814269c6c66a5d2a215ef8333ab9499b2da*",".{0,1000}aea7f25ff97c149ba56c8b4c956d4814269c6c66a5d2a215ef8333ab9499b2da.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","33564" "*aeabbac9038f4826a043f2adb165c46b6e2af47bb363aab713f4841b793d5406*",".{0,1000}aeabbac9038f4826a043f2adb165c46b6e2af47bb363aab713f4841b793d5406.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33565" 
"*aeabd0eed04e87b955809822a4696df781a25ccb649f097a523d1cb4cf93a567*",".{0,1000}aeabd0eed04e87b955809822a4696df781a25ccb649f097a523d1cb4cf93a567.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#filehash","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","33566" "*aebfc8f6a11074dfc2e95800f32edc984abeb67eb6a07c2056acb149fbc37e66*",".{0,1000}aebfc8f6a11074dfc2e95800f32edc984abeb67eb6a07c2056acb149fbc37e66.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33570" "*aec887efef96f1f2ef41197b37806768476df4319c5f9a9cccac582e44f9893d*",".{0,1000}aec887efef96f1f2ef41197b37806768476df4319c5f9a9cccac582e44f9893d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","33575" "*aecbb25cfb2d6ef207b23febe8726e86cc0a9973948c150613222084af331cdc*",".{0,1000}aecbb25cfb2d6ef207b23febe8726e86cc0a9973948c150613222084af331cdc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33576" "*aed35b08d85842b94df3b093cbb2ed6dc8d240567275b7880ddb93da9f097154*",".{0,1000}aed35b08d85842b94df3b093cbb2ed6dc8d240567275b7880ddb93da9f097154.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","33577" "*aedb3bc27109fe131c2e5fcd778b9f30b864ac438f9252266492ba83ae0b73f8*",".{0,1000}aedb3bc27109fe131c2e5fcd778b9f30b864ac438f9252266492ba83ae0b73f8.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","33578" "*aee777ead4791c2d6a5420b0625e7fdea13f6d84dedcaff924a5845df5f4db94*",".{0,1000}aee777ead4791c2d6a5420b0625e7fdea13f6d84dedcaff924a5845df5f4db94.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","33581" "*aefc8f3e8e94a08015cc319e15a650a7b8c1c42ddb6a3f8e296196a0bec54e10*",".{0,1000}aefc8f3e8e94a08015cc319e15a650a7b8c1c42ddb6a3f8e296196a0bec54e10.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling 
tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","33590" "*Aeroadmin LLC*",".{0,1000}Aeroadmin\sLLC.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","33593" "*AeroAdmin PRO - remote desktop.exe*",".{0,1000}AeroAdmin\sPRO\s\-\sremote\sdesktop\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33594" "*AeroAdmin PRO.exe*",".{0,1000}AeroAdmin\sPRO\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33595" "*AeroAdmin v4.* (*",".{0,1000}AeroAdmin\sv4\..{0,1000}\s\(.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33596" "*AeroAdmin.cpp*",".{0,1000}AeroAdmin\.cpp.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33597" 
"*AEROADMIN.EXE-*.pf*",".{0,1000}AEROADMIN\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33598" "*Aeroadmin\Screenshots*",".{0,1000}Aeroadmin\\Screenshots.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33599" "*AeroAdmin_2.exe*",".{0,1000}AeroAdmin_2\.exe.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33600" "*AeroadminService*",".{0,1000}AeroadminService.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","Service Name","10","10","N/A","N/A","N/A","N/A","33601" "*af0592eecf1901f283b08bcbd1054f6ae50b5703c2da9ed8a4dcc858220de4a1*",".{0,1000}af0592eecf1901f283b08bcbd1054f6ae50b5703c2da9ed8a4dcc858220de4a1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33607" 
"*af0d92194012434a1e01f038d1bd536922f5187c5f645e0a4708668690020fe9*",".{0,1000}af0d92194012434a1e01f038d1bd536922f5187c5f645e0a4708668690020fe9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33610" "*af181d53332e34c71599eaa567124a3b8b28aef141152e94d9b1a52da657ee6b*",".{0,1000}af181d53332e34c71599eaa567124a3b8b28aef141152e94d9b1a52da657ee6b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33614" "*af19236f06140b33ac3c78ae743627ba34dcd89be6d5c8dd22cac7f6eae19774*",".{0,1000}af19236f06140b33ac3c78ae743627ba34dcd89be6d5c8dd22cac7f6eae19774.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://www.btunnel.in","1","0","#filehash","N/A","9","8","N/A","N/A","N/A","N/A","33616" "*af1baf66006d9f7ba069b6a513d894ef20423cfda9bab7cd6342eeab0fa51651*",".{0,1000}af1baf66006d9f7ba069b6a513d894ef20423cfda9bab7cd6342eeab0fa51651.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33617" "*af1fa340c0d3690024a828f2099482530d20351bafcd114860b7faf37ddf11cb*",".{0,1000}af1fa340c0d3690024a828f2099482530d20351bafcd114860b7faf37ddf11cb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","33618" "*af342555f255fdd90d55abff65b84a479e95816f3117361cb924f99ba6a4542a*",".{0,1000}af342555f255fdd90d55abff65b84a479e95816f3117361cb924f99ba6a4542a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - 
Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33622" "*af4699cdafb91bb625dbe8385af2c29bb15de6dd613f0d2e4a5c64e0d3ef6302*",".{0,1000}af4699cdafb91bb625dbe8385af2c29bb15de6dd613f0d2e4a5c64e0d3ef6302.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33625" "*af5c3753d790ac2ba4a7c4e74951e15fee5cf08153a19f6e40b0ab3f90a65f44*",".{0,1000}af5c3753d790ac2ba4a7c4e74951e15fee5cf08153a19f6e40b0ab3f90a65f44.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33628" 
"*af5c388b467a78ceba2e47c2b1840d28209f1d2c1063b21cb20d79ab18ef7956*",".{0,1000}af5c388b467a78ceba2e47c2b1840d28209f1d2c1063b21cb20d79ab18ef7956.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33629" "*af7050d7ca89003dd9337ad18cfe03d679b6a3bbe0171dd9b891a3e096abd97e*",".{0,1000}af7050d7ca89003dd9337ad18cfe03d679b6a3bbe0171dd9b891a3e096abd97e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33634" "*af75ab9765d7f9003aeffef2587615a1f57ed9b6f1bbe44830592b444da8f295*",".{0,1000}af75ab9765d7f9003aeffef2587615a1f57ed9b6f1bbe44830592b444da8f295.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","33637" 
"*af7b8e60b4b54f5f85e6b207ac51926cb076aa4319b8e4c72e59b98c85818cae*",".{0,1000}af7b8e60b4b54f5f85e6b207ac51926cb076aa4319b8e4c72e59b98c85818cae.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","33639" "*af836adb074c6174d4387d9fce5ed7e7bfaba965a21235974e409ab45c771c17*",".{0,1000}af836adb074c6174d4387d9fce5ed7e7bfaba965a21235974e409ab45c771c17.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","33641" "*af8851ad2bacdea811ccb1525e7cc6bc73e082034b7c04f6ac5708708ab9f493*",".{0,1000}af8851ad2bacdea811ccb1525e7cc6bc73e082034b7c04f6ac5708708ab9f493.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","33642" "*af9ed703387a179d2156267b03855f46f5777a9f0351be87d21d9430e8c7b854*",".{0,1000}af9ed703387a179d2156267b03855f46f5777a9f0351be87d21d9430e8c7b854.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33646" "*afa44d33efcaf2247f5cfc5ed962a265cecd86ffd558b933db4179e95f8cc2e3*",".{0,1000}afa44d33efcaf2247f5cfc5ed962a265cecd86ffd558b933db4179e95f8cc2e3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33647" "*afb6a4c0f19afbca0dcdfc6daecd05db72440b9f66be3b226bbdd3d601d256dd*",".{0,1000}afb6a4c0f19afbca0dcdfc6daecd05db72440b9f66be3b226bbdd3d601d256dd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","33652" "*afbef976a82c23c5bd1af109a1cadba5b8ca539663985cf068b228cdde72d44f*",".{0,1000}afbef976a82c23c5bd1af109a1cadba5b8ca539663985cf068b228cdde72d44f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33656" "*afc788e3968fd29fc6ba5b9e1eded37e699764cf9e08a203936a3e235039d602*",".{0,1000}afc788e3968fd29fc6ba5b9e1eded37e699764cf9e08a203936a3e235039d602.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33658" "*afe5cdae79e5f79047b9fbca32463a6b5b82b9f0b11c9ec712eff47f526a5fec*",".{0,1000}afe5cdae79e5f79047b9fbca32463a6b5b82b9f0b11c9ec712eff47f526a5fec.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33668" "*afef35513c7ce89e9ed9962e2c44c604587de1faa317d9fd3bf6590dc3be8658*",".{0,1000}afef35513c7ce89e9ed9962e2c44c604587de1faa317d9fd3bf6590dc3be8658.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - 
T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","33672" "*aff5412e89e7164b5083909f2b5a81d8edaa644a3bb6ef696843a6ee0d129fc3*",".{0,1000}aff5412e89e7164b5083909f2b5a81d8edaa644a3bb6ef696843a6ee0d129fc3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","33674" "*agent.fleetdeck.io/*?win*",".{0,1000}agent\.fleetdeck\.io\/.{0,1000}\?win.{0,1000}","greyware_tool_keyword","fleetdeck","FleetDeck is a Remote Desktop & Virtual Terminal solution tailored for techs to manage large fleets of computers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://fleetdeck.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33681" "*agent01.xeox.com*",".{0,1000}agent01\.xeox\.com.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33709" "*agent-api.atera.com*",".{0,1000}agent\-api\.atera\.com.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 
- TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33710" "*AgentCore/MeshServer_*",".{0,1000}AgentCore\/MeshServer_.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","33711" "*AgentPackageInternalPooler\log.txt*",".{0,1000}AgentPackageInternalPooler\\log\.txt.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33712" "*AgentPackageRunCommandInteractive\log.txt*",".{0,1000}AgentPackageRunCommandInteractive\\log\.txt.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33713" "*agents.level.io*",".{0,1000}agents\.level\.io.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33714" "*agetty -o -p -l /bin/sh -a root 
tty*",".{0,1000}agetty\s\-o\s\-p\s\-l\s\/bin\/sh\s\-a\sroot\stty.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","33716" "*agrinman/tap/tunnelto*",".{0,1000}agrinman\/tap\/tunnelto.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","33728" "*agrinman/tunnelto*",".{0,1000}agrinman\/tunnelto.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","33729" "*aigmfoeogfnljhnofglledbhhfegannp*",".{0,1000}aigmfoeogfnljhnofglledbhhfegannp.{0,1000}","greyware_tool_keyword","Lethean Proxy VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","33740" "*akeehkgglkmpapdnanoochpfmeghfdln*",".{0,1000}akeehkgglkmpapdnanoochpfmeghfdln.{0,1000}","greyware_tool_keyword","VPN Master","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","33770" "*akkbkhnikoeojlhiiomohpdnkhbkhieh*",".{0,1000}akkbkhnikoeojlhiiomohpdnkhbkhieh.{0,1000}","greyware_tool_keyword","Prime VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","33773" "*almalgbpmcfpdaopimbdchdliminoign*",".{0,1000}almalgbpmcfpdaopimbdchdliminoign.{0,1000}","greyware_tool_keyword","Urban Shield","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","33808" "*AlphaControlAgent.CloudLogsManager+<>*",".{0,1000}AlphaControlAgent\.CloudLogsManager\+\<\>.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33817" "*alt.meshcentral.com*",".{0,1000}alt\.meshcentral\.com.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - 
T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","33821" "*amalshaji/portr*",".{0,1000}amalshaji\/portr.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","33828" "*amalshaji/taps/portr*",".{0,1000}amalshaji\/taps\/portr.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","33829" "*amidaware/tacticalrmm*",".{0,1000}amidaware\/tacticalrmm.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","33835" "*Ammyy Admin*",".{0,1000}Ammyy\sAdmin.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","33838" "*Ammyy LLC*",".{0,1000}Ammyy\sLLC.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - 
TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33839" "*AMMYY_Admin.exe*",".{0,1000}AMMYY_Admin\.exe.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33840" "*amnoibeflfphhplmckdbiajkjaoomgnj*",".{0,1000}amnoibeflfphhplmckdbiajkjaoomgnj.{0,1000}","greyware_tool_keyword","HideAll VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","33844" "*Amperage - Recall setup tool for unsupported hardware*",".{0,1000}Amperage\s\-\sRecall\ssetup\stool\sfor\sunsupported\shardware.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","33845" "*anderspitman/SirTunnel*",".{0,1000}anderspitman\/SirTunnel.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","33869" "*angryip/ipscan*",".{0,1000}angryip\/ipscan.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network 
scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","1","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","33884" "*AnyDesk ID is: $ID AND Password is: Aa123456!*",".{0,1000}AnyDesk\sID\sis\:\s\$ID\sAND\sPassword\sis\:\sAa123456!.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","0","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","33908" "*AnyDesk Software GmbH*",".{0,1000}AnyDesk\sSoftware\sGmbH.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","33909" "*Anydesk* --start-with-win --silent*",".{0,1000}Anydesk.{0,1000}\s\-\-start\-with\-win\s\-\-silent.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33910" "*AnyDesk.exe --install ""C:\Program Files 
(x86)\AnyDesk"" --start-with-win --silent*",".{0,1000}AnyDesk\.exe\s\-\-install\s\""C\:\\Program\sFiles\s\(x86\)\\AnyDesk\""\s\-\-start\-with\-win\s\-\-silent.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","0","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","33911" "*anydesk.exe --set-password*",".{0,1000}anydesk\.exe\s\-\-set\-password.{0,1000}","greyware_tool_keyword","anydesk","setting the AnyDesk service password manually","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","33912" "*Anydesk\ad.trace*",".{0,1000}Anydesk\\ad\.trace.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","33913" "*AnydeskBackdoor.ps1*",".{0,1000}AnydeskBackdoor\.ps1.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - 
T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","1","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","33914" "*AnyplaceControlInstall.exe*",".{0,1000}AnyplaceControlInstall\.exe.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33915" "*anyproxy --intercept --ws-intercept *",".{0,1000}anyproxy\s\-\-intercept\s\-\-ws\-intercept\s.{0,1000}","greyware_tool_keyword","CursedChrome","Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies allowing you to browse sites as your victims","T1176 - T1219 - T1090","TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/mandatoryprogrammer/CursedChrome","1","0","N/A","anyproxy","10","10","1533","226","2024-10-26T19:06:54Z","2020-04-26T20:55:05Z","33917" "*AnyViewer\audio_sniffer.dll*",".{0,1000}AnyViewer\\audio_sniffer\.dll.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33918" "*AnyViewer\AVCore.exe*",".{0,1000}AnyViewer\\AVCore\.exe.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33919"
"*AnyViewer\RCService.exe*",".{0,1000}AnyViewer\\RCService\.exe.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33920" "*AnyViewer\ScreanCap.exe*",".{0,1000}AnyViewer\\ScreanCap\.exe.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33921" "*AnyViewer\SplashWin.exe*",".{0,1000}AnyViewer\\SplashWin\.exe.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33922" "*aojlhgbkmkahabcmcpifbolnoichfeep*",".{0,1000}aojlhgbkmkahabcmcpifbolnoichfeep.{0,1000}","greyware_tool_keyword","VirtualShield VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","33925" "*apcfdffemoinopelidncddjbhkiblecc*",".{0,1000}apcfdffemoinopelidncddjbhkiblecc.{0,1000}","greyware_tool_keyword","Soul VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","33934"
"*api.btunnel.in*",".{0,1000}api\.btunnel\.in.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","33938" "*api.cyberghostvpn.com*",".{0,1000}api\.cyberghostvpn\.com.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","1","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","33939" "*api.dataplicity.com*",".{0,1000}api\.dataplicity\.com.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","33940" "*api.freefilesync.org*",".{0,1000}api\.freefilesync\.org.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","#filehostingservice","N/A","9","10","N/A","N/A","N/A","N/A","33941" "*api.gofile.io/getServer*",".{0,1000}api\.gofile\.io\/getServer.{0,1000}","greyware_tool_keyword","gofile.io","legitimate service abused by many stealers to exfiltrate data","T1567.002","TA0010","N/A","Hive - Royal - LockBit - Vice Society - BlackSuit - Conti","Data Exfiltration","https://gofile.io","1","1","#filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","33942" "*api.localxpose.io*",".{0,1000}api\.localxpose\.io.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a
reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","33943" "*api.remot3.it*",".{0,1000}api\.remot3\.it.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33944" "*api.surfshark.com/*",".{0,1000}api\.surfshark\.com\/.{0,1000}","greyware_tool_keyword","surfshark VPN","usage of surfsharkVPN client","T1090 - T1573","TA0005 - TA010","N/A","N/A","Defense Evasion","","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","33945" "*api.telegram.org*",".{0,1000}api\.telegram\.org.{0,1000}","greyware_tool_keyword","telegram","telegram API usage -given the increasing adoption of Telegram by malware for command and control (C2) operations. 
it's essential to monitor and restrict its usage within corporate networks and on company devices","T1071.004 - T1102 - T1047","TA0011 - TA0002 - TA0005","N/A","Gamaredon","C2","api.telegram.org","0","1","N/A","High False positive Risk !","1","9","N/A","N/A","N/A","N/A","33946" "*api/v1/fleet/sso/callback*",".{0,1000}api\/v1\/fleet\/sso\/callback.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","33948" "*api@mega.nz*",".{0,1000}api\@mega\.nz.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#email","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","33950" "*api01.remot3.it*",".{0,1000}api01\.remot3\.it.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","33952" "*api-telemetry.servers.getgo.com*",".{0,1000}api\-telemetry\.servers\.getgo\.com.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33957" "*apk add 
tailscale*",".{0,1000}apk\sadd\stailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","33958" "*AppData\Local\Temp\RemotePC Attended*",".{0,1000}AppData\\Local\\Temp\\RemotePC\sAttended.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33977" "*AppData\Local\Temp\TeamViewer*",".{0,1000}AppData\\Local\\Temp\\TeamViewer.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","33978" "*AppData\Roaming\Microsoft\Windows\SendTo\TeamViewer.lnk*",".{0,1000}AppData\\Roaming\\Microsoft\\Windows\\SendTo\\TeamViewer\.lnk.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer 
usage","10","10","N/A","N/A","N/A","N/A","33980" "*AppData\Roaming\uTorrent*",".{0,1000}AppData\\Roaming\\uTorrent.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. Not something we want to see installed in a enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","0","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","33981" "*application/x-supremo*",".{0,1000}application\/x\-supremo.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33990" "*application_name='pgrokd'*",".{0,1000}application_name\=\'pgrokd\'.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","33992" "*ApplicationName'>GoTo Opener*",".{0,1000}ApplicationName\'\>GoTo\sOpener.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33993" "*ApplicationName'>GoToMyPC Communications*",".{0,1000}ApplicationName\'\>GoToMyPC\sCommunications.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web 
browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33994" "*ApplicationName'>GoToMyPC Host Launcher*",".{0,1000}ApplicationName\'\>GoToMyPC\sHost\sLauncher.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33995" "*ApplicationName'>GoToMyPC Viewer*",".{0,1000}ApplicationName\'\>GoToMyPC\sViewer.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","33996" "*apt install *megacmd*",".{0,1000}apt\sinstall\s.{0,1000}megacmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34001" "*apt install gost*",".{0,1000}apt\sinstall\sgost.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34006" "*apt install restic*",".{0,1000}apt\sinstall\srestic.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34013" "*APT::Update::Pre-Invoke *}*",".{0,1000}APT\:\:Update\:\:Pre\-Invoke\s.{0,1000}\}.{0,1000}","greyware_tool_keyword","APT","linux commands abused by attackers - backdoor apt execute a command when invoking apt","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Exploitation tool","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","34023" "*apt-get install restic*",".{0,1000}apt\-get\sinstall\srestic.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34030" "*asapi.aweray.net*",".{0,1000}asapi\.aweray\.net.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34112" "*asse.rel.tunnels.api.visualstudio.com*",".{0,1000}asse\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","34140" "*assist.zoho.com*",".{0,1000}assist\.zoho\.com.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34148" "*Assistencia Rapida Installer.exe*",".{0,1000}Assistencia\sRapida\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","34149" "*assoc *findstr *=cm*",".{0,1000}assoc\s.{0,1000}findstr\s.{0,1000}\=cm.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string =cm - hidden objective is to find .cdxml association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34151" "*assoc *findstr *lCmd*",".{0,1000}assoc\s.{0,1000}findstr\s.{0,1000}lCmd.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string lCmd - hidden objective is to find .cdxml association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34152" "*assoc *findstr
*mdf*",".{0,1000}assoc\s.{0,1000}findstr\s.{0,1000}mdf.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string mdf - hidden objective is to find cmdfile association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34153" "*assoc *findstr *s1x*",".{0,1000}assoc\s.{0,1000}findstr\s.{0,1000}s1x.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string s1x - hidden objective is to find .ps1xml association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34154" "*assoc *findstr =cm*",".{0,1000}assoc\s.{0,1000}findstr\s\=cm.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string =cm - hidden objective is to find .cdxml association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34155" "*assoc *findstr lCmd*",".{0,1000}assoc\s.{0,1000}findstr\slCmd.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string lCmd - hidden objective is to find .cdxml association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34156" "*assoc *findstr mdf*",".{0,1000}assoc\s.{0,1000}findstr\smdf.{0,1000}","greyware_tool_keyword","assoc","will return the file association for file extensions that include the string mdf - hidden objective is to find cmdfile association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34157" "*assoc *findstr s1x*",".{0,1000}assoc\s.{0,1000}findstr\ss1x.{0,1000}","greyware_tool_keyword","assoc","will
return the file association for file extensions that include the string s1x - hidden objective is to find .ps1xml association","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","34158" "*as-tk.aweray.com*",".{0,1000}as\-tk\.aweray\.com.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34161" "*as-tk.aweray.com/track*",".{0,1000}as\-tk\.aweray\.com\/track.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34162" "*ataylor32/duckdns-powershell*",".{0,1000}ataylor32\/duckdns\-powershell.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","34171" "*atera_del.bat*",".{0,1000}atera_del\.bat.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34172" "*atera_del2.bat*",".{0,1000}atera_del2\.bat.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker -
BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34173" "*AteraAgent*AgentPackageRunCommandInteractive.exe*",".{0,1000}AteraAgent.{0,1000}AgentPackageRunCommandInteractive\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34174" "*AteraSetupLog.txt*",".{0,1000}AteraSetupLog\.txt.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34175" "*attrib *.rdp -s -h",".{0,1000}attrib\s.{0,1000}\.rdp\s\-s\s\-h","greyware_tool_keyword","attrib","hide evidence of RDP connections","T1070.004","TA0005","N/A","N/A","Defense Evasion","https://github.com/xiaoy-sec/Pentest_Note/blob/52156f816f0c2497c25343c2e872130193acca80/wiki/%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/Windows%E6%8F%90%E6%9D%83/RDP%26Firewall/%E5%88%A0%E9%99%A4%E7%97%95%E8%BF%B9.md?plain=1#L4","1","0","N/A","N/A","10","10","3875","951","2023-05-22T03:50:57Z","2020-06-15T02:58:36Z","34238" "*attrib +R +S +H C:\WINDOWS\scvhost.exe*",".{0,1000}attrib\s\+R\s\+S\s\+H\sC\:\\WINDOWS\\scvhost\.exe.{0,1000}","greyware_tool_keyword","attrib","suspicious attrib command","T1070 - T1222","TA0005","Sph1nX","N/A","Defense 
Evasion","https://github.com/petikvx/vx-ezine/blob/cfaf09bb089a08a9f33254929209fb32ebd52806/darkcodes/dc1/Sources/Sph1nX_Sources/DeskLock/DeskLock.txt#L13","1","0","N/A","N/A","9","1","16","2","2022-09-13T12:31:07Z","2021-10-02T12:56:47Z","34240" "*attrib +s +h /D ""C:\Program Files\Windows NT\*",".{0,1000}attrib\s\+s\s\+h\s\/D\s\""C\:\\Program\sFiles\\Windows\sNT\\.{0,1000}","greyware_tool_keyword","attrib","defense evasion - hiding in suspicious directory","T1564.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34241" "*attrib +s +h /D ""C:\users\Public\*",".{0,1000}attrib\s\+s\s\+h\s\/D\s\""C\:\\users\\Public\\.{0,1000}","greyware_tool_keyword","attrib","defense evasion - hiding in suspicious directory","T1564.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34242" "*attrib +s +h desktop.ini*",".{0,1000}attrib\s\+s\s\+h\sdesktop\.ini.{0,1000}","greyware_tool_keyword","attrib","NTLM Leak via Desktop.ini","T1564.001","TA0005","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","34243" "*attrib desktop.ini +s +h +r*",".{0,1000}attrib\sdesktop\.ini\s\+s\s\+h\s\+r.{0,1000}","greyware_tool_keyword","attrib","instruments explorer to treat the folder as ActiveX cache","T1070 - T1222","TA0005","N/A","N/A","Defense Evasion","https://x.com/ValthekOn/status/1890160938407596168","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34244" "*attrib -R -S -H C:\WINDOWS\explorer.exe*",".{0,1000}attrib\s\-R\s\-S\s\-H\sC\:\\WINDOWS\\explorer\.exe.{0,1000}","greyware_tool_keyword","attrib","suspicious attrib command","T1070 - T1222","TA0005","Sph1nX","N/A","Defense
Evasion","https://github.com/petikvx/vx-ezine/blob/cfaf09bb089a08a9f33254929209fb32ebd52806/darkcodes/dc1/Sources/Sph1nX_Sources/DeskLock/DeskLock.txt#L13","1","0","N/A","N/A","9","1","16","2","2022-09-13T12:31:07Z","2021-10-02T12:56:47Z","34245" "*attrib -R -S -H C:\WINDOWS\System32\explorer.exe*",".{0,1000}attrib\s\-R\s\-S\s\-H\sC\:\\WINDOWS\\System32\\explorer\.exe.{0,1000}","greyware_tool_keyword","attrib","suspicious attrib command","T1070 - T1222","TA0005","Sph1nX","N/A","Defense Evasion","https://github.com/petikvx/vx-ezine/blob/cfaf09bb089a08a9f33254929209fb32ebd52806/darkcodes/dc1/Sources/Sph1nX_Sources/DeskLock/DeskLock.txt#L13","1","0","N/A","N/A","9","1","16","2","2022-09-13T12:31:07Z","2021-10-02T12:56:47Z","34246" "*attrib -s -h %userprofile%*",".{0,1000}attrib\s\-s\s\-h\s\%userprofile\%.{0,1000}","greyware_tool_keyword","attrib","CleanRDP.bat script erasing RDP traces used by Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34247" "*attrib -s -h %userprofile%\documents\Default.rdp*",".{0,1000}attrib\s\-s\s\-h\s\%userprofile\%\\documents\\Default\.rdp.{0,1000}","greyware_tool_keyword","attrib","CleanRDP.bat script erasing RDP traces used by Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34248" "*auc1.rel.tunnels.api.visualstudio.com*",".{0,1000}auc1\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","34250" "*auditctl -e 0*",".{0,1000}auditctl\s\-e\s0.{0,1000}","greyware_tool_keyword","auditd","disabling auditd","T1562.001 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","8","N/A","N/A","N/A","N/A","34252" "*auditctl -e0*",".{0,1000}auditctl\s\-e0.{0,1000}","greyware_tool_keyword","auditd","disabling auditd","T1562.001 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","8","N/A","N/A","N/A","N/A","34253" "*aue.rel.tunnels.api.visualstudio.com*",".{0,1000}aue\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","34254" "*aue.rel.tunnels.api.visualstudio.com*",".{0,1000}aue\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. 
This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","0","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34255" "*aue-data.rel.tunnels.api.visualstudio.com*",".{0,1000}aue\-data\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","0","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34256" "*auth*.aeroadmin.com*",".{0,1000}auth.{0,1000}\.aeroadmin\.com.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34259" "*auth11.aeroadmin.com*",".{0,1000}auth11\.aeroadmin\.com.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34262" "*AutoHotkey/Ahk2Exe*",".{0,1000}AutoHotkey\/Ahk2Exe.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","34297" "*AutoHotkey/AutoHotkey*",".{0,1000}AutoHotkey\/AutoHotkey.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented 
scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34298" "*AutoHotkeySC.bin*",".{0,1000}AutoHotkeySC\.bin.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34299" "*AutoHotkeyx.sln*",".{0,1000}AutoHotkeyx\.sln.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34300" "*AutoHotkeyx.vcxproj*",".{0,1000}AutoHotkeyx\.vcxproj.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives 
expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34301" "*auvik.agent.exe*",".{0,1000}auvik\.agent\.exe.{0,1000}","greyware_tool_keyword","auvik","cloud-based network management software","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.auvik.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34326" "*AuvikService.exe*",".{0,1000}AuvikService\.exe.{0,1000}","greyware_tool_keyword","auvik","cloud-based network management software","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.auvik.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34327" "*AvDump.exe --pid * --dump_file *.dmp*",".{0,1000}AvDump\.exe\s\-\-pid\s.{0,1000}\s\-\-dump_file\s.{0,1000}\.dmp.{0,1000}","greyware_tool_keyword","AVDump","Avast AV to dump LSASS (C:\Program Files\Avast Software\Avast)","T1003.001 - T1059.001 - T1106","TA0006","N/A","Dispossessor","Credential Access","https://rosesecurity.gitbook.io/red-teaming-ttps/windows#av-lsass-dump","1","0","N/A","lolbin","8","9","N/A","N/A","N/A","N/A","34341" "*Aweray_Remote.exe*",".{0,1000}Aweray_Remote\.exe.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34370" "*awerayimg.com*",".{0,1000}awerayimg\.com.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34371" "*azimjohn/jprq*",".{0,1000}azimjohn\/jprq.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","34392" "*AzureADConnectAuthenticationAgentService.exe*",".{0,1000}AzureADConnectAuthenticationAgentService\.exe.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","34400" "*b^i^t^s^a^d^min^ /t^ra^n^s^f^e^r^ ^/^d^o^w^n^l^o^a^d*",".{0,1000}b\^i\^t\^s\^a\^d\^min\^\s\/t\^ra\^n\^s\^f\^e\^r\^\s\^\/\^d\^o\^w\^n\^l\^o\^a\^d.{0,1000}","greyware_tool_keyword","bitsadmin","bitsadmin obfuscation observed in use by attackers","T1105 - T1071","TA0010 - TA0011 - TA0009 - TA0005","N/A","Black Basta - Hive - Revil - Conti - Medusa","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","34409" "*B00004294C7ABEDC67BD41B0F3CB0C9730BEDA03BC3CE2709B7F838585133B2C*",".{0,1000}B00004294C7ABEDC67BD41B0F3CB0C9730BEDA03BC3CE2709B7F838585133B2C.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","34410" "*b00f3120e03aa38f2472730d2b1bbbb4e00af3f5130e8b6d14a8b9f3ee96bece*",".{0,1000}b00f3120e03aa38f2472730d2b1bbbb4e00af3f5130e8b6d14a8b9f3ee96bece.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 
- T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34412" "*b01db099512e344df190ee405619399c835b1d5522e2e6faa8e47b49418bab66*",".{0,1000}b01db099512e344df190ee405619399c835b1d5522e2e6faa8e47b49418bab66.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","34416" "*b03d96d8d00893f76bd9c55b7ce47750222728e30b19d23e1a39e0239ea6420d*",".{0,1000}b03d96d8d00893f76bd9c55b7ce47750222728e30b19d23e1a39e0239ea6420d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","34419" "*b04b1dc45652c59f82cecc30cf9aea76e5a1bd6cc3fecc450cef67cbcd825f06*",".{0,1000}b04b1dc45652c59f82cecc30cf9aea76e5a1bd6cc3fecc450cef67cbcd825f06.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34420" 
"*b065a47eb4b282f716c57381099ee39456910bacb6887fdb6a7c86cc571dfbf0*",".{0,1000}b065a47eb4b282f716c57381099ee39456910bacb6887fdb6a7c86cc571dfbf0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34425" "*b069bee7a2a19e296886fb26862e7432e0b2a0fbde72db072f369a0c0e990955*",".{0,1000}b069bee7a2a19e296886fb26862e7432e0b2a0fbde72db072f369a0c0e990955.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","34426" "*b075acc6e8a6a1f619752b6106299e66ff7fc95032bd9a9096718c7600bd5c72*",".{0,1000}b075acc6e8a6a1f619752b6106299e66ff7fc95032bd9a9096718c7600bd5c72.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34429" "*b084b50bb95806e54bd010fa7e2663adfae267d4baea1b590b8f97a66ae730f9*",".{0,1000}b084b50bb95806e54bd010fa7e2663adfae267d4baea1b590b8f97a66ae730f9.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, 
via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34430" "*b087a02bc2325dcbb06caa40e7debe301dea47b89f1e4a875092835e056f0b73*",".{0,1000}b087a02bc2325dcbb06caa40e7debe301dea47b89f1e4a875092835e056f0b73.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34432" "*b0943f704ffc3830b8b900408b94e7a27434602dd34e9a831f81730bee4631a2*",".{0,1000}b0943f704ffc3830b8b900408b94e7a27434602dd34e9a831f81730bee4631a2.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34433" "*b095c8ae34961ed96ebd2cfb8d99d0aae0c9194beee50efcb55743a56a3f2527*",".{0,1000}b095c8ae34961ed96ebd2cfb8d99d0aae0c9194beee50efcb55743a56a3f2527.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34435" "*b09684adfae58733bc12cd0ee3cf1e20d6b888c3e5280cf9f9e7a6467cf87a71*",".{0,1000}b09684adfae58733bc12cd0ee3cf1e20d6b888c3e5280cf9f9e7a6467cf87a71.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - 
T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34436" "*b09d38e5eba230a6bb04f144f5d32d26ce69f1424bbbb1058d43c712ff558679*",".{0,1000}b09d38e5eba230a6bb04f144f5d32d26ce69f1424bbbb1058d43c712ff558679.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34442" "*b0a1898b536d811f388b3fddd94d50c8bcec6e87f11a7c36e5d4e5761563eb4f*",".{0,1000}b0a1898b536d811f388b3fddd94d50c8bcec6e87f11a7c36e5d4e5761563eb4f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34443" "*b0c4f83b23c0bd366537a33642050c0ddfb4184d969dbf2e934903873a801953*",".{0,1000}b0c4f83b23c0bd366537a33642050c0ddfb4184d969dbf2e934903873a801953.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","34447" "*b0d11385c1a17d7085834e7d163eab9d78acea55d406862770db20ba18ba16f8*",".{0,1000}b0d11385c1a17d7085834e7d163eab9d78acea55d406862770db20ba18ba16f8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34452" "*b0d62a246efdf89a35137f55d840b7f7d1a6c231a4a2a14bd4ab2375355644ac*",".{0,1000}b0d62a246efdf89a35137f55d840b7f7d1a6c231a4a2a14bd4ab2375355644ac.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34454" "*b0daa38ea704406f5eafe4056be67de1206dced6333c01c90f76441aa227ee21*",".{0,1000}b0daa38ea704406f5eafe4056be67de1206dced6333c01c90f76441aa227ee21.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","34455" "*b0f71544821d4a67e6462c8355b91b5c4d1e1f4dd6f8e84fd08879aff1669de3*",".{0,1000}b0f71544821d4a67e6462c8355b91b5c4d1e1f4dd6f8e84fd08879aff1669de3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - 
Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34462" "*b0f78c07fd76cc1ba1d663dc2b4b798c635c94d2369b62805399be8f43d3565f*",".{0,1000}b0f78c07fd76cc1ba1d663dc2b4b798c635c94d2369b62805399be8f43d3565f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34463" "*b10cfda1-f24f-441b-8f43-80cb93e786ec*",".{0,1000}b10cfda1\-f24f\-441b\-8f43\-80cb93e786ec.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#GUIDproject","N/A","10","10","N/A","N/A","N/A","N/A","34465" "*b11045e6accfd5cfa54afed6cfdfc2203873efe7541aa5a93f920d71d3a517b0*",".{0,1000}b11045e6accfd5cfa54afed6cfdfc2203873efe7541aa5a93f920d71d3a517b0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","34467" "*b117ea60954ad0c8d4e92eb60ca8e748806978506c377d59b4f5bc5295c4e3d1*",".{0,1000}b117ea60954ad0c8d4e92eb60ca8e748806978506c377d59b4f5bc5295c4e3d1.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34468" "*b1213c190d359872abf866bbfbd98b8140e16177157d241330b2ad172fa59daa*",".{0,1000}b1213c190d359872abf866bbfbd98b8140e16177157d241330b2ad172fa59daa.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34472" "*b122583cf21343bfe83444d90b3223ff4abd42738e5817a1ba5095ddbc0202ed*",".{0,1000}b122583cf21343bfe83444d90b3223ff4abd42738e5817a1ba5095ddbc0202ed.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34473" "*b1251cfdcbc44356e001057524c3e2f7be56d94546273d10143bfa1148c155ab*",".{0,1000}b1251cfdcbc44356e001057524c3e2f7be56d94546273d10143bfa1148c155ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34474" "*b12e3cfdb977c2a9f5a26dc0db4b828b28b98dc3f5e635c7833d5b50cfcca1ea*",".{0,1000}b12e3cfdb977c2a9f5a26dc0db4b828b28b98dc3f5e635c7833d5b50cfcca1ea.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34476" "*b14b44b9a2346327ab1debd3d56028c3f861821666cbddb6c084e72ded0cb662*",".{0,1000}b14b44b9a2346327ab1debd3d56028c3f861821666cbddb6c084e72ded0cb662.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34479" "*b14d2059935ad7f318588eaf13d283d7678279979a317a571101c1c45f147f36*",".{0,1000}b14d2059935ad7f318588eaf13d283d7678279979a317a571101c1c45f147f36.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34480" "*b159333d4411c72736ec1c54cbca34c6ead9ff7779de79dc968387e61570f0d5*",".{0,1000}b159333d4411c72736ec1c54cbca34c6ead9ff7779de79dc968387e61570f0d5.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34482" "*b168ad78533011155648042d2900398596b0b128d12aeab2314424eb8be06794*",".{0,1000}b168ad78533011155648042d2900398596b0b128d12aeab2314424eb8be06794.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34484" "*b17778908c7e0b879b79b4aadf2dc28e9361e555fb68b35243c325b390628eed*",".{0,1000}b17778908c7e0b879b79b4aadf2dc28e9361e555fb68b35243c325b390628eed.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34490" "*b17a74e58d85f8d1ecfa38831fbca197c8edeb92e6c3a856e8c6b1030149ebe7*",".{0,1000}b17a74e58d85f8d1ecfa38831fbca197c8edeb92e6c3a856e8c6b1030149ebe7.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","34491" "*b18153bc7a6d6627f402380a6e5ac01b631207df54d7fcc0d89a8f6f81521401*",".{0,1000}b18153bc7a6d6627f402380a6e5ac01b631207df54d7fcc0d89a8f6f81521401.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34492" "*b190ff95d6d155e9a49752a555ca8ba14fe9e40156ec8cc5f8bcb6b0674cb80e*",".{0,1000}b190ff95d6d155e9a49752a555ca8ba14fe9e40156ec8cc5f8bcb6b0674cb80e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34498" "*b19a810320e3d27743080c6732d3ee8caae0c8b747df6001b81b0a1fb226665b*",".{0,1000}b19a810320e3d27743080c6732d3ee8caae0c8b747df6001b81b0a1fb226665b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34501" "*b19a810320e3d27743080c6732d3ee8caae0c8b747df6001b81b0a1fb226665b*",".{0,1000}b19a810320e3d27743080c6732d3ee8caae0c8b747df6001b81b0a1fb226665b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34502" "*b19ad25b155f7c1f9b7f725df787c80ea67daa07a9cee548fd8420f3918b1e91*",".{0,1000}b19ad25b155f7c1f9b7f725df787c80ea67daa07a9cee548fd8420f3918b1e91.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34503" "*b1a6f85aa7693abc888ec5cd0313b16ae5e932dee4e04f495481935530276427*",".{0,1000}b1a6f85aa7693abc888ec5cd0313b16ae5e932dee4e04f495481935530276427.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","34505" 
"*b1abf65d6e9817ce5e2be532edeeb45cbd9ad671e8325d9d145e4d3c3ad41715*",".{0,1000}b1abf65d6e9817ce5e2be532edeeb45cbd9ad671e8325d9d145e4d3c3ad41715.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34507" "*b1accc32bce8291fbbe929cac3e7e2663e4667e55aff1001257f627eda478fbc*",".{0,1000}b1accc32bce8291fbbe929cac3e7e2663e4667e55aff1001257f627eda478fbc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34508" "*b1b0d774ea2e40ee9a6e9a3c4704fce91af0025abd58dfdd9131fb8485e3de4b*",".{0,1000}b1b0d774ea2e40ee9a6e9a3c4704fce91af0025abd58dfdd9131fb8485e3de4b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34509" "*b1c9ee1dff229639c43c60e39a6023798b5c96ccd38df7e3edd41cfb6990c90a*",".{0,1000}b1c9ee1dff229639c43c60e39a6023798b5c96ccd38df7e3edd41cfb6990c90a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34512" "*b1cb1665e707241d9b0df4443c75ecd01f036562b1ab0d83eaf9a6fb4cfa018d*",".{0,1000}b1cb1665e707241d9b0df4443c75ecd01f036562b1ab0d83eaf9a6fb4cfa018d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34514" "*b1ce529f2a0ff157590b2607388d425ac9a0d076de7f58bb6ee7c14bdb657bd7*",".{0,1000}b1ce529f2a0ff157590b2607388d425ac9a0d076de7f58bb6ee7c14bdb657bd7.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","34516" 
"*b1d5414f66e4d4ffb2e2d67b26a484d55fc2113e8cedeca8794bd2c358897d0e*",".{0,1000}b1d5414f66e4d4ffb2e2d67b26a484d55fc2113e8cedeca8794bd2c358897d0e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34517" "*b1dc5923bfb2c9d0d1e271e20cce3615f8d23d276e376d9c566dc5400f14282d*",".{0,1000}b1dc5923bfb2c9d0d1e271e20cce3615f8d23d276e376d9c566dc5400f14282d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34519" "*b1e6103ec1b2468d5ec2f2367897f7cc20bbc9256af81b699e8d138aeb1267c6*",".{0,1000}b1e6103ec1b2468d5ec2f2367897f7cc20bbc9256af81b699e8d138aeb1267c6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest 
- EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34522" "*b22cf68891d45c2280d22c9139bb67c3bad35675e0571b024256f67bc001ae0b*",".{0,1000}b22cf68891d45c2280d22c9139bb67c3bad35675e0571b024256f67bc001ae0b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34533" "*b22d38050a7a8f95ebad69f27d48c792813865bef8faccbaced6e9bd4a3b8364*",".{0,1000}b22d38050a7a8f95ebad69f27d48c792813865bef8faccbaced6e9bd4a3b8364.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34534" 
"*b2344770edbdf6582fc88f65541386d47a3d079b7ad316dda58004025ad447db*",".{0,1000}b2344770edbdf6582fc88f65541386d47a3d079b7ad316dda58004025ad447db.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","34536" "*b246e5bb88a8e76fe372909c4c3fdaa09d69929ec4d0fd8e373936270a7baa0c*",".{0,1000}b246e5bb88a8e76fe372909c4c3fdaa09d69929ec4d0fd8e373936270a7baa0c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34548" "*b25e38016ee6cae1175968f4686699588b208d14f27320052e097c5a252d2d1a*",".{0,1000}b25e38016ee6cae1175968f4686699588b208d14f27320052e097c5a252d2d1a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34553" "*b2768608b33e964fc7067657f385ba15a69762b0a875db47981953d70dd36af7*",".{0,1000}b2768608b33e964fc7067657f385ba15a69762b0a875db47981953d70dd36af7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34560" "*b27ceab87644e8402f0a72d5f84bfa6e52b4c9c31293fe42fef6edba58fd81a3*",".{0,1000}b27ceab87644e8402f0a72d5f84bfa6e52b4c9c31293fe42fef6edba58fd81a3.{0,1000}","greyware_tool_keyword","restic","backup program used by 
threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34563" "*b2834369b18687b609ec6f0b3fda7dbdf89fb55301b50cf110702995970d13fe*",".{0,1000}b2834369b18687b609ec6f0b3fda7dbdf89fb55301b50cf110702995970d13fe.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","34565" "*b28be6193bc56da75aab6d29ff6b02bb58c57974447bbff3fecf106077e4b35c*",".{0,1000}b28be6193bc56da75aab6d29ff6b02bb58c57974447bbff3fecf106077e4b35c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34568" "*b2b16cfd0ddbf519fb626a0b303afa172043fce9fda1d3dd238b636814b75d6b*",".{0,1000}b2b16cfd0ddbf519fb626a0b303afa172043fce9fda1d3dd238b636814b75d6b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34581" "*b2b717b196a443ae5421b0e6cb1656d29034ede9c604bf04fec2bddaeba5dcf8*",".{0,1000}b2b717b196a443ae5421b0e6cb1656d29034ede9c604bf04fec2bddaeba5dcf8.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","34587" "*b2cb915a6e66c99fcceceae07b08d28002c575a3bc2c6aa8ea88c9ae45294be3*",".{0,1000}b2cb915a6e66c99fcceceae07b08d28002c575a3bc2c6aa8ea88c9ae45294be3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34595" "*b2d67e08d8c55a49f1b18bac7457fcd831dbb13dbdd1b05c119ace65ccdf7b31*",".{0,1000}b2d67e08d8c55a49f1b18bac7457fcd831dbb13dbdd1b05c119ace65ccdf7b31.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34598" "*b2ef7165622db32fdb1b2117f9393fc549bfe5fe9e7541a619a5707d2179d81e*",".{0,1000}b2ef7165622db32fdb1b2117f9393fc549bfe5fe9e7541a619a5707d2179d81e.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","34600" "*b2f532c5c0922778360f918b4823e415b4309653689dd131b9e3514045f94613*",".{0,1000}b2f532c5c0922778360f918b4823e415b4309653689dd131b9e3514045f94613.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34601" "*b2fbf30e0db9dd21a011d733f210f9c7944f4cdf3903c352946c3f88e760746d*",".{0,1000}b2fbf30e0db9dd21a011d733f210f9c7944f4cdf3903c352946c3f88e760746d.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - 
T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","34603" "*b309f0785461dbe35a63b0a674cc70381ef7f87720d2aa884a8dbc8ae3c2c42e*",".{0,1000}b309f0785461dbe35a63b0a674cc70381ef7f87720d2aa884a8dbc8ae3c2c42e.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34606" "*b30e9e154587f6e37134b6121d01c79c79f36e71092d086a1d8e3e547ccc6cde*",".{0,1000}b30e9e154587f6e37134b6121d01c79c79f36e71092d086a1d8e3e547ccc6cde.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34607" "*b31716aa1e425286ea9372e2f72fa7e99e5df62dbe9ac54838d55a877a45abe1*",".{0,1000}b31716aa1e425286ea9372e2f72fa7e99e5df62dbe9ac54838d55a877a45abe1.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - 
TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","34609" "*b31e9e186194897b6b75e122c5ea4bf20170a485ff31faf312612514fe7b92ec*",".{0,1000}b31e9e186194897b6b75e122c5ea4bf20170a485ff31faf312612514fe7b92ec.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34611" "*b330c29f6ef91302c6a2b9a0f6e86c77b498d0babb60fe182440f1b97e0554cb*",".{0,1000}b330c29f6ef91302c6a2b9a0f6e86c77b498d0babb60fe182440f1b97e0554cb.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34619" "*b379d721a766c8b80a121173be37050c9ecc94b11c5dbb0e246308ebbb5fbe74*",".{0,1000}b379d721a766c8b80a121173be37050c9ecc94b11c5dbb0e246308ebbb5fbe74.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34628" "*b38a8c339aa39c37a3680e31876bc6b4e5c9f337d4c0f409fd17b696befecf93*",".{0,1000}b38a8c339aa39c37a3680e31876bc6b4e5c9f337d4c0f409fd17b696befecf93.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 -
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34633" "*b396b58b9729c83406ade3cd3f6d52820a7ff6cf36cd4a59eb9d87ee267591fc*",".{0,1000}b396b58b9729c83406ade3cd3f6d52820a7ff6cf36cd4a59eb9d87ee267591fc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34637" "*b39aacc5eb127dab66d1ccbbcbee9ee6cf659d27ebe9cec63c4940754acab7da*",".{0,1000}b39aacc5eb127dab66d1ccbbcbee9ee6cf659d27ebe9cec63c4940754acab7da.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","34638" "*b3b8e7d50a413a441df3ee1d510d3a9f537f9bc3a8da6119814da8da34940e64*",".{0,1000}b3b8e7d50a413a441df3ee1d510d3a9f537f9bc3a8da6119814da8da34940e64.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34646" "*b3c09137b462548f44d764f98909534bef6e85fe029d4daf60545642cdefd3dd*",".{0,1000}b3c09137b462548f44d764f98909534bef6e85fe029d4daf60545642cdefd3dd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34651" "*b3c7ed8b0e54e2f93361946299200d1fdd94b658e7410b5dba3fbeb90dce4143*",".{0,1000}b3c7ed8b0e54e2f93361946299200d1fdd94b658e7410b5dba3fbeb90dce4143.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34655" "*b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8*",".{0,1000}b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","34657" "*b3e1befd68844e32730608eb0bd7465a4e634154ac4a90ab8d48738c05054e42*",".{0,1000}b3e1befd68844e32730608eb0bd7465a4e634154ac4a90ab8d48738c05054e42.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34662" "*b3ebafe5393a73230d893e9e5549c2e090570048f8ed01e618b832b3b9f4eebe*",".{0,1000}b3ebafe5393a73230d893e9e5549c2e090570048f8ed01e618b832b3b9f4eebe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34664" "*b3f0715b807f2c31670a389cb430f01423f281d38f44e93d53e5fb2732406173*",".{0,1000}b3f0715b807f2c31670a389cb430f01423f281d38f44e93d53e5fb2732406173.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","34666" "*b3f41948b9d55320be0884cdf9634a30089348e31bcb8a6675f75094167c741e*",".{0,1000}b3f41948b9d55320be0884cdf9634a30089348e31bcb8a6675f75094167c741e.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","34667"
"*b3f9f99ab501e8c40099dc351b2a59281e6a6b8117deae1e0d820ea70dd6a041*",".{0,1000}b3f9f99ab501e8c40099dc351b2a59281e6a6b8117deae1e0d820ea70dd6a041.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34669" "*b411cbafc30aeeb59c69803b5f962f87a653fdf4a4a6f4292ecb6280978c0cc2*",".{0,1000}b411cbafc30aeeb59c69803b5f962f87a653fdf4a4a6f4292ecb6280978c0cc2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34674" "*b421bac88d296432b6b92005e1dd0c6fc94a023a54afdd0d4965693d264cfd5e*",".{0,1000}b421bac88d296432b6b92005e1dd0c6fc94a023a54afdd0d4965693d264cfd5e.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","34680" "*b430c31a107a7c5e48899e3ee800f39aa50300d3d76f87bb7afb7ede58875cfe*",".{0,1000}b430c31a107a7c5e48899e3ee800f39aa50300d3d76f87bb7afb7ede58875cfe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34685" "*b44c1910df6b24847b75712e9f183d5fd9119e2e4dfdc15eeecb5e7159e4530a*",".{0,1000}b44c1910df6b24847b75712e9f183d5fd9119e2e4dfdc15eeecb5e7159e4530a.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","34688" "*b460ff28856ab55d600f2a3a2bd178850ff9183b93b92fd8f82726761a4c5bd5*",".{0,1000}b460ff28856ab55d600f2a3a2bd178850ff9183b93b92fd8f82726761a4c5bd5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34692" "*b46470d77a056eff68316b87f51b4d1a50d6529393825d2690a3628d18054634*",".{0,1000}b46470d77a056eff68316b87f51b4d1a50d6529393825d2690a3628d18054634.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - 
INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34693" "*b46dd99bb0f6d14356dc4dcfd1facc8183a878017b6f4ebabbb176182919465b*",".{0,1000}b46dd99bb0f6d14356dc4dcfd1facc8183a878017b6f4ebabbb176182919465b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34694" "*b46ed003967f739acb4f0778b4665dc9aceab652c51223b10f632ab0681b7261*",".{0,1000}b46ed003967f739acb4f0778b4665dc9aceab652c51223b10f632ab0681b7261.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","34695" "*b47481c1ac2497a694331e44166f2b9c08050bd9da2f24ea4d020c412c3865d4*",".{0,1000}b47481c1ac2497a694331e44166f2b9c08050bd9da2f24ea4d020c412c3865d4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - 
Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34698" "*b47b85efda1561b559c7d1a81e0d4b49958607f6e4933bf46f97f43c917f69a7*",".{0,1000}b47b85efda1561b559c7d1a81e0d4b49958607f6e4933bf46f97f43c917f69a7.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34701" "*b4808cea473c3d6e6af368ab59dd59a933bc0859459ea3b77481695cfab7dcd4*",".{0,1000}b4808cea473c3d6e6af368ab59dd59a933bc0859459ea3b77481695cfab7dcd4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34704" 
"*b4810eb33bbc3888e66d51db3c76a52abe7b98d8520584daa8d92c03e412be57*",".{0,1000}b4810eb33bbc3888e66d51db3c76a52abe7b98d8520584daa8d92c03e412be57.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","34705" "*b48943e9641fde4b91e0032fa031599fdbe3f9cebdd8612cec9e3477aecf2866*",".{0,1000}b48943e9641fde4b91e0032fa031599fdbe3f9cebdd8612cec9e3477aecf2866.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34707" "*b4a40bfaca19d5b8570be95ea2839fa82c7814c561510c3e3807ce273ee7c7cf*",".{0,1000}b4a40bfaca19d5b8570be95ea2839fa82c7814c561510c3e3807ce273ee7c7cf.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34713" "*b4a7cfb3399f9225d72ad7e4a66f87f825b9ffa41cdab8103ec194077b08b5b6*",".{0,1000}b4a7cfb3399f9225d72ad7e4a66f87f825b9ffa41cdab8103ec194077b08b5b6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon 
Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34716" "*b4aa7c480ce02aeb723529ed5e8c2874738ca4d2aeb9e718cdc96c5e5cbded3b*",".{0,1000}b4aa7c480ce02aeb723529ed5e8c2874738ca4d2aeb9e718cdc96c5e5cbded3b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","34717" "*b4ae7e04d503aacbe2bcaf751c159d258fb4f199ccb3b5c2e0587531af6d3c4f*",".{0,1000}b4ae7e04d503aacbe2bcaf751c159d258fb4f199ccb3b5c2e0587531af6d3c4f.{0,1000}","greyware_tool_keyword","rathole","expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34719" "*b4bed3b73a07c019ea853ee051e35932c97a1547809697dfa495a00710dec8eb*",".{0,1000}b4bed3b73a07c019ea853ee051e35932c97a1547809697dfa495a00710dec8eb.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","34723" "*b4c16d2e012d0c946e0826ab7e34acc035eca9d1a94a5fd30f394124296c962b*",".{0,1000}b4c16d2e012d0c946e0826ab7e34acc035eca9d1a94a5fd30f394124296c962b.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 -
TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","34724" "*b4c80f3e5fcdf37a0d165af88b219bb2e3ce6b435164e6048b5f1b618b908fea*",".{0,1000}b4c80f3e5fcdf37a0d165af88b219bb2e3ce6b435164e6048b5f1b618b908fea.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34728" "*b4d304b1dc76001b1d3bb820ae8d1ae60a072afbd3296be904a3ee00b3d4fab9*",".{0,1000}b4d304b1dc76001b1d3bb820ae8d1ae60a072afbd3296be904a3ee00b3d4fab9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34731" "*b4f0256edb670edd9ee44e5884979228f558e6040e39faf4c95d010f82fda4af*",".{0,1000}b4f0256edb670edd9ee44e5884979228f558e6040e39faf4c95d010f82fda4af.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34739" "*b4f3bc92ccedfbb0714c662c8d6a7842e71f1ebb2d8392ec5064b314dd5dede5*",".{0,1000}b4f3bc92ccedfbb0714c662c8d6a7842e71f1ebb2d8392ec5064b314dd5dede5.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","34741" "*b4fd5651fedd284d57bae7f1eee41e3f9ef77e2d21014159081ce9200f886ace*",".{0,1000}b4fd5651fedd284d57bae7f1eee41e3f9ef77e2d21014159081ce9200f886ace.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34743" "*b4ldr/nse-scripts*",".{0,1000}b4ldr\/nse\-scripts.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","34746" 
"*b50382b91253028e0f21ca8d585456adbdd8eb05d20efe8eb024ff2253f49a3a*",".{0,1000}b50382b91253028e0f21ca8d585456adbdd8eb05d20efe8eb024ff2253f49a3a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34752" "*b509e7d50b164aaa62b30efb189caf965615ce266d51c243e494bca14d2f2864*",".{0,1000}b509e7d50b164aaa62b30efb189caf965615ce266d51c243e494bca14d2f2864.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34755" "*b52adf7f57f96bc43c7380afc6aa2f549b530e42436af53ba5b6ca4a75ed343e*",".{0,1000}b52adf7f57f96bc43c7380afc6aa2f549b530e42436af53ba5b6ca4a75ed343e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34761" "*b53e3cba1a8a3ebaa1e7d04f647eee3aed3417740692e346dc460c813403475c*",".{0,1000}b53e3cba1a8a3ebaa1e7d04f647eee3aed3417740692e346dc460c813403475c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34768" 
"*b56153a4717acef3981496c1b7612efb801ce9b90ec941f1ebf69026d7fbbe20*",".{0,1000}b56153a4717acef3981496c1b7612efb801ce9b90ec941f1ebf69026d7fbbe20.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","34777" "*b5649a8ea3cc6477325e09e2248ef708d434ee3b2251eb8764bcfc15fb1de456*",".{0,1000}b5649a8ea3cc6477325e09e2248ef708d434ee3b2251eb8764bcfc15fb1de456.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","34779" "*b57f1898dda9bdacec25669b4a8ccdb6905b5d0b9c9d0c4c3695d8aa54181bee*",".{0,1000}b57f1898dda9bdacec25669b4a8ccdb6905b5d0b9c9d0c4c3695d8aa54181bee.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34783" "*b580a9a0c9c89c5b5ea6e120a0358756c6e880d049ae63c97aa562a1ffdddc98*",".{0,1000}b580a9a0c9c89c5b5ea6e120a0358756c6e880d049ae63c97aa562a1ffdddc98.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon 
Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34784" "*b582450f8aea64cf41134d657ff610825080ddb317b7cbc1f1c1f1e4dd2c1978*",".{0,1000}b582450f8aea64cf41134d657ff610825080ddb317b7cbc1f1c1f1e4dd2c1978.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34786" "*b58fe1c67dd06e3e1224b3769af2d61d9cc6ba2ff4a501510a9c36836f395551*",".{0,1000}b58fe1c67dd06e3e1224b3769af2d61d9cc6ba2ff4a501510a9c36836f395551.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34792" "*b5a13819d673e09534661f3f1c2f85f4cac71f020b8a6a64586ba829e2cd3fd4*",".{0,1000}b5a13819d673e09534661f3f1c2f85f4cac71f020b8a6a64586ba829e2cd3fd4.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense 
Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34794" "*b5a6cb3aef4fd1a2165fb8c21b1b1705f3cb754a202adc81931b47cd39c64749*",".{0,1000}b5a6cb3aef4fd1a2165fb8c21b1b1705f3cb754a202adc81931b47cd39c64749.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34796" "*b5bed9e86f1fcce890d35bf0f75dcdabe99dece7a1b5af2f1cafb1af5104ec66*",".{0,1000}b5bed9e86f1fcce890d35bf0f75dcdabe99dece7a1b5af2f1cafb1af5104ec66.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34802" "*b5df12aab758bbaea8291069515a6e46b84b7b5326f24d54410fa20ac8c0c447*",".{0,1000}b5df12aab758bbaea8291069515a6e46b84b7b5326f24d54410fa20ac8c0c447.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","34808" 
"*b5e2d8796b19967b5945d040763d9d140f3e4c0393e4163ca6acb43666e998dd*",".{0,1000}b5e2d8796b19967b5945d040763d9d140f3e4c0393e4163ca6acb43666e998dd.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","34811" "*b5f4c4d06ff3d426aee99870ad437276c9ddaad55442f2df6a58b918115fe4cf*",".{0,1000}b5f4c4d06ff3d426aee99870ad437276c9ddaad55442f2df6a58b918115fe4cf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34817" "*b609a1cd184b98aa4f2c881c728c88387547d7e143e3bbce5a3f4c6331e239fd*",".{0,1000}b609a1cd184b98aa4f2c881c728c88387547d7e143e3bbce5a3f4c6331e239fd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34822" "*b60aca868ccb04dd0116edeae8430c93be5dda4410f766d137d22dc02f9dce6e*",".{0,1000}b60aca868ccb04dd0116edeae8430c93be5dda4410f766d137d22dc02f9dce6e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34824" "*b61cc885ac54a8f87869094cb343095b341e0db10898d2889942632f6155f1ff*",".{0,1000}b61cc885ac54a8f87869094cb343095b341e0db10898d2889942632f6155f1ff.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34827" "*b624a1f6b4582374715c11809ec8cfc7f8d6b15ee426b0027357377eb5e250a3*",".{0,1000}b624a1f6b4582374715c11809ec8cfc7f8d6b15ee426b0027357377eb5e250a3.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34828" "*b626b5bb92017ef63e3450aeeeb50583be95fadc09e9d2f44c5f37caa8a61e59*",".{0,1000}b626b5bb92017ef63e3450aeeeb50583be95fadc09e9d2f44c5f37caa8a61e59.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","34829" "*b62fddbe045b405c39c6d9252805804619c0551d527b78806f0f71246b87b812*",".{0,1000}b62fddbe045b405c39c6d9252805804619c0551d527b78806f0f71246b87b812.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","34836" "*b64b34521d1942f05b9224bb21d025af5c0ae99fa2e2dff635f26f91d91a6188*",".{0,1000}b64b34521d1942f05b9224bb21d025af5c0ae99fa2e2dff635f26f91d91a6188.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34840" "*b64d241702d0970bca644bf2d2f90155cf12f0265cd43377e58e5bb4f54c487f*",".{0,1000}b64d241702d0970bca644bf2d2f90155cf12f0265cd43377e58e5bb4f54c487f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34842" "*b65532e0fd6b3431083794b77510be5bb604ccdd09b140717cb8b984e3f071f6*",".{0,1000}b65532e0fd6b3431083794b77510be5bb604ccdd09b140717cb8b984e3f071f6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34847" "*b668e7abef3da11ad164c618aff533f225d96fa046034e64485a48eaf5fdaf58*",".{0,1000}b668e7abef3da11ad164c618aff533f225d96fa046034e64485a48eaf5fdaf58.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","34850" "*b673a20bc465d0312a145da0fa9382d990b4f28d2d492452be952a32c1740f50*",".{0,1000}b673a20bc465d0312a145da0fa9382d990b4f28d2d492452be952a32c1740f50.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","34854" "*b68640e6866a22639186095138657c53b0bb6626ec0438b488d1a2ffdde23155*",".{0,1000}b68640e6866a22639186095138657c53b0bb6626ec0438b488d1a2ffdde23155.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34858" 
"*b6911a2d3730f3bbcd89d503ac1226d6e6172cb49d3c92d04df933ef3c9e1531*",".{0,1000}b6911a2d3730f3bbcd89d503ac1226d6e6172cb49d3c92d04df933ef3c9e1531.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","34862" "*b69c2f0acc58d45ae4dae502892af08ce9abaa0de2433573a07e9a06fae3a255*",".{0,1000}b69c2f0acc58d45ae4dae502892af08ce9abaa0de2433573a07e9a06fae3a255.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34867" "*b6a7e8314b59c535279316d0fccf6165fec70e45a66edc1fad206fb68face26c*",".{0,1000}b6a7e8314b59c535279316d0fccf6165fec70e45a66edc1fad206fb68face26c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34870" 
"*b6a919990fe576710a4ce3ed46cc40d91ce4d59e547af8c50b739920987b7e44*",".{0,1000}b6a919990fe576710a4ce3ed46cc40d91ce4d59e547af8c50b739920987b7e44.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","34871" "*b6bb35e5bb724ced8d8d7da596f060ec650909eba12e38b5c40bcf32ed5e0ac2*",".{0,1000}b6bb35e5bb724ced8d8d7da596f060ec650909eba12e38b5c40bcf32ed5e0ac2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34875" "*b6c43379ca375e18916fd220fb5bb4c76a0bb75c5e83532fa47d6f74aeee61d6*",".{0,1000}b6c43379ca375e18916fd220fb5bb4c76a0bb75c5e83532fa47d6f74aeee61d6.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","34877" "*b6c5fd2222bb8c16d6627a961f988fb75c4d18b0432de4c01ae494913a34a6b2*",".{0,1000}b6c5fd2222bb8c16d6627a961f988fb75c4d18b0432de4c01ae494913a34a6b2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - 
Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34879" "*b6d0f1d60596d87349f81aff517a1c340b16e68a68d72fbb568307a8a8e0a7e8*",".{0,1000}b6d0f1d60596d87349f81aff517a1c340b16e68a68d72fbb568307a8a8e0a7e8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34880" "*b6d55d6536ff5e827c393516158924d228cfc2de2d127e302537e0f4abf1f98f*",".{0,1000}b6d55d6536ff5e827c393516158924d228cfc2de2d127e302537e0f4abf1f98f.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","34881" "*b6dd2b211d156dc7295cb5ff0e65eca60ba2d1a86b321ad9bcc4fd37f7ab423f*",".{0,1000}b6dd2b211d156dc7295cb5ff0e65eca60ba2d1a86b321ad9bcc4fd37f7ab423f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34884" 
"*b6f5c4dc870fdc69d0309c5d5a2a5d48a924a5c14a62b8a13228f071749739b5*",".{0,1000}b6f5c4dc870fdc69d0309c5d5a2a5d48a924a5c14a62b8a13228f071749739b5.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34892" "*b6ff6c05c78901dfc6291751bab1ae93a0ac836d8d506e57d2bb6fb927facc7d*",".{0,1000}b6ff6c05c78901dfc6291751bab1ae93a0ac836d8d506e57d2bb6fb927facc7d.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34896" "*b70a71c6d30d106c21cdfcd3d7bf61f8eff05d28d22538c6ea335e9818999cb5*",".{0,1000}b70a71c6d30d106c21cdfcd3d7bf61f8eff05d28d22538c6ea335e9818999cb5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34901" "*b710bdc87555b125cca39a89d2f41449b99afa567ec7e78f6e28b3f7bf872ac3*",".{0,1000}b710bdc87555b125cca39a89d2f41449b99afa567ec7e78f6e28b3f7bf872ac3.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","34902" "*b71ddababf3cb07dcf58059d117c12cbf501987bb9435811bd5380a2617324bd*",".{0,1000}b71ddababf3cb07dcf58059d117c12cbf501987bb9435811bd5380a2617324bd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34906" "*b72dff370a3d29191e51658527bafaddbe5a6519c0cde269ffa88b2d71fbced0*",".{0,1000}b72dff370a3d29191e51658527bafaddbe5a6519c0cde269ffa88b2d71fbced0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34911" 
"*b73d7349fb3446615ae20d73985b8b43edbede87eec813caf326a5b9d8b19156*",".{0,1000}b73d7349fb3446615ae20d73985b8b43edbede87eec813caf326a5b9d8b19156.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34915" "*b74f47cf6fd216692dc71832ec8910ddd60b64b08b0aa6593ee83e7c08416f73*",".{0,1000}b74f47cf6fd216692dc71832ec8910ddd60b64b08b0aa6593ee83e7c08416f73.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34919" "*b754705e934ef0766078f0371a1e83007dc7c85ef02ccd72da4571736df1914a*",".{0,1000}b754705e934ef0766078f0371a1e83007dc7c85ef02ccd72da4571736df1914a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","34920" "*b75fa5157fd2ff049b07259fde91ab3605f737827fb64fcbc373e2bd1779bb5d*",".{0,1000}b75fa5157fd2ff049b07259fde91ab3605f737827fb64fcbc373e2bd1779bb5d.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - 
T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","34925" "*b7632ad86179427b51fbad5f7f5a896fdf7107092db562ee04262d4f25fd1465*",".{0,1000}b7632ad86179427b51fbad5f7f5a896fdf7107092db562ee04262d4f25fd1465.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34928" "*b7678c523152e65ff7b537cafde3fd5ef076ea35e59c3c9148b44a7e6aee796d*",".{0,1000}b7678c523152e65ff7b537cafde3fd5ef076ea35e59c3c9148b44a7e6aee796d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","34933" "*b76e232b8d3bb64d981b3a90fc81d1cf4e737fe28dfcfb41e37054a48ed326c2*",".{0,1000}b76e232b8d3bb64d981b3a90fc81d1cf4e737fe28dfcfb41e37054a48ed326c2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","34934" 
"*b7716adc8baf4d206d412aec8017804099e8b210af4ca3e6040810c15b0d82ac*",".{0,1000}b7716adc8baf4d206d412aec8017804099e8b210af4ca3e6040810c15b0d82ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34935" "*b7778c69b9cfb944a3d1ab7ceabb2e1b13d222d40125122e30b868cf184f86eb*",".{0,1000}b7778c69b9cfb944a3d1ab7ceabb2e1b13d222d40125122e30b868cf184f86eb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34937" "*b7a7814aedd230b66e11f3626aa505a2a701d6afc19bc8be2143955bfa3c1d6e*",".{0,1000}b7a7814aedd230b66e11f3626aa505a2a701d6afc19bc8be2143955bfa3c1d6e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - 
T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34944" "*b7a85081d3f3529c2d0fc98596499489a27654917c1188f5dabe9ecdeac4459f*",".{0,1000}b7a85081d3f3529c2d0fc98596499489a27654917c1188f5dabe9ecdeac4459f.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","34945" "*b7b76dbe6c1976ebdb81e3b87284910f581cc79b7baa9f5073b0193c6f16b0d8*",".{0,1000}b7b76dbe6c1976ebdb81e3b87284910f581cc79b7baa9f5073b0193c6f16b0d8.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","34953" "*b7c1564546c8c57f4c1581d8473ae7a88ecba2e2a114178f8862ed8a15c93e16*",".{0,1000}b7c1564546c8c57f4c1581d8473ae7a88ecba2e2a114178f8862ed8a15c93e16.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","34955" 
"*b7c5ffe669acefd71a205c617ff4e1d66ecc58130b8c26513e818c8a35e5d658*",".{0,1000}b7c5ffe669acefd71a205c617ff4e1d66ecc58130b8c26513e818c8a35e5d658.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34957" "*b7ccc947d2e65a38eb9dd32e54c47f742ca9530e41e6ce8237c44e4d58abd601*",".{0,1000}b7ccc947d2e65a38eb9dd32e54c47f742ca9530e41e6ce8237c44e4d58abd601.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34962" "*b7e394578b41e9a71857e59d04b7bf582e3d0d15f314ab69f269be474a4b9e1a*",".{0,1000}b7e394578b41e9a71857e59d04b7bf582e3d0d15f314ab69f269be474a4b9e1a.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the 
Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","34964" "*b7e45744a48f5a5db2177b70a0c6741909343d2393045204ebf6c740c50e1de1*",".{0,1000}b7e45744a48f5a5db2177b70a0c6741909343d2393045204ebf6c740c50e1de1.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34965" "*b7efb92268e1e7897c0844e0a0f6c8648173a3c5c2c51d46fa5677b6c58c1dcd*",".{0,1000}b7efb92268e1e7897c0844e0a0f6c8648173a3c5c2c51d46fa5677b6c58c1dcd.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","34968" "*b7f2414b1d8be99157e5b25ea578938520c45d094534fffb2e515796559b9b29*",".{0,1000}b7f2414b1d8be99157e5b25ea578938520c45d094534fffb2e515796559b9b29.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34970" "*b8001e36a089a3933fe1f04947e5f0f550532437f1cafdb7486d1479846d4a8b*",".{0,1000}b8001e36a089a3933fe1f04947e5f0f550532437f1cafdb7486d1479846d4a8b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by 
a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34976" "*b80fcbbc7283e4737d325cd9566c3269ee97cde42c1377721abab7c45d9e518e*",".{0,1000}b80fcbbc7283e4737d325cd9566c3269ee97cde42c1377721abab7c45d9e518e.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","34981" "*b81d6ed58664ae2cbe10d5b6c166266ab7d3f359b72be00913509d24eb093c57*",".{0,1000}b81d6ed58664ae2cbe10d5b6c166266ab7d3f359b72be00913509d24eb093c57.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","34982" 
"*b830677a4de7462efd2cf843cd15ab382545f2243567ec1214f52bccccd168cd*",".{0,1000}b830677a4de7462efd2cf843cd15ab382545f2243567ec1214f52bccccd168cd.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","34985" "*b83a269ce5fb9ff099695165a5d3565646f6032579c4bc6925c63fe8100aee0f*",".{0,1000}b83a269ce5fb9ff099695165a5d3565646f6032579c4bc6925c63fe8100aee0f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","34989" "*b855b843211e9604d22362e14906b73b7016f230b11aab67047ac8b4e071da18*",".{0,1000}b855b843211e9604d22362e14906b73b7016f230b11aab67047ac8b4e071da18.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35002" "*b86e9468c1470e3a3e776f5cab91a1cb79927743cfbc92535e753024611e8b4e*",".{0,1000}b86e9468c1470e3a3e776f5cab91a1cb79927743cfbc92535e753024611e8b4e.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#filehash linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","35004" "*b86ee9cb9b2d4f4c8dee5805a0ff07067cb31e8e7ede06159854314f8a3ff4b6*",".{0,1000}b86ee9cb9b2d4f4c8dee5805a0ff07067cb31e8e7ede06159854314f8a3ff4b6.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","35005" "*b8714bdc54a797d35052db4d241bf2c5ca1dbd0f0ab549711ccdd0b54b4d1d55*",".{0,1000}b8714bdc54a797d35052db4d241bf2c5ca1dbd0f0ab549711ccdd0b54b4d1d55.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","35006" "*b884750041a05d7998e07110ba366d19af3c35157c95524b240707f81ce9572c*",".{0,1000}b884750041a05d7998e07110ba366d19af3c35157c95524b240707f81ce9572c.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","35012" "*b886f3afc9b5d11dcf8741b00aff8c1f43f1007554ac58f949c7654df0566fed*",".{0,1000}b886f3afc9b5d11dcf8741b00aff8c1f43f1007554ac58f949c7654df0566fed.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","35014" "*b8a048ff117640b07633cd2cb357b07ab64fd1817f6f68f9926c555b293d2a69*",".{0,1000}b8a048ff117640b07633cd2cb357b07ab64fd1817f6f68f9926c555b293d2a69.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35023" "*b8a22f70d3451a7f4b8e1718da28ef02dfb38d37193bcbdc1df39eb52d0da40b*",".{0,1000}b8a22f70d3451a7f4b8e1718da28ef02dfb38d37193bcbdc1df39eb52d0da40b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35025" "*b8b12628c324cddb1e1a464c1caf2597b66ce8f5f1057ffa86c1fe7b1c241b40*",".{0,1000}b8b12628c324cddb1e1a464c1caf2597b66ce8f5f1057ffa86c1fe7b1c241b40.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35031" "*b8c838d10851d63bca4f99ebb22b29989f517c66ea950eb0a9d7a4d110d2e86a*",".{0,1000}b8c838d10851d63bca4f99ebb22b29989f517c66ea950eb0a9d7a4d110d2e86a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35032" "*b8e073c828b106964df38c2a16c30d9acae5aac15a2b4204f084bdf2579c3145*",".{0,1000}b8e073c828b106964df38c2a16c30d9acae5aac15a2b4204f084bdf2579c3145.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35036" "*b8e1e263041bda37b87db45bd826c8dc4a81c0b60055df4f028ec4971cd55211*",".{0,1000}b8e1e263041bda37b87db45bd826c8dc4a81c0b60055df4f028ec4971cd55211.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","35037" "*b8ea3c85bf0e95653e1df9d4fa9bd268464260ec75ea9affaf84e3bf52de0ebc*",".{0,1000}b8ea3c85bf0e95653e1df9d4fa9bd268464260ec75ea9affaf84e3bf52de0ebc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35039" 
"*b91f5ef6203a5c50a72943c21aaef336e1344f19a3afd35406c00f065db8a8b9*",".{0,1000}b91f5ef6203a5c50a72943c21aaef336e1344f19a3afd35406c00f065db8a8b9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35050" "*b92dd2f3e8834af0a175dcf8ec3463b7b1012a8f23769fcbe96e4062505bf3b8*",".{0,1000}b92dd2f3e8834af0a175dcf8ec3463b7b1012a8f23769fcbe96e4062505bf3b8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","35056" "*b93eda57716e1c55030ac507cbbb9c70b6cfe3d0d5b9041742b4a5e90538a90e*",".{0,1000}b93eda57716e1c55030ac507cbbb9c70b6cfe3d0d5b9041742b4a5e90538a90e.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35060" "*b9488c840679a25f1afc5666025727d823751107550249b8b28fdda43cf270d2*",".{0,1000}b9488c840679a25f1afc5666025727d823751107550249b8b28fdda43cf270d2.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","35062" 
"*b957518edefbb9a18a66d6b3c298875e5a34818bb8b8924a58e53b6c863d906e*",".{0,1000}b957518edefbb9a18a66d6b3c298875e5a34818bb8b8924a58e53b6c863d906e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","35069" "*b9593e94892849b50e819c070843639953a69917a9069cb603433b3261519be7*",".{0,1000}b9593e94892849b50e819c070843639953a69917a9069cb603433b3261519be7.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35071" "*b95a258099aee9a56e620ccebcecabc246ee7f8390e3937ccedadd609c6d2dd0*",".{0,1000}b95a258099aee9a56e620ccebcecabc246ee7f8390e3937ccedadd609c6d2dd0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35072" "*b96e491df170080d656cf7e24dd085bc15e044e72c5bbbd6abbe3bcc230b328d*",".{0,1000}b96e491df170080d656cf7e24dd085bc15e044e72c5bbbd6abbe3bcc230b328d.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","35074" "*b9723ac6913ec711c25f35ae45869af57f3868b690a8da331ccbedfcd37ca68f*",".{0,1000}b9723ac6913ec711c25f35ae45869af57f3868b690a8da331ccbedfcd37ca68f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP 
Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35076" "*b98f46ae8a0fa6b7ec5fb984ab5bdad6f5728ab5e2806ec2f5c90014612e3a92*",".{0,1000}b98f46ae8a0fa6b7ec5fb984ab5bdad6f5728ab5e2806ec2f5c90014612e3a92.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35082" "*b993db8bf609419a850d3233f97bf422de7e5e54576120c36de0ad703e541bf2*",".{0,1000}b993db8bf609419a850d3233f97bf422de7e5e54576120c36de0ad703e541bf2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35086" "*b99def34d979c04dd81857a6ba93e79d8a16bcefecc8f4607e3c1cee097f41c1*",".{0,1000}b99def34d979c04dd81857a6ba93e79d8a16bcefecc8f4607e3c1cee097f41c1.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","35088" "*b99ea0f9bbe24f200b696c365a5a6ad6ee507ed4af27f22f505af648e971cf62*",".{0,1000}b99ea0f9bbe24f200b696c365a5a6ad6ee507ed4af27f22f505af648e971cf62.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35089" "*b9a1a2387b9b07ec6be9d28e5ed9639c1ea29d41a84bc3a62b39ab476459b1ff*",".{0,1000}b9a1a2387b9b07ec6be9d28e5ed9639c1ea29d41a84bc3a62b39ab476459b1ff.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35090" "*b9a70c3eac6f54cd95d0a61e74e0d12a1c93a21cd5d14d4aab53238e6a8f2236*",".{0,1000}b9a70c3eac6f54cd95d0a61e74e0d12a1c93a21cd5d14d4aab53238e6a8f2236.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","35091" "*b9a7d9cee05f2f4132c71ad619dca8ce9d252ee2dabfee18a5ab552cab228fca*",".{0,1000}b9a7d9cee05f2f4132c71ad619dca8ce9d252ee2dabfee18a5ab552cab228fca.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","35092" "*b9c52c18fb7f1b046650f606aa2904b18b73108bc9fde5000a7953a294169532*",".{0,1000}b9c52c18fb7f1b046650f606aa2904b18b73108bc9fde5000a7953a294169532.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","35094" "*b9c79acc881c58b0185465a5ded032d6210637f860712f04ecb800b66453d125*",".{0,1000}b9c79acc881c58b0185465a5ded032d6210637f860712f04ecb800b66453d125.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35095" "*b9ccd13469c5223264dd92b763eff1f27dedd86aa9a2068a08fadce9527e7e71*",".{0,1000}b9ccd13469c5223264dd92b763eff1f27dedd86aa9a2068a08fadce9527e7e71.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - 
TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35096" "*b9e13383878ef7999d46b18b41d6699ce5c406af071ec849235bdd103025e3e5*",".{0,1000}b9e13383878ef7999d46b18b41d6699ce5c406af071ec849235bdd103025e3e5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35101" "*b9eb20c7cddd46e2b79c6dab5f85943439333c710bdf6d27fe930a44a6ccb042*",".{0,1000}b9eb20c7cddd46e2b79c6dab5f85943439333c710bdf6d27fe930a44a6ccb042.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35102" "*ba1320c819ee2b6e29fe38ea4df592813e7219a89175313556110775f2204201*",".{0,1000}ba1320c819ee2b6e29fe38ea4df592813e7219a89175313556110775f2204201.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35108" "*ba2b81d69ca915132c560a787698e84bf530236a234dd7163e391feb82858bb0*",".{0,1000}ba2b81d69ca915132c560a787698e84bf530236a234dd7163e391feb82858bb0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35113" "*ba4393a03124724ca068684e02727bcede7e897eaa3698362bf1a452d1ed5823*",".{0,1000}ba4393a03124724ca068684e02727bcede7e897eaa3698362bf1a452d1ed5823.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35115" "*ba4439ded52eb5c5994dd10181ff83ef350933753198e50bf04b5f21333f2a12*",".{0,1000}ba4439ded52eb5c5994dd10181ff83ef350933753198e50bf04b5f21333f2a12.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35116" "*ba5e8ac5fc350cef4640480e48932359266bff6a2a85fff3a9163dc07e5a310b*",".{0,1000}ba5e8ac5fc350cef4640480e48932359266bff6a2a85fff3a9163dc07e5a310b.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","35118" "*ba65a4a428b16812cfade65b50138e0b865496a637bdf5dad7993bf3907cdd60*",".{0,1000}ba65a4a428b16812cfade65b50138e0b865496a637bdf5dad7993bf3907cdd60.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","35121" "*ba68f7b9e8eb49325a28ed27d1ff542919952145af371b144cc7effdd0d561d9*",".{0,1000}ba68f7b9e8eb49325a28ed27d1ff542919952145af371b144cc7effdd0d561d9.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","35122" "*ba7d8b6731532506b0ed79ed246562eec78498dd8123a6a1c5ec99d148eedbfb*",".{0,1000}ba7d8b6731532506b0ed79ed246562eec78498dd8123a6a1c5ec99d148eedbfb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35126" "*ba837f975b85f993b49c134bac37dec1c2f475228f2bff0b2e64045aea1fe494*",".{0,1000}ba837f975b85f993b49c134bac37dec1c2f475228f2bff0b2e64045aea1fe494.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35129" "*ba8bf4dcb9e12c6a4abc64205fe7e07ddf0610db4a6c536a550125d597add25b*",".{0,1000}ba8bf4dcb9e12c6a4abc64205fe7e07ddf0610db4a6c536a550125d597add25b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35132" "*BA902FC8-E936-44AA-9C88-57D358BBB700*",".{0,1000}BA902FC8\-E936\-44AA\-9C88\-57D358BBB700.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#GUIDproject #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","35133" "*ba9ae74a938a83efcaee904b800d7bff0b19e02f632c4956bd0361e6a32f4ef3*",".{0,1000}ba9ae74a938a83efcaee904b800d7bff0b19e02f632c4956bd0361e6a32f4ef3.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","35140" 
"*ba9d24e28c6e24740fa1a9c49a09c8c80c12b367eab4b550afb6cc4fc08bc698*",".{0,1000}ba9d24e28c6e24740fa1a9c49a09c8c80c12b367eab4b550afb6cc4fc08bc698.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","35141" "*baafca947c72c36658ecd4593869100d200524ece1248b98234a44e6113bb6a8*",".{0,1000}baafca947c72c36658ecd4593869100d200524ece1248b98234a44e6113bb6a8.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","35145" "*babf3b67f08f5f80a2d9fdaecd7c9faa52a5eadb30daed474bdf50df21760513*",".{0,1000}babf3b67f08f5f80a2d9fdaecd7c9faa52a5eadb30daed474bdf50df21760513.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35148" 
"*Backdoor.Quasar*",".{0,1000}Backdoor\.Quasar.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#content","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","35181" "*Backup-GPO -All -Path *",".{0,1000}Backup\-GPO\s\-All\s\-Path\s.{0,1000}","greyware_tool_keyword","powershell","backs up all Group Policy Objects (GPOs) to a specified path","T1615","TA0009","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","35216" "*bad client public DH value*",".{0,1000}bad\sclient\spublic\sDH\svalue.{0,1000}","greyware_tool_keyword","ssh","Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts","T1071.004 - T1078.004","TA0011 - TA0006","N/A","N/A","Exploitation tool","https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","4692","1051","2025-01-22T01:58:36Z","2013-09-17T17:07:58Z","35223" "*baf01944477c9b110f7f0edf02e4c129e63e78d4a3e87db667e9b6bb2d8aeaad*",".{0,1000}baf01944477c9b110f7f0edf02e4c129e63e78d4a3e87db667e9b6bb2d8aeaad.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - 
BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","35274" "*baf1e7bdd6feedd6b9144fed16093bd281ce26dc0da57137a5385fc7a5fc498f*",".{0,1000}baf1e7bdd6feedd6b9144fed16093bd281ce26dc0da57137a5385fc7a5fc498f.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","35276" "*baf423bed15c4ecb7c5df42b23aea20137154e370146e3a834eca0e4cb20c837*",".{0,1000}baf423bed15c4ecb7c5df42b23aea20137154e370146e3a834eca0e4cb20c837.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35277" "*baf4b309c7b2064aa60e2e2ceb614f321cd31d3fc1348eee349f19ef0cfbb236*",".{0,1000}baf4b309c7b2064aa60e2e2ceb614f321cd31d3fc1348eee349f19ef0cfbb236.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - 
T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35278" "*bafe621127910335db84dfc38a60088d1aaf6ab52cf2ecebab389457103137b0*",".{0,1000}bafe621127910335db84dfc38a60088d1aaf6ab52cf2ecebab389457103137b0.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35282" "*Barracuda RMM Onsite Manager - InstallShield Wizard*",".{0,1000}Barracuda\sRMM\sOnsite\sManager\s\-\sInstallShield\sWizard.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35287" "*Barracuda RMM Onsite Manager.msi*",".{0,1000}Barracuda\sRMM\sOnsite\sManager\.msi.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35288" "*base64 -d /tmp/*",".{0,1000}base64\s\-d\s\/tmp\/.{0,1000}","greyware_tool_keyword","base64","suspicious base64 commands used by the offensive tool traitor and other tools","T1140 - T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","FP 
risks","7","10","N/A","N/A","N/A","N/A","35289" "*bash -c *curl *.sh | bash*",".{0,1000}bash\s\-c\s.{0,1000}curl\s.{0,1000}\.sh\s\|\sbash.{0,1000}","greyware_tool_keyword","bash","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Exploitation tool","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","35294" "*bash -c *wget *.sh | bash*",".{0,1000}bash\s\-c\s.{0,1000}wget\s.{0,1000}\.sh\s\|\sbash.{0,1000}","greyware_tool_keyword","bash","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Exploitation tool","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","35295" "*bash -c 'bash -i >& /dev/tcp/*",".{0,1000}bash\s\-c\s\'bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}","greyware_tool_keyword","bash","reverse shell","T1071.001 - T1105","TA0011","N/A","Black Basta","C2","https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35296" "*bash -i >& /dev/tcp/*/* 0>&1*",".{0,1000}bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1.{0,1000}","greyware_tool_keyword","bash","bash reverse shell","T1071 - T1071.004 - T1021","TA0002 - TA0011","N/A","N/A","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","35299" "*bash -i >& /dev/tcp/*/* 
0>&1*",".{0,1000}bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1.{0,1000}","greyware_tool_keyword","bash","bash reverse shell ","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","35300" "*BATtoEXEconverter.bat*",".{0,1000}BATtoEXEconverter\.bat.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","35322" "*bb016f6b3e240b6447a72b15b103d32b8239969ac4493b8522b4f22b21f9440c*",".{0,1000}bb016f6b3e240b6447a72b15b103d32b8239969ac4493b8522b4f22b21f9440c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35326" "*bb074e0e2302d9d1b31cc2cffec35d81525bd43beee43df3679b9dd8f1e16461*",".{0,1000}bb074e0e2302d9d1b31cc2cffec35d81525bd43beee43df3679b9dd8f1e16461.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - 
T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35328" "*bb10b0d3cf12dd5a2038e765473ebea32bef4e2ae875cceb9eab281695456f14*",".{0,1000}bb10b0d3cf12dd5a2038e765473ebea32bef4e2ae875cceb9eab281695456f14.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","35329" "*bb136a7de55ce17c6a4fd59319a724f80e53a89d0896675cdd78f98cc7bc7858*",".{0,1000}bb136a7de55ce17c6a4fd59319a724f80e53a89d0896675cdd78f98cc7bc7858.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35330" "*bb1ce1e7d92f6ac0da1bd1b8cee56d6139b9dc41f5821e58e7d07063805e7b3f*",".{0,1000}bb1ce1e7d92f6ac0da1bd1b8cee56d6139b9dc41f5821e58e7d07063805e7b3f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35333" 
"*bb25b3f72e24573d9695f7bb677500a695ad46ce61b61dae5d13fb035ce071c2*",".{0,1000}bb25b3f72e24573d9695f7bb677500a695ad46ce61b61dae5d13fb035ce071c2.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","35336" "*bb453ae9686b0b7a3e0000c80811cac81b4a7fde4e5613089681b7d58cd1d6a4*",".{0,1000}bb453ae9686b0b7a3e0000c80811cac81b4a7fde4e5613089681b7d58cd1d6a4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35342" "*bb57a815d8a4aae884fe930b7a0daa6c408b60d932286fd060a4cf61ee79e01a*",".{0,1000}bb57a815d8a4aae884fe930b7a0daa6c408b60d932286fd060a4cf61ee79e01a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35345" "*bb5f01316e315e4a9039a17dd2358cec0a86cac566638d8ce5e2ce0b5ebc1fbf*",".{0,1000}bb5f01316e315e4a9039a17dd2358cec0a86cac566638d8ce5e2ce0b5ebc1fbf.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and 
secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","35347" "*bb5f93973ab84243afce3f94f61b49887f275bc88db4e1fd892ab11a9eff7584*",".{0,1000}bb5f93973ab84243afce3f94f61b49887f275bc88db4e1fd892ab11a9eff7584.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","35348" "*bb651a2795e62aee6efd88e889c2c7f553f4df16e59562182b5565d34d1e6970*",".{0,1000}bb651a2795e62aee6efd88e889c2c7f553f4df16e59562182b5565d34d1e6970.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","35353" "*bb735e934251282a349f5bf909d8d52f5a5e4c4adc2423fb4b736d110ff966e1*",".{0,1000}bb735e934251282a349f5bf909d8d52f5a5e4c4adc2423fb4b736d110ff966e1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35358" "*bb7eb0fdbe238ae66d227a939c6ad718731881dbbe51d3be33409d3cd6276a30*",".{0,1000}bb7eb0fdbe238ae66d227a939c6ad718731881dbbe51d3be33409d3cd6276a30.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35360" "*bb80873faf22af995e0904aaabb9dad5bde417bc7c670e3bbfde0a8453bb0b00*",".{0,1000}bb80873faf22af995e0904aaabb9dad5bde417bc7c670e3bbfde0a8453bb0b00.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35362" 
"*bb8734f2be2907a2923aedf43757d6ff85a7c66af789b8dbef34ddaf2194f05f*",".{0,1000}bb8734f2be2907a2923aedf43757d6ff85a7c66af789b8dbef34ddaf2194f05f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35364" "*bb8b44e0fab088c4f5e40878b4213ce15fa474763f1355f597b0a6ad2aa96c6d*",".{0,1000}bb8b44e0fab088c4f5e40878b4213ce15fa474763f1355f597b0a6ad2aa96c6d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35369" "*bb8fda8566da9d054f2dde15f390d5364841c2181f4e278056569ece2fbc1d46*",".{0,1000}bb8fda8566da9d054f2dde15f390d5364841c2181f4e278056569ece2fbc1d46.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest 
- EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35372" "*bba3aff46b0c7ddecdd62d9c0a5cd90fac59ee40255cb2988cc1c409cd59e822*",".{0,1000}bba3aff46b0c7ddecdd62d9c0a5cd90fac59ee40255cb2988cc1c409cd59e822.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35383" "*bba5b77e594b8cf6645a2061b7888047b2a32c0fa7e74c54198571128290db69*",".{0,1000}bba5b77e594b8cf6645a2061b7888047b2a32c0fa7e74c54198571128290db69.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35385" 
"*bbab0b5d719860c14954099bbe5f641c3594ffb1ad8d7c91c7895c5bea221964*",".{0,1000}bbab0b5d719860c14954099bbe5f641c3594ffb1ad8d7c91c7895c5bea221964.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","35387" "*bbb1ab095f30e9ecf1b745579f6ecff80eff11fb712f2bc364a656fbec89f73b*",".{0,1000}bbb1ab095f30e9ecf1b745579f6ecff80eff11fb712f2bc364a656fbec89f73b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35390" "*bbb47c16882b6c5f2e8c1b04229378e28f68734c613321ef0ea2263760f74cd0*",".{0,1000}bbb47c16882b6c5f2e8c1b04229378e28f68734c613321ef0ea2263760f74cd0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35392" "*bbc22b7149e74ee2ca344ebc55207e6bae4837b77857c7e9ef9e16682d7c8c49*",".{0,1000}bbc22b7149e74ee2ca344ebc55207e6bae4837b77857c7e9ef9e16682d7c8c49.{0,1000}","greyware_tool_keyword","eraser","It completely removes 
sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","35394" "*bbe35e6cee0f2d86632a419a45fc63ec44eb1ef01f14fe53c5dddb527545e16f*",".{0,1000}bbe35e6cee0f2d86632a419a45fc63ec44eb1ef01f14fe53c5dddb527545e16f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35400" "*bbe8a83b968e62d2f07b427ca70f48454a33e44250ae43fbe917caf93bc0da26*",".{0,1000}bbe8a83b968e62d2f07b427ca70f48454a33e44250ae43fbe917caf93bc0da26.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35403" "*bblcccknbdbplgmdjnnikffefhdlobhp*",".{0,1000}bblcccknbdbplgmdjnnikffefhdlobhp.{0,1000}","greyware_tool_keyword","FastStunnel VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","35411" "*bc03e2ee769df50cc0095ffc64177e3b63a789a64937581820de4a44af1d13f8*",".{0,1000}bc03e2ee769df50cc0095ffc64177e3b63a789a64937581820de4a44af1d13f8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files 
with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35419" "*bc19099bd718989cf9f415548edc77044563a512dafeba5a2042626b3238df6d*",".{0,1000}bc19099bd718989cf9f415548edc77044563a512dafeba5a2042626b3238df6d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35426" "*bc283cb6e280e5fd5089216c8362003235dcf371e9f99bbc14462a0ef05c0b53*",".{0,1000}bc283cb6e280e5fd5089216c8362003235dcf371e9f99bbc14462a0ef05c0b53.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35430" "*bc375342f9360b0b5cbcb5a3701c301eaf577ec8ab5d1796cf10908d315edf72*",".{0,1000}bc375342f9360b0b5cbcb5a3701c301eaf577ec8ab5d1796cf10908d315edf72.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35436" "*bc40d2839a4942652d9a765b64a024b600b2dd3b3205f845d77b93d458b039b9*",".{0,1000}bc40d2839a4942652d9a765b64a024b600b2dd3b3205f845d77b93d458b039b9.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","35438" "*bc4447977cdc9a765c2d6b61aada0fa40f45435aa68b193729cf4e7d8a94e891*",".{0,1000}bc4447977cdc9a765c2d6b61aada0fa40f45435aa68b193729cf4e7d8a94e891.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35440" "*bc680f0aa5ee457d60cb9d660071b3bb393f31c05c0e7fd7b89b39584ba25619*",".{0,1000}bc680f0aa5ee457d60cb9d660071b3bb393f31c05c0e7fd7b89b39584ba25619.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35445" "*bc75191718b8556c1c8610987285d98f7421044d7be117252d5f35516af3205c*",".{0,1000}bc75191718b8556c1c8610987285d98f7421044d7be117252d5f35516af3205c.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35451" "*bc7ee01c3d261a0c0a63e250513aa2eb28d7f707570c8fb507742fb125c5da07*",".{0,1000}bc7ee01c3d261a0c0a63e250513aa2eb28d7f707570c8fb507742fb125c5da07.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35454" "*bc811e6d2c2df7fd2826ba0545a5a27f53d6da1420abfb8ff5ff8e0427a9317d*",".{0,1000}bc811e6d2c2df7fd2826ba0545a5a27f53d6da1420abfb8ff5ff8e0427a9317d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35456" "*bc8277f174b9c61f32958b2ef583e0efcb82ed8b5892a684f678ec70c70c81ae*",".{0,1000}bc8277f174b9c61f32958b2ef583e0efcb82ed8b5892a684f678ec70c70c81ae.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35457" 
"*bc886aea03ddb2d4201501904a25816ac962cd3fbe6bc7fab3ca05357069666d*",".{0,1000}bc886aea03ddb2d4201501904a25816ac962cd3fbe6bc7fab3ca05357069666d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35459" "*bc917c3bcd943a4d632360c067977a31e85e385f5f4845f69749bce88183cb38*",".{0,1000}bc917c3bcd943a4d632360c067977a31e85e385f5f4845f69749bce88183cb38.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#filehash","N/A","7","8","N/A","N/A","N/A","N/A","35461" "*bca2f7b65962dc1ef67996d9c853158b9beb3c73755fda6c217dd2883b9ab29d*",".{0,1000}bca2f7b65962dc1ef67996d9c853158b9beb3c73755fda6c217dd2883b9ab29d.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","35467" "*bca3eca534819386df33cde502bcbb23224dc2f814979ca580be4ff2d4c80067*",".{0,1000}bca3eca534819386df33cde502bcbb23224dc2f814979ca580be4ff2d4c80067.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35468" "*bcbae8d4564f1c0933331c5e4c5b779a72d889504155e209e2aa942b963160b2*",".{0,1000}bcbae8d4564f1c0933331c5e4c5b779a72d889504155e209e2aa942b963160b2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","35475" "*bcbd51fae14c1b87542a6130b0aea2f77d888615bc2ebcc517977d56ed1fe582*",".{0,1000}bcbd51fae14c1b87542a6130b0aea2f77d888615bc2ebcc517977d56ed1fe582.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35478" "*bcbede4c733ae4b0abe3657ec35f1917dcbdb680aea8e05431d6fef074b720c2*",".{0,1000}bcbede4c733ae4b0abe3657ec35f1917dcbdb680aea8e05431d6fef074b720c2.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","35479" "*bcbede4c733ae4b0abe3657ec35f1917dcbdb680aea8e05431d6fef074b720c2*",".{0,1000}bcbede4c733ae4b0abe3657ec35f1917dcbdb680aea8e05431d6fef074b720c2.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - 
DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","35480" "*bcc708853cb655ade9ab3dba63fb1a585508ca1f55fe0ec41d97f84c97a25495*",".{0,1000}bcc708853cb655ade9ab3dba63fb1a585508ca1f55fe0ec41d97f84c97a25495.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35483" "*bcceea9a68e6cc6c2e826f660a7f5656cc4cb930a02e447460166dcab9b2ecf4*",".{0,1000}bcceea9a68e6cc6c2e826f660a7f5656cc4cb930a02e447460166dcab9b2ecf4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35484" "*bcd93c450ce456b97996771daeb96abb271566e285e369b534cc54c54f8daed8*",".{0,1000}bcd93c450ce456b97996771daeb96abb271566e285e369b534cc54c54f8daed8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35486" "*bcda505dc0c24c5a438490cb329180f6215a57d3fa5c1209570b86f9472f0474*",".{0,1000}bcda505dc0c24c5a438490cb329180f6215a57d3fa5c1209570b86f9472f0474.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35487" "*bcdedit /set {default} bootstatuspolicy ignoreallfailures*",".{0,1000}bcdedit\s\/set\s\{default\}\sbootstatuspolicy\signoreallfailures.{0,1000}","greyware_tool_keyword","bcdedit","changes the boot status policy to ignore all failures","T1490","TA0005","N/A","LockBit - Snatch - Hive - Zola - BlackCat - Cicada3301 - Embargo","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35489" "*bcdedit /set {default} recoveryenabled No*",".{0,1000}bcdedit\s\/set\s\{default\}\srecoveryenabled\sNo.{0,1000}","greyware_tool_keyword","bcdedit","disables Windows automatic recovery","T1490","TA0005","N/A","LockBit - Snatch - Hive - Zola - BlackCat - Cicada3301 - Embargo","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35490" "*bcdedit /set hypervisorlaunchtype off*",".{0,1000}bcdedit\s\/set\shypervisorlaunchtype\soff.{0,1000}","greyware_tool_keyword","bcdedit","used by a hacktool to help remove Windows Defender","T1089 - T1562.001 - T1562.004","TA0005 - 
TA0040","N/A","N/A","Defense Evasion","https://github.com/ionuttbara/windows-defender-remover","1","0","N/A","N/A","7","10","5266","354","2025-02-13T20:21:07Z","2021-08-13T20:44:46Z","35491" "*bcdedit* /set {default} bootstatuspolicy ignoreallfailures*",".{0,1000}bcdedit.{0,1000}\s\/set\s\{default\}\sbootstatuspolicy\signoreallfailures.{0,1000}","greyware_tool_keyword","bcdedit","Bcdedit is a command-line tool that enables users to view and make changes to boot configuration data (BCD) settings in Windows systems. Adversaries may leverage bcdedit to modify boot settings. such as enabling debug mode or disabling code integrity checks. as a means to bypass security mechanisms and gain persistence on the compromised system. By modifying the boot configuration. adversaries can evade detection and potentially maintain access to the system even after reboots.","T1542.003 - T1112 - T1484.001","TA0005 - TA0040?","N/A","LockBit - Snatch - Hive - Zola - BlackCat - Cicada3301 - Embargo","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35493" "*bcdedit* /set {default} recoveryenabled No*",".{0,1000}bcdedit.{0,1000}\s\/set\s\{default\}\srecoveryenabled\sNo.{0,1000}","greyware_tool_keyword","bcdedit","Bcdedit is a command-line tool that enables users to view and make changes to boot configuration data (BCD) settings in Windows systems. Adversaries may leverage bcdedit to modify boot settings. such as enabling debug mode or disabling code integrity checks. as a means to bypass security mechanisms and gain persistence on the compromised system. By modifying the boot configuration. 
adversaries can evade detection and potentially maintain access to the system even after reboots.","T1542.003 - T1112 - T1484.001","TA0005 - TA0040?","N/A","LockBit - Snatch - Hive - Zola - BlackCat - Cicada3301 - Embargo","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35494" "*bce4fa4709599a20156a3ee315899a479e28eead968db5af6199bffc7288d256*",".{0,1000}bce4fa4709599a20156a3ee315899a479e28eead968db5af6199bffc7288d256.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35498" "*bce6f8df72e0f942a3eaeca45ed59fbf929d887b9fcd30350944c5f72287cb73*",".{0,1000}bce6f8df72e0f942a3eaeca45ed59fbf929d887b9fcd30350944c5f72287cb73.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35499" "*bcefbd70874b8198be4635b5c64b15359a7c28287d274e02d5177c4933ad3f71*",".{0,1000}bcefbd70874b8198be4635b5c64b15359a7c28287d274e02d5177c4933ad3f71.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35501" "*bcf09d38544f07d19337c6c7cbf1d12a29f418d0f85cae8c3af17f37b63d5836*",".{0,1000}bcf09d38544f07d19337c6c7cbf1d12a29f418d0f85cae8c3af17f37b63d5836.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35502" "*bd07ae00c8a28ce61d06fb344b8d646696ac3a9eba79b0df1612736009b7c509*",".{0,1000}bd07ae00c8a28ce61d06fb344b8d646696ac3a9eba79b0df1612736009b7c509.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35515" "*bd158af8aa25d8f7123030620494c3296b96e56a1cc387bdf2274635335be867*",".{0,1000}bd158af8aa25d8f7123030620494c3296b96e56a1cc387bdf2274635335be867.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35518" "*bd192e4c9e26c22864669baa728f40edd8ab90a3028801298f34519e624eff59*",".{0,1000}bd192e4c9e26c22864669baa728f40edd8ab90a3028801298f34519e624eff59.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35519" 
"*bd26a9a068c1d419bd4829d28254e50e8471d2c38c707c4d9d7a90f0c32783cd*",".{0,1000}bd26a9a068c1d419bd4829d28254e50e8471d2c38c707c4d9d7a90f0c32783cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35521" "*bd313c0a5313c056ecaabdb990ed5077602f6e97e0c57b2e21a643b06d211eb8*",".{0,1000}bd313c0a5313c056ecaabdb990ed5077602f6e97e0c57b2e21a643b06d211eb8.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35522" "*bd4c534c458ff68d34112516e281ba763093dcb9ab531ccc3e6c95b5aef667d8*",".{0,1000}bd4c534c458ff68d34112516e281ba763093dcb9ab531ccc3e6c95b5aef667d8.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","35529" "*bd6c9258ee73cd63d1b1a2aa02fda7cbefd1cee3ff17a590fc74613723625043*",".{0,1000}bd6c9258ee73cd63d1b1a2aa02fda7cbefd1cee3ff17a590fc74613723625043.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - 
TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","35539" "*bd6f57c36d0cf7393e1dcf6912c36887715864945fa06c457f135f9ea33fcf41*",".{0,1000}bd6f57c36d0cf7393e1dcf6912c36887715864945fa06c457f135f9ea33fcf41.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35540" "*bd6f80e0290c96f73f6cb4837e0050dd4f66c71cdca9da9afde6a619b4c09f11*",".{0,1000}bd6f80e0290c96f73f6cb4837e0050dd4f66c71cdca9da9afde6a619b4c09f11.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35541" "*bd7c78ae36f84966ffd5effbb9f9227d1a018d8cdb51a2e4e883d4d113453304*",".{0,1000}bd7c78ae36f84966ffd5effbb9f9227d1a018d8cdb51a2e4e883d4d113453304.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35547" "*bd7eb45070c8a4e1595e9daaf55bfc331e5ada1244c4ed496b89225e22429cf7*",".{0,1000}bd7eb45070c8a4e1595e9daaf55bfc331e5ada1244c4ed496b89225e22429cf7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35548" 
"*bdb7525b0af0c8528ee5811393f46ca0905eea38ec615ba68bf86f9d358e9c11*",".{0,1000}bdb7525b0af0c8528ee5811393f46ca0905eea38ec615ba68bf86f9d358e9c11.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","35560" "*bdca5844eac154b94bbdd1b51e68f7d4e45a560fa13c7ce0a227646b0091982a*",".{0,1000}bdca5844eac154b94bbdd1b51e68f7d4e45a560fa13c7ce0a227646b0091982a.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","35564" "*bde619019885097753f7b2af850a15254df13c486e2bff1ebd009683cc1945d2*",".{0,1000}bde619019885097753f7b2af850a15254df13c486e2bff1ebd009683cc1945d2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35572" "*bde8471edd6a437d0737e477025d0fc82dec47453f6bcc284c1d093d305f64d8*",".{0,1000}bde8471edd6a437d0737e477025d0fc82dec47453f6bcc284c1d093d305f64d8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage 
services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35573" "*bdlcnpceagnkjnjlbbbcepohejbheilk*",".{0,1000}bdlcnpceagnkjnjlbbbcepohejbheilk.{0,1000}","greyware_tool_keyword","Malus VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","35579" "*be17212901eb7e1853ddaca18eff5a2520b093e8a049e2074ba845a9ccc05623*",".{0,1000}be17212901eb7e1853ddaca18eff5a2520b093e8a049e2074ba845a9ccc05623.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35593"
"*be21413da8a75c62583b1c9eaf5194f5853f5ee8aba7e67510069717a0fbfcf2*",".{0,1000}be21413da8a75c62583b1c9eaf5194f5853f5ee8aba7e67510069717a0fbfcf2.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","35595" "*be22845ceff07acc3ca02e9e24e1ff70fa71b6689f3f5a5ff4b38f43d4fd61e7*",".{0,1000}be22845ceff07acc3ca02e9e24e1ff70fa71b6689f3f5a5ff4b38f43d4fd61e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35597" "*be3d96e3278af277078db17d19fe4dbd61e55024c07c514cdf99adf586152401*",".{0,1000}be3d96e3278af277078db17d19fe4dbd61e55024c07c514cdf99adf586152401.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - 
EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35602" "*be4b5c4bf5fde4fe59cbd98a5691035d5866613a2bb53ee8588d393ee14af667*",".{0,1000}be4b5c4bf5fde4fe59cbd98a5691035d5866613a2bb53ee8588d393ee14af667.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35605" "*be4d5112b9928f8c5dbb51c2e67163fb82fed8abdda5b75ffafeff43b96fc8c0*",".{0,1000}be4d5112b9928f8c5dbb51c2e67163fb82fed8abdda5b75ffafeff43b96fc8c0.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35606" "*be521ad853a194db441e3731603eff6badef3dae544e44096a7a147fa522b855*",".{0,1000}be521ad853a194db441e3731603eff6badef3dae544e44096a7a147fa522b855.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35608" 
"*be547f029cf462e5654c5d30c3833bdf54cfab966e6287a2f03dfb6c4a16da33*",".{0,1000}be547f029cf462e5654c5d30c3833bdf54cfab966e6287a2f03dfb6c4a16da33.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","35609" "*be57fdfea2475688c89f91967e17371265f6803b3edfba4026befd6272c86e71*",".{0,1000}be57fdfea2475688c89f91967e17371265f6803b3edfba4026befd6272c86e71.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","35610" "*be6180600783794df523f8c180917acc285d3bbf98e9b2edad19175771f390b7*",".{0,1000}be6180600783794df523f8c180917acc285d3bbf98e9b2edad19175771f390b7.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","35613" "*be707189365dc12e5742234e07d2bae35ccdcff0de458dceefd4812796fe2fb8*",".{0,1000}be707189365dc12e5742234e07d2bae35ccdcff0de458dceefd4812796fe2fb8.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35618" 
"*be8fc36ec0082bdb7d20a21ae7098899529bc9b9f6439b1496ca634395598d8a*",".{0,1000}be8fc36ec0082bdb7d20a21ae7098899529bc9b9f6439b1496ca634395598d8a.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","35623" "*bea14bb7e2fa975cdb9d73a326b3d4e7fdd0176774279e83e072641b8a8bfdfd*",".{0,1000}bea14bb7e2fa975cdb9d73a326b3d4e7fdd0176774279e83e072641b8a8bfdfd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","35629" "*bea23804b59ef8bc8cbd4e03054e2b89baccf01b2640013e3b1b7db85c5f6b2e*",".{0,1000}bea23804b59ef8bc8cbd4e03054e2b89baccf01b2640013e3b1b7db85c5f6b2e.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","35630" "*bee03789cb90ecea446cce9211600312ca43c8ab4c6231ea64234b65eb2a5b82*",".{0,1000}bee03789cb90ecea446cce9211600312ca43c8ab4c6231ea64234b65eb2a5b82.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35753" "*bee31ef4c9cfb1f2bcc3b662c3102cfbe6a551918d2deac6101459557a3fe0b4*",".{0,1000}bee31ef4c9cfb1f2bcc3b662c3102cfbe6a551918d2deac6101459557a3fe0b4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35756" "*bee3b667e865fa5552261f7fa7df260ffae18980c0e827c918180f969fac2b51*",".{0,1000}bee3b667e865fa5552261f7fa7df260ffae18980c0e827c918180f969fac2b51.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","35757" "*bef4bc1889b6d80b2551b3b3f70feb3df848edf2beb72935129f7e4fba42edc5*",".{0,1000}bef4bc1889b6d80b2551b3b3f70feb3df848edf2beb72935129f7e4fba42edc5.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35778" 
"*bef64b382548fdcd24b4736f6a92c5c68e5b8555c897ed27d83ecf50f8117486*",".{0,1000}bef64b382548fdcd24b4736f6a92c5c68e5b8555c897ed27d83ecf50f8117486.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","35779" "*bef8974161105a23c834764ab11fe51c8d0e4f27fbf6db0739379787d5b7fcda*",".{0,1000}bef8974161105a23c834764ab11fe51c8d0e4f27fbf6db0739379787d5b7fcda.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35780" "*berstend/hypertunnel*",".{0,1000}berstend\/hypertunnel.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","35818" "*beyondcode/expose*",".{0,1000}beyondcode\/expose.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","1","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","35839" 
"*beyondtrustcloud.com\Software\Qt6*",".{0,1000}beyondtrustcloud\.com\\Software\\Qt6.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","35840" "*bf0ae0037ee0bb1c92c22b806b8eb81684cf42f97584cc83a92a9eeeb8537b94*",".{0,1000}bf0ae0037ee0bb1c92c22b806b8eb81684cf42f97584cc83a92a9eeeb8537b94.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35843" "*bf1dcd0761b81ba9b79c01399083c6df74b709b44303ff01433753a9cc731caf*",".{0,1000}bf1dcd0761b81ba9b79c01399083c6df74b709b44303ff01433753a9cc731caf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35844" "*bf2893ace82d8952c00dfaefc48cfb09e2d58fc2cf3553aadfdc250f4b03ccbd*",".{0,1000}bf2893ace82d8952c00dfaefc48cfb09e2d58fc2cf3553aadfdc250f4b03ccbd.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered
Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35845" "*bf33607b1f28707326ad3cda5bdd5d729e28b7c826db8c7c2affa68adf5f50b5*",".{0,1000}bf33607b1f28707326ad3cda5bdd5d729e28b7c826db8c7c2affa68adf5f50b5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35846" "*bf352b6fb09f15ce5bb29db4f131baa128eb579b157e7ab140682891bae6393b*",".{0,1000}bf352b6fb09f15ce5bb29db4f131baa128eb579b157e7ab140682891bae6393b.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","35847" "*bf356e9c87e06eddfe9c5c476742bbc9cf26405631296f03c8f57f91afbb5247*",".{0,1000}bf356e9c87e06eddfe9c5c476742bbc9cf26405631296f03c8f57f91afbb5247.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","35848" "*bf6e09743df6899a02f0647d899fb008932760ea872667287bbc47b42091a3b0*",".{0,1000}bf6e09743df6899a02f0647d899fb008932760ea872667287bbc47b42091a3b0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","35863" "*bf895dca1ea67bf39a6bd87168af8d4fd6321d2f2d071295dbd4d25508eb68*",".{0,1000}bf895dca1ea67bf39a6bd87168af8d4fd6321d2f2d071295dbd4d25508eb68.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","#filehash","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","35870" "*bf8ab462d70a288b7ff2e9dda8151d16340ec4758843a619a936b7541f52fe54*",".{0,1000}bf8ab462d70a288b7ff2e9dda8151d16340ec4758843a619a936b7541f52fe54.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35871" "*bf8b63373a944d43c2c3c9b4c768cbff723526d25f40e5548e47318c7ec1b674*",".{0,1000}bf8b63373a944d43c2c3c9b4c768cbff723526d25f40e5548e47318c7ec1b674.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","35872" "*bf980fa58499e947581c6b89b100d55c1d417fdda6f7544422a4a6400248e20d*",".{0,1000}bf980fa58499e947581c6b89b100d55c1d417fdda6f7544422a4a6400248e20d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35873" "*bf9c44a258f8494cd015d4211896068c38fdaec54ab1e0f84295a78482a070c8*",".{0,1000}bf9c44a258f8494cd015d4211896068c38fdaec54ab1e0f84295a78482a070c8.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","35875" "*bfb8b8f3ed04f539f694f140dcf8fdbe07b4e96dfcf8fea3d555d1b69e14b384*",".{0,1000}bfb8b8f3ed04f539f694f140dcf8fdbe07b4e96dfcf8fea3d555d1b69e14b384.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35882" "*bfbc703139c2fcf59d2fac2bb4afe3e60dd5f77dc12d84c8f420260f136c6721*",".{0,1000}bfbc703139c2fcf59d2fac2bb4afe3e60dd5f77dc12d84c8f420260f136c6721.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - 
TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","35884" "*bfcf0d230e85b0d06d5fc6f19042169d856d2e6dd9a38214721a4cf97ae63af2*",".{0,1000}bfcf0d230e85b0d06d5fc6f19042169d856d2e6dd9a38214721a4cf97ae63af2.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35888" "*bfda2d9bd0610c660bc86497f79ce1e0fba9925e4e04bc1da9d19e01e74986fa*",".{0,1000}bfda2d9bd0610c660bc86497f79ce1e0fba9925e4e04bc1da9d19e01e74986fa.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","35891" "*bfeba1b9e53be59958266bac950f3f33c687314f751c0b4a97c3536715d0850a*",".{0,1000}bfeba1b9e53be59958266bac950f3f33c687314f751c0b4a97c3536715d0850a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35895" "*bffaa8cbe4abb1d535b78acdb84ed93101a1efa7209dfe3d0d034a994c5a60d4*",".{0,1000}bffaa8cbe4abb1d535b78acdb84ed93101a1efa7209dfe3d0d034a994c5a60d4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","35898" "*bfidboloedlamgdmenmlbipfnccokknp*",".{0,1000}bfidboloedlamgdmenmlbipfnccokknp.{0,1000}","greyware_tool_keyword","PureVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","35899" "*bfleegjcoffelppfmadimianphbcdjkb*",".{0,1000}bfleegjcoffelppfmadimianphbcdjkb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","#browser_extensionid","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","35900" 
"*bhnhkdgoefpmekcgnccpnhjfdgicfebm*",".{0,1000}bhnhkdgoefpmekcgnccpnhjfdgicfebm.{0,1000}","greyware_tool_keyword","Wachee VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","35910" "*bibjcjfmgapbfoljiojpipaooddpkpai*",".{0,1000}bibjcjfmgapbfoljiojpipaooddpkpai.{0,1000}","greyware_tool_keyword","VPN-free.pro","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","35915" "*bihhflimonbpcfagfadcnbbdngpopnjb*",".{0,1000}bihhflimonbpcfagfadcnbbdngpopnjb.{0,1000}","greyware_tool_keyword","DEEPRISM VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","35917" "*bihmplhobchoageeokmgbdihknkjbknd*",".{0,1000}bihmplhobchoageeokmgbdihknkjbknd.{0,1000}","greyware_tool_keyword","Touch VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","35918" "*--bin tunnelto*",".{0,1000}\-\-bin\stunnelto.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","35919" "*--bin tunnelto_server*",".{0,1000}\-\-bin\stunnelto_server.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","35920" "*bin/lt --host https://*",".{0,1000}bin\/lt\s\-\-host\shttps\:\/\/.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","35933" "*bin/telebit.js*",".{0,1000}bin\/telebit\.js.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35942" "*bin/wireshark*",".{0,1000}bin\/wireshark.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & 
Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","35945" "*bin\Remote AccessLauncher.exe*",".{0,1000}bin\\Remote\sAccessLauncher\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35949" "*--bin=tunnelto*",".{0,1000}\-\-bin\=tunnelto.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","35952" "*--bin=tunnelto_server*",".{0,1000}\-\-bin\=tunnelto_server.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","35953" "*bit.ly/2alyerp*",".{0,1000}bit\.ly\/2alyerp.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","35962" "*BitLockerToGo*.kdbx*",".{0,1000}BitLockerToGo.{0,1000}\.kdbx.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like LummaSteale to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 
- T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35966" "*BitLockerToGo*\Network\Cookies*",".{0,1000}BitLockerToGo.{0,1000}\\Network\\Cookies.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35967" "*BitLockerToGo*360Browser*",".{0,1000}BitLockerToGo.{0,1000}360Browser.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35968" "*BitLockerToGo*Anydesk*",".{0,1000}BitLockerToGo.{0,1000}Anydesk.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential 
Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35969" "*BitLockerToGo*Binance*",".{0,1000}BitLockerToGo.{0,1000}Binance.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35970" "*BitLockerToGo*Bitcoin*",".{0,1000}BitLockerToGo.{0,1000}Bitcoin.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35971" "*BitLockerToGo*BraveSoftware*",".{0,1000}BitLockerToGo.{0,1000}BraveSoftware.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35972" 
"*BitLockerToGo*CocCoc*",".{0,1000}BitLockerToGo.{0,1000}CocCoc.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35973" "*BitLockerToGo*Coinomi*",".{0,1000}BitLockerToGo.{0,1000}Coinomi.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35974" "*BitLockerToGo*ElectronCash*",".{0,1000}BitLockerToGo.{0,1000}ElectronCash.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35975" "*BitLockerToGo*Electrum*",".{0,1000}BitLockerToGo.{0,1000}Electrum.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility 
used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35976" "*BitLockerToGo*Electrum*",".{0,1000}BitLockerToGo.{0,1000}Electrum.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35977" "*BitLockerToGo*Electrum*",".{0,1000}BitLockerToGo.{0,1000}Electrum.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35978" "*BitLockerToGo*Electrum*",".{0,1000}BitLockerToGo.{0,1000}Electrum.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and 
exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35979" "*BitLockerToGo*Epic Privacy Browser*",".{0,1000}BitLockerToGo.{0,1000}Epic\sPrivacy\sBrowser.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35980" "*BitLockerToGo*Ethereum*",".{0,1000}BitLockerToGo.{0,1000}Ethereum.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35981" "*BitLockerToGo*Exodus*",".{0,1000}BitLockerToGo.{0,1000}Exodus.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential 
Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35982" "*BitLockerToGo*Filezilla*",".{0,1000}BitLockerToGo.{0,1000}Filezilla.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35983" "*BitLockerToGo*Ledger*",".{0,1000}BitLockerToGo.{0,1000}Ledger.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35984" "*BitLockerToGo*MailBird*",".{0,1000}BitLockerToGo.{0,1000}MailBird.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35985" 
"*BitLockerToGo*metamask*",".{0,1000}BitLockerToGo.{0,1000}metamask.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35986" "*BitLockerToGo*telegram*",".{0,1000}BitLockerToGo.{0,1000}telegram.{0,1000}","greyware_tool_keyword","BitLockerToGo","BitLocker To Go is legitimate Windows utility used for managing BitLocker encryption - abused by Malware like Lumma Stealer to manipulate registry keys - search for cryptocurrency wallets and credentials and exfiltrate sensitive data","T1218 - T1055 - T1112 - T1056 - T1555","TA0005 - TA0007 - TA0009","Lumma Stealer","N/A","Credential Access","https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","35987" "*bitsadmin /transfer *",".{0,1000}bitsadmin\s\/transfer\s.{0,1000}","greyware_tool_keyword","bitsadmin","bitsadmin suspicious transfer","T1105 - T1041 - T1048","TA0002 - TA0003 - TA0010","N/A","Black Basta - Hive - Revil - Conti - Medusa","Collection","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","35991" "*bitsadmin /transfer debjob /download /priority normal \*\C$\Windows\*.dll",".{0,1000}bitsadmin\s\/transfer\sdebjob\s\/download\s\/priority\snormal\s\\.{0,1000}\\C\$\\Windows\\.{0,1000}\.dll","greyware_tool_keyword","bitsadmin","bitsadmin suspicious transfer","T1105 - T1041 - T1048","TA0002 - TA0003 - TA0010","N/A","Black Basta - Hive - Revil - Conti - 
Medusa","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","35992" "*bkkgdjpomdnfemhhkalfkogckjdkcjkg*",".{0,1000}bkkgdjpomdnfemhhkalfkogckjdkcjkg.{0,1000}","greyware_tool_keyword","VPNMatic","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","36006" "*bluekeepscanner.exe*",".{0,1000}bluekeepscanner\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","36096" "*bniikohfmajhdcffljgfeiklcbgffppl*",".{0,1000}bniikohfmajhdcffljgfeiklcbgffppl.{0,1000}","greyware_tool_keyword","Upnet","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","36102" "*bnijmipndnicefcdbhgcjoognndbgkep*",".{0,1000}bnijmipndnicefcdbhgcjoognndbgkep.{0,1000}","greyware_tool_keyword","Veee","External VPN usage within corporate 
network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","36103" "*bomgar-rdp.exe*",".{0,1000}bomgar\-rdp\.exe.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar (BeyondTrust) remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","36187" "*boot.net.anydesk.com*",".{0,1000}boot\.net\.anydesk\.com.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","1","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","36191" "*bore local * --to *",".{0,1000}bore\slocal\s.{0,1000}\s\-\-to\s.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","N/A","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","36195" "*bore server --secret *",".{0,1000}bore\sserver\s\-\-secret\s.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","N/A","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","36196" 
"*bored-tunnel-client_Windows_x86_64.*",".{0,1000}bored\-tunnel\-client_Windows_x86_64\..{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36197" "*boringproxy client -server *",".{0,1000}boringproxy\sclient\s\-server\s.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","36198" "*boringproxy/boringproxy*",".{0,1000}boringproxy\/boringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","36199" "*boringproxy_db.json*",".{0,1000}boringproxy_db\.json.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","36200" "*boringproxy-client@default.service*",".{0,1000}boringproxy\-client\@default\.service.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","36201" "*Box.Desktop.Installer.CustomActions*",".{0,1000}Box\.Desktop\.Installer\.CustomActions.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","36205" "*brave* --headless * --dump-dom http*",".{0,1000}brave.{0,1000}\s\-\-headless\s.{0,1000}\s\-\-dump\-dom\shttp.{0,1000}","greyware_tool_keyword","chromium","Headless Chromium allows running Chromium in a headless/server environment - downloading a file - abused by attackers","T1553.002 - T1059.005 - T1071.001 - T1561","TA0002","N/A","N/A","Defense Evasion","https://redcanary.com/blog/intelligence-insights-june-2023/","1","0","N/A","N/A","4","5","N/A","N/A","N/A","N/A","36216" "*brave.exe* --load-extension=""*\Users\*\Appdata\Local\Temp\*",".{0,1000}brave\.exe.{0,1000}\s\-\-load\-extension\=\"".{0,1000}\\Users\\.{0,1000}\\Appdata\\Local\\Temp\\.{0,1000}","greyware_tool_keyword","chromium","The --load-extension switch allows the source to specify a target directory to load as an extension. 
This gives malware the opportunity to start a new browser window with their malicious extension loaded.","T1136.001 - T1176 - T1059.007","TA0003 - TA0004 - TA0005","N/A","N/A","Exploitation tool","https://www.mandiant.com/resources/blog/lnk-between-browsers","1","0","N/A","risk of false positives","7","10","N/A","N/A","N/A","N/A","36217" "*bre@pagekite.net*",".{0,1000}bre\@pagekite\.net.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#email","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","36221" "*brew install --cask localxpose*",".{0,1000}brew\sinstall\s\-\-cask\slocalxpose.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","36229" "*brew install croc*",".{0,1000}brew\sinstall\scroc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","36230" "*brimstone/rsocks*",".{0,1000}brimstone\/rsocks.{0,1000}","greyware_tool_keyword","rsocks","reverse socks5 client & server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/brimstone/rsocks","1","1","N/A","N/A","10","10","85","29","2020-01-09T20:45:32Z","2018-01-05T03:09:07Z","36233" 
"*browser.lol/create*",".{0,1000}browser\.lol\/create.{0,1000}","greyware_tool_keyword","browser.lol","Virtual Browser - Safely visit blocked or risky websites - can be used to bypass network restrictions within a corporate environment","T1071 - T1090 - T1562","TA0005","N/A","N/A","Defense Evasion","https://browser.lol","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","36238" "*brs.rel.tunnels.api.visualstudio.com*",".{0,1000}brs\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","36270" "*btunnel domain *",".{0,1000}btunnel\sdomain\s.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36324" "*btunnel file *",".{0,1000}btunnel\sfile\s.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36325" "*btunnel http*",".{0,1000}btunnel\shttp.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36326" "*btunnel tcp 
--*",".{0,1000}btunnel\stcp\s\-\-.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36327" "*btunnel tcp*",".{0,1000}btunnel\stcp.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36328" "*btunnel.exe http*",".{0,1000}btunnel\.exe\shttp.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","36329" "*builds.level.io*",".{0,1000}builds\.level\.io.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","36389" "*bvba_UltraVNC_*_exe*",".{0,1000}bvba_UltraVNC_.{0,1000}_exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","36429" "*c/ exe.dmc*",".{0,1000}c\/\sexe\.dmc.{0,1000}","greyware_tool_keyword","_","reversed string cmd.exe /c obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","36537" 
"*c:\*\\u0*\\u0*\\u0*\\u0*",".{0,1000}c\:\\.{0,1000}\\\\u0.{0,1000}\\\\u0.{0,1000}\\\\u0.{0,1000}\\\\u0.{0,1000}","greyware_tool_keyword","_","file path containing mixed Unicode-escaped and ASCII characters to evade detection","T1036 - T1027","TA0005","N/A","N/A","Defense Evasion","https://cloud.google.com/blog/topics/threat-intelligence/melting-unc2198-icedid-to-ransomware-operations","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","36540" "*c:\debug_clipboard_formats.txt*",".{0,1000}c\:\\debug_clipboard_formats\.txt.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","36564" "*C:\Program Files (x86)\AnyDesk*",".{0,1000}C\:\\Program\sFiles\s\(x86\)\\AnyDesk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","36572" "*C:\Program Files\SolarWinds\Dameware Mini Remote Control x64\*",".{0,1000}C\:\\Program\sFiles\\SolarWinds\\Dameware\sMini\sRemote\sControl\sx64\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote 
Control","10","10","N/A","N/A","N/A","N/A","36573" "*C:\Users\mthcht\AppData\Roaming\DameWare Development\*",".{0,1000}C\:\\Users\\mthcht\\AppData\\Roaming\\DameWare\sDevelopment\\.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","36599" "*C:\Windows\Action1\*",".{0,1000}C\:\\Windows\\Action1\\.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","36614" "*C:\Windows\MEMORY.DMP*",".{0,1000}C\:\\Windows\\MEMORY\.DMP.{0,1000}","greyware_tool_keyword","CIMplant","C# port of WMImplant which uses either CIM or WMI to query remote systems","T1047 - T1059.001 - T1021.006","TA0002 - TA0007 - TA0008","N/A","Scattered Spider*","Lateral Movement","https://github.com/RedSiege/CIMplant","1","0","N/A","N/A","10","2","199","29","2021-07-14T18:18:42Z","2021-01-29T21:41:58Z","36616" "*C:\Windows\System32\config\systemprofile\AppData\Local\Action1*",".{0,1000}C\:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Action1.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","36619" "*C:\Windows\System32\spool\drivers\x64\3\old\1\*.dll*",".{0,1000}C\:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","PrintNightmare","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege 
Escalation","https://github.com/outflanknl/PrintNightmare","1","0","N/A","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","36620" "*c01c9a0988791643b5c0ce5936f5328322286b602517718f134ff08564708e14*",".{0,1000}c01c9a0988791643b5c0ce5936f5328322286b602517718f134ff08564708e14.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36637" "*c026c27681f756eba809e3594254fb9c8a6c9dd2a8c9321df701ade1545c7914*",".{0,1000}c026c27681f756eba809e3594254fb9c8a6c9dd2a8c9321df701ade1545c7914.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36641" 
"*c0339ea0fe2da7faf3e26186c09b27ba7697728311a98d5890ad504804395b8b*",".{0,1000}c0339ea0fe2da7faf3e26186c09b27ba7697728311a98d5890ad504804395b8b.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","36643" "*c0361de3abb61250d015ba5abb995dcf626abc3ade13953e5d19eaf0d6eee9d3*",".{0,1000}c0361de3abb61250d015ba5abb995dcf626abc3ade13953e5d19eaf0d6eee9d3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36646" "*c0386231b4e1b594981b572cd9859cde3f7fadd74729ef51107cd65999aa8f9e*",".{0,1000}c0386231b4e1b594981b572cd9859cde3f7fadd74729ef51107cd65999aa8f9e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","36649" "*c049a837cfa5f098e27fbbe5904daa2cf3d21e6ad51b662b2ecc723c3abf6c6a*",".{0,1000}c049a837cfa5f098e27fbbe5904daa2cf3d21e6ad51b662b2ecc723c3abf6c6a.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly 
network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","36654" "*c08c98dcc7973d70b4024299db6c96acb6ba060749af54da45724b6427d0d897*",".{0,1000}c08c98dcc7973d70b4024299db6c96acb6ba060749af54da45724b6427d0d897.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","36674" "*c08fd251db2d48d9eb48583b3b2209a8efda571ec6cdff6c7ebb22667ce3d360*",".{0,1000}c08fd251db2d48d9eb48583b3b2209a8efda571ec6cdff6c7ebb22667ce3d360.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36675" "*c09e5a6ac3d8fb135b20e08d1550b54ea0ea84da2bcdaf2dbfa739f607804b88*",".{0,1000}c09e5a6ac3d8fb135b20e08d1550b54ea0ea84da2bcdaf2dbfa739f607804b88.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","36678" "*c0ac4e96a2e27335de61a6ada3e55f96d66b9b01b7728456b93ba23a394183a8*",".{0,1000}c0ac4e96a2e27335de61a6ada3e55f96d66b9b01b7728456b93ba23a394183a8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36681" "*c0b17012581f088528c73adb9f228a99bad35ee0a9f74e1a93e688f95d11080f*",".{0,1000}c0b17012581f088528c73adb9f228a99bad35ee0a9f74e1a93e688f95d11080f.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","36683" "*c0c02d53dea74824ba7a5a278d5e9974aed9d9d5f988606b9ad3507b8b051a7e*",".{0,1000}c0c02d53dea74824ba7a5a278d5e9974aed9d9d5f988606b9ad3507b8b051a7e.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36685" "*c0c761602cda01ee61c21c1fda1a65b806f26a3c36a5f8e60ffa0156b5f1b704*",".{0,1000}c0c761602cda01ee61c21c1fda1a65b806f26a3c36a5f8e60ffa0156b5f1b704.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36688" 
"*c0ee4e49713fee5e12d7aea712320640bc9614e95cd5fbbdaaf90803a473a23e*",".{0,1000}c0ee4e49713fee5e12d7aea712320640bc9614e95cd5fbbdaaf90803a473a23e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36701" "*c0f2a8d4c63349b7e3a5a34bae4a0994152c49bb4ee200ee4705b5599eef1b31*",".{0,1000}c0f2a8d4c63349b7e3a5a34bae4a0994152c49bb4ee200ee4705b5599eef1b31.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","36702" "*c0f307cdba8e36664c10d7d7969bbd2d0e670503f33ae8b2ed693ede0f12f5b9*",".{0,1000}c0f307cdba8e36664c10d7d7969bbd2d0e670503f33ae8b2ed693ede0f12f5b9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","36703" 
"*c0f76101eeb0225230ebae6e980fc1161eb5b3727c8d1fd9ccfe3ac1169ba5b7*",".{0,1000}c0f76101eeb0225230ebae6e980fc1161eb5b3727c8d1fd9ccfe3ac1169ba5b7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36704" "*c1008f9f263336c7ca1bbba0865dd0303653c398c30b41583e95f189db7e9525*",".{0,1000}c1008f9f263336c7ca1bbba0865dd0303653c398c30b41583e95f189db7e9525.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36706" "*c1013c7a780da71bb3cf7a1e56ca394546cb20b1b6dc89518c5f4dff76c71b64*",".{0,1000}c1013c7a780da71bb3cf7a1e56ca394546cb20b1b6dc89518c5f4dff76c71b64.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36707" "*c1175e97647ac7214388bd20914ca4d9766a5821299d83ce931a1dc93e193658*",".{0,1000}c1175e97647ac7214388bd20914ca4d9766a5821299d83ce931a1dc93e193658.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36713" "*c11dc344bc262b1034a8cc98fe5f1032b4bc4a6cea372399884746e7fd278944*",".{0,1000}c11dc344bc262b1034a8cc98fe5f1032b4bc4a6cea372399884746e7fd278944.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","36714" "*c1309a2dc51340d2115e3c5e2ad31917c401132406e92774b70c2470ba631e7b*",".{0,1000}c1309a2dc51340d2115e3c5e2ad31917c401132406e92774b70c2470ba631e7b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36718" 
"*c13136af014ba278cfd9f3a3ba1d9fd4e1996c72d32c068c3b259a8c5930e1d8*",".{0,1000}c13136af014ba278cfd9f3a3ba1d9fd4e1996c72d32c068c3b259a8c5930e1d8.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","36719" "*c140a7c12752ffe61a682b74970758d6878c99b5b2581d0b423a0ec051dcd557*",".{0,1000}c140a7c12752ffe61a682b74970758d6878c99b5b2581d0b423a0ec051dcd557.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","36723" "*c1439cff56678f08ca43ae32b4842fd43ada6b2c2798e647250e93bd32687c26*",".{0,1000}c1439cff56678f08ca43ae32b4842fd43ada6b2c2798e647250e93bd32687c26.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36725" "*c14ccd69607c34707120e7c2d2df9b6c0a11c7f40e22f116d75838e2038edba3*",".{0,1000}c14ccd69607c34707120e7c2d2df9b6c0a11c7f40e22f116d75838e2038edba3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36727" 
"*c14d5be9b9d80a48354c04dd1c3f80167abae94a1854d2f5116e4e5a0da89b91*",".{0,1000}c14d5be9b9d80a48354c04dd1c3f80167abae94a1854d2f5116e4e5a0da89b91.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36729" "*c1692f42776ca84469429b03797eb3d782bf364b707506802564957d120a2793*",".{0,1000}c1692f42776ca84469429b03797eb3d782bf364b707506802564957d120a2793.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36733" "*c17291696d623106324b9bad894599325a90148d7d19970b9142a445b789b571*",".{0,1000}c17291696d623106324b9bad894599325a90148d7d19970b9142a445b789b571.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36735" 
"*c175bb05f516d617d49d4b0032f71265bf95c7e62c334ee16c0f3c3f87dbbe77*",".{0,1000}c175bb05f516d617d49d4b0032f71265bf95c7e62c334ee16c0f3c3f87dbbe77.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","36736" "*c185b75ecfe16724160530bedfe237537b23e3dc2ec2f38869fa6698bf12ce74*",".{0,1000}c185b75ecfe16724160530bedfe237537b23e3dc2ec2f38869fa6698bf12ce74.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","36738" "*c18e861f5e44c1b731f14ddebcbbe4f6d4bd9ad24e71b49feb7d1ddde7cc1741*",".{0,1000}c18e861f5e44c1b731f14ddebcbbe4f6d4bd9ad24e71b49feb7d1ddde7cc1741.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36742" "*c1adbf4fe3244c1e53659221eafb35da0de80dd9f7c653dc1cb9b8037f8d01d2*",".{0,1000}c1adbf4fe3244c1e53659221eafb35da0de80dd9f7c653dc1cb9b8037f8d01d2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data 
exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36745" "*c1b0377ee72dc62221e2c8ecf913a34e230222e86f5291f0813474a4fd7e9b24*",".{0,1000}c1b0377ee72dc62221e2c8ecf913a34e230222e86f5291f0813474a4fd7e9b24.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36747" "*c1b657c2bb9c1713b0a4a6b5eea12df8b16dc1e82d1655215573575bf5a710d3*",".{0,1000}c1b657c2bb9c1713b0a4a6b5eea12df8b16dc1e82d1655215573575bf5a710d3.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","36749" "*c1b73bfeb5933efe372525bb800f452e335247cec34ef4ca214069cf83928e45*",".{0,1000}c1b73bfeb5933efe372525bb800f452e335247cec34ef4ca214069cf83928e45.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","36750" "*c1e6d0a41a0af8589303ab6940937d9183b344a62283ff6033a17e82c357ce17*",".{0,1000}c1e6d0a41a0af8589303ab6940937d9183b344a62283ff6033a17e82c357ce17.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","36758" "*c1ec990cba4b1e813de9ebc1bdf540bc5dada5d5521d3a339361d04c8d92c742*",".{0,1000}c1ec990cba4b1e813de9ebc1bdf540bc5dada5d5521d3a339361d04c8d92c742.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36759" "*c1fcfdac8ef03a170f6ec0f7baa30a470c61585c6e78a59cd73e6d50c9e6f5f9*",".{0,1000}c1fcfdac8ef03a170f6ec0f7baa30a470c61585c6e78a59cd73e6d50c9e6f5f9.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","36765" "*c20b795433e8799d5ef176aecd7efab4a3db7849637d8ce5f9fd0cd3ac04590f*",".{0,1000}c20b795433e8799d5ef176aecd7efab4a3db7849637d8ce5f9fd0cd3ac04590f.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","36783" "*c20f8abf5e0933bfd88fa974ad3a005c72f494aafc021916927774ab0ce6ca46*",".{0,1000}c20f8abf5e0933bfd88fa974ad3a005c72f494aafc021916927774ab0ce6ca46.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36784" "*c22224a6e32bc2f071373a53c528513f993239f3a3bc52bfb0ed3d854fba86b5*",".{0,1000}c22224a6e32bc2f071373a53c528513f993239f3a3bc52bfb0ed3d854fba86b5.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36786" "*c235ce8a84c76ac996c7f042e21c72cbcfbbfa84294d113e607500384527fa61*",".{0,1000}c235ce8a84c76ac996c7f042e21c72cbcfbbfa84294d113e607500384527fa61.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36789" "*c25260041d39884add2386f909bdc312639434c7c9aa59aebdabc45880978dad*",".{0,1000}c25260041d39884add2386f909bdc312639434c7c9aa59aebdabc45880978dad.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - 
Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36795" "*c25cb411793a73e8780085c0b514db7c9dfeb122478f4811b722febf146514b8*",".{0,1000}c25cb411793a73e8780085c0b514db7c9dfeb122478f4811b722febf146514b8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36800" "*c25cfe8c61da6da361940904511fcafb0f305e6eaa926f9871045de55e6861a4*",".{0,1000}c25cfe8c61da6da361940904511fcafb0f305e6eaa926f9871045de55e6861a4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36801" 
"*c269975b163143664260be837652e7163d150453b35f1d97abeadb31c9e47d66*",".{0,1000}c269975b163143664260be837652e7163d150453b35f1d97abeadb31c9e47d66.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","36806" "*c27dbd299e21bfae88576671d7bc6208a8ff4da2e422d1e5655fae21e2cffb45*",".{0,1000}c27dbd299e21bfae88576671d7bc6208a8ff4da2e422d1e5655fae21e2cffb45.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","36811" "*c281ce0f3dda13c0c85d8f798f12e3de2fe6be06c1cf44e329417617eb2acef7*",".{0,1000}c281ce0f3dda13c0c85d8f798f12e3de2fe6be06c1cf44e329417617eb2acef7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36813" "*c28fa95a5d151d9e1d7642915ec5a727a2438477cae0f26f0557b468800111f9*",".{0,1000}c28fa95a5d151d9e1d7642915ec5a727a2438477cae0f26f0557b468800111f9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall 
to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36817" "*c29a459fab2edd0e81e797886daa70c210bb123e55331416cb6f5bd74bef0e6a*",".{0,1000}c29a459fab2edd0e81e797886daa70c210bb123e55331416cb6f5bd74bef0e6a.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36820" "*c2b3c0a83f956ad773cfd7e495d49d921e686a4759e6cfb90702be8ada9be2cd*",".{0,1000}c2b3c0a83f956ad773cfd7e495d49d921e686a4759e6cfb90702be8ada9be2cd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36824" "*c2cc496b63e67636dbde1d94f31f5c36eb532f11953a36c56f7aebd7077befe5*",".{0,1000}c2cc496b63e67636dbde1d94f31f5c36eb532f11953a36c56f7aebd7077befe5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36828" 
"*c2df4b64565ed88fc880fe54aee44a67b07804651be9f6b698b1e12784ef40ac*",".{0,1000}c2df4b64565ed88fc880fe54aee44a67b07804651be9f6b698b1e12784ef40ac.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","36837" "*c2eb74205eea82a5a7de8fd92a165ed25064d89099587a38449de3f3f8fde0c8*",".{0,1000}c2eb74205eea82a5a7de8fd92a165ed25064d89099587a38449de3f3f8fde0c8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36839" "*c2f078339cc05f64a6742db6750142008627e558c1c4680ef266fdb1be836f48*",".{0,1000}c2f078339cc05f64a6742db6750142008627e558c1c4680ef266fdb1be836f48.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","36841" "*c307a8440f2c388425525b39d5ecfcd801c747330ed73d28e04cf65dc71caaa1*",".{0,1000}c307a8440f2c388425525b39d5ecfcd801c747330ed73d28e04cf65dc71caaa1.{0,1000}","greyware_tool_keyword","rclone","Rclone is 
a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36879" "*c3125567cd38e49ff50e7831e180ad0818692ce669ce25fd1796530cd66b55ab*",".{0,1000}c3125567cd38e49ff50e7831e180ad0818692ce669ce25fd1796530cd66b55ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36883" "*c3145c4f1e747ef9c1b2f953291f96f87abeb3e9686e8a91340ed4bd191d9941*",".{0,1000}c3145c4f1e747ef9c1b2f953291f96f87abeb3e9686e8a91340ed4bd191d9941.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36884" 
"*c316b4a76fc36899e654991376dbbd7dc5a94fa721da223e981dce247216dc17*",".{0,1000}c316b4a76fc36899e654991376dbbd7dc5a94fa721da223e981dce247216dc17.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36885" "*c317bfeaf967b44ca53f18c17c8b03ab7bb6d34c18383419451b28b084a91499*",".{0,1000}c317bfeaf967b44ca53f18c17c8b03ab7bb6d34c18383419451b28b084a91499.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","36886" "*c3224f8327d7cf805b9447314f6066bec357dce64c60a0937aa3b8eb1458c496*",".{0,1000}c3224f8327d7cf805b9447314f6066bec357dce64c60a0937aa3b8eb1458c496.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36887" "*c323b705602fcdab6f09572959ff9f7b0a6ec950129a1046c83c5cfae91ab28d*",".{0,1000}c323b705602fcdab6f09572959ff9f7b0a6ec950129a1046c83c5cfae91ab28d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - 
abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36888" "*c32b3159a8aa089b08222987a32b9856c046c276898613c75eec62d370df7e01*",".{0,1000}c32b3159a8aa089b08222987a32b9856c046c276898613c75eec62d370df7e01.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36890" "*c32e4b8d04c97c4ea36989159350bb6b90ec7b7f6328da448be3c94c81e57bfd*",".{0,1000}c32e4b8d04c97c4ea36989159350bb6b90ec7b7f6328da448be3c94c81e57bfd.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","36891" "*c33d855091e67c7d51b7792a1875d2a98268ac8a4b160aca2784d7062077597e*",".{0,1000}c33d855091e67c7d51b7792a1875d2a98268ac8a4b160aca2784d7062077597e.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","36899" "*c35d5b705e2b321cf612bcdeb44ee27392d6a1202248e8ec30bf178adf00f9da*",".{0,1000}c35d5b705e2b321cf612bcdeb44ee27392d6a1202248e8ec30bf178adf00f9da.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36912" "*c35dcc7b9549eacce4d5b34a07a3d102b0c631ef4b72682ce0472f65b8777d4a*",".{0,1000}c35dcc7b9549eacce4d5b34a07a3d102b0c631ef4b72682ce0472f65b8777d4a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36913" "*c365445b0b3203e5535c9c03f0e4b9f1bfc48ba55766cc4277d18aefbde84456*",".{0,1000}c365445b0b3203e5535c9c03f0e4b9f1bfc48ba55766cc4277d18aefbde84456.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36915" "*c36dd14fc322e1846a793797b758f5b0fb554f7f058da6a333c86f27cbf9ec01*",".{0,1000}c36dd14fc322e1846a793797b758f5b0fb554f7f058da6a333c86f27cbf9ec01.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","36921" "*c36fe320b5868ebb899a79c09b3c7de43c887e00ad63ed34df6c47cd8fdb2919*",".{0,1000}c36fe320b5868ebb899a79c09b3c7de43c887e00ad63ed34df6c47cd8fdb2919.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","36923" "*c38560c8536e3c4b0d7a072e373009b03aaf63e58114deef576808c82eb62596*",".{0,1000}c38560c8536e3c4b0d7a072e373009b03aaf63e58114deef576808c82eb62596.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36928" "*c390aca094d308acc9e06e4375915c05c9aa1bb67e407e86a6b77e59de694469*",".{0,1000}c390aca094d308acc9e06e4375915c05c9aa1bb67e407e86a6b77e59de694469.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36929" "*c39719e5e79043b28a6368cdc942032bf5b2ab18fff2f66bd726058e9e921ef7*",".{0,1000}c39719e5e79043b28a6368cdc942032bf5b2ab18fff2f66bd726058e9e921ef7.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","36932" "*c3a41b08c2665cc4036b9540ee39aa4a0786ed2416f03fe2ae5429ef303f409e*",".{0,1000}c3a41b08c2665cc4036b9540ee39aa4a0786ed2416f03fe2ae5429ef303f409e.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","36935" "*c3b011e15c03348592d4a2adcdb90994e7ed29a43f572945505a429c12645215*",".{0,1000}c3b011e15c03348592d4a2adcdb90994e7ed29a43f572945505a429c12645215.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36938" 
"*c3b6f554126e1bc5dee6dff6d0b8dcd7241abbccff9898be3224ff90912c6c4c*",".{0,1000}c3b6f554126e1bc5dee6dff6d0b8dcd7241abbccff9898be3224ff90912c6c4c.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","36941" "*c3bdcbd3ee63b0ff732b9027161d0e75550783a2285f36ae0b3940886f3fc1d7*",".{0,1000}c3bdcbd3ee63b0ff732b9027161d0e75550783a2285f36ae0b3940886f3fc1d7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","36944" "*c3c3c9668033f2f2b272b6003bf9ecb9d0ba77a04f5dc0fe79a1d4b7a1f31366*",".{0,1000}c3c3c9668033f2f2b272b6003bf9ecb9d0ba77a04f5dc0fe79a1d4b7a1f31366.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","36946" "*c3cd6c2268c4e6f6bc42ea821588d420aed9caedead9d094070ad8f565ecffd6*",".{0,1000}c3cd6c2268c4e6f6bc42ea821588d420aed9caedead9d094070ad8f565ecffd6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker -
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36951" "*c3d703c8e406f542bb9688a3e31c8164c8a34ff99785e256b2f7da8ae73a85cf*",".{0,1000}c3d703c8e406f542bb9688a3e31c8164c8a34ff99785e256b2f7da8ae73a85cf.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","36954" "*c3d9753c93a5a4f6fdfd7c5146ffcb2ae4b733926b0ae3fff899d3b0851e0f60*",".{0,1000}c3d9753c93a5a4f6fdfd7c5146ffcb2ae4b733926b0ae3fff899d3b0851e0f60.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","36955" "*c3dcf5597629c40fa47791ba86420ff1322ca0adb6110b4fceec6168f5141ee7*",".{0,1000}c3dcf5597629c40fa47791ba86420ff1322ca0adb6110b4fceec6168f5141ee7.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","36956" "*c3f35c99bf40d43b4eaa759a92f9a1bc5fc3ddcd0f35d338302a9e88cbdf995a*",".{0,1000}c3f35c99bf40d43b4eaa759a92f9a1bc5fc3ddcd0f35d338302a9e88cbdf995a.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 
- T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","36960" "*c3f953d4dd3ae26e5206c1194b1baf5e2d8b8a06778866eb62dbd493db500dc6*",".{0,1000}c3f953d4dd3ae26e5206c1194b1baf5e2d8b8a06778866eb62dbd493db500dc6.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","36963" "*C3Pool mining setup script v*",".{0,1000}C3Pool\smining\ssetup\sscript\sv.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36965" "*C3Pool/xmrig_setup*",".{0,1000}C3Pool\/xmrig_setup.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36966" "*c3pool_miner service*",".{0,1000}c3pool_miner\sservice.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36967" "*c3pool_miner.bat*",".{0,1000}c3pool_miner\.bat.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - 
APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36968" "*c3pool_miner.service*",".{0,1000}c3pool_miner\.service.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36969" "*c3pool_miner.sh*",".{0,1000}c3pool_miner\.sh.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36970" "*c3pool_miner\*",".{0,1000}c3pool_miner\\.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","36971" "*c400a97000f7567515c3ffa560694f83927c8a77add8da737f567b2ff3812054*",".{0,1000}c400a97000f7567515c3ffa560694f83927c8a77add8da737f567b2ff3812054.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36972" "*c4183ce1d991cb27ef71b811f373222759494d1cf1db55dccce83405d0d570d3*",".{0,1000}c4183ce1d991cb27ef71b811f373222759494d1cf1db55dccce83405d0d570d3.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - 
T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","36974" "*c44853992b0d6d3f9f5c777038590ee6a5869dbeb6362dfa5537e9d730aa26f6*",".{0,1000}c44853992b0d6d3f9f5c777038590ee6a5869dbeb6362dfa5537e9d730aa26f6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","36980" "*c45bff01783f3f79df4d0c43b404ab3293e4e351fa760d7c9500200d5771d73a*",".{0,1000}c45bff01783f3f79df4d0c43b404ab3293e4e351fa760d7c9500200d5771d73a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","36982" "*c4677e4eaf38ceda97841c8cae883883e026751970b41bb1a3f5e0610e07a5b1*",".{0,1000}c4677e4eaf38ceda97841c8cae883883e026751970b41bb1a3f5e0610e07a5b1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36986" "*c46ac57304fda332b5c3b027ae3fd0a54917e2b194f0d9f13e6cacfa1f61ff53*",".{0,1000}c46ac57304fda332b5c3b027ae3fd0a54917e2b194f0d9f13e6cacfa1f61ff53.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","36987" "*c46fd158ad7a0dbb616b1c0c5416bb77e43d5aef95869923d62097034d2a1cf7*",".{0,1000}c46fd158ad7a0dbb616b1c0c5416bb77e43d5aef95869923d62097034d2a1cf7.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","36989" "*c477182f8337d9b0ceb73fa2de3f0384a7781caa47bf33845ea7552746e6df65*",".{0,1000}c477182f8337d9b0ceb73fa2de3f0384a7781caa47bf33845ea7552746e6df65.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","36990" "*c4776bfa13df65546ba20938f68214281a2d1771ff0d5e89542e28d34c54933e*",".{0,1000}c4776bfa13df65546ba20938f68214281a2d1771ff0d5e89542e28d34c54933e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","36991" "*c47c3409ede8542ee139232513fe3f1c30b0360bce5d33f65fab9a32f9abb802*",".{0,1000}c47c3409ede8542ee139232513fe3f1c30b0360bce5d33f65fab9a32f9abb802.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","36992" 
"*c485687562cd2a0bfe11c6ecb17a052bbdbb3662ae1faed3627718cc5da68af5*",".{0,1000}c485687562cd2a0bfe11c6ecb17a052bbdbb3662ae1faed3627718cc5da68af5.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","36994" "*c488cce70defe02c6a90ebdfe276d88f4fdaab9264e157588bdb0e6dba9c5a91*",".{0,1000}c488cce70defe02c6a90ebdfe276d88f4fdaab9264e157588bdb0e6dba9c5a91.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","36995" "*c491a40347069ca5f75d4c62435fde16c4fec08656fd88f5b502825dfcbc31cf*",".{0,1000}c491a40347069ca5f75d4c62435fde16c4fec08656fd88f5b502825dfcbc31cf.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","36997" "*c4ab3986686899e9fd446713363b68f65d4710d566b1013b353191607e0c4e1d*",".{0,1000}c4ab3986686899e9fd446713363b68f65d4710d566b1013b353191607e0c4e1d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - 
AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","36999" "*c4b51b5bdd584b2901180946bd0325d1673110a9f6f2050f522404a280bc2d3b*",".{0,1000}c4b51b5bdd584b2901180946bd0325d1673110a9f6f2050f522404a280bc2d3b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37002" "*c4b9ef6591ae20eb0b125566f40b76cb3fc54671d1d474a5f30fb272b0a1c65f*",".{0,1000}c4b9ef6591ae20eb0b125566f40b76cb3fc54671d1d474a5f30fb272b0a1c65f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37004" "*c4c77cda828b390796df90293a7595b030a9966af3804451295766b2d6d57a31*",".{0,1000}c4c77cda828b390796df90293a7595b030a9966af3804451295766b2d6d57a31.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37008" "*c4c8c47da78cce55a75fb1bd7f528ba5eb4a2e2f96ae1927a705bac7eebde224*",".{0,1000}c4c8c47da78cce55a75fb1bd7f528ba5eb4a2e2f96ae1927a705bac7eebde224.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37009" "*c4cf6a2d28fb9c4fce9337cb06adc5fa69601eec6b2e8d10bc9cd3a211f06e85*",".{0,1000}c4cf6a2d28fb9c4fce9337cb06adc5fa69601eec6b2e8d10bc9cd3a211f06e85.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37011" "*c4dc53f4912605a25c18357b0a0bf6dc059286ca901cb981abdf1a22d1649ddc*",".{0,1000}c4dc53f4912605a25c18357b0a0bf6dc059286ca901cb981abdf1a22d1649ddc.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37017" "*c4ea1ed3224d14b9af33bb5de9f66bd98a986323fefa8b6f9b94a59227edfe0b*",".{0,1000}c4ea1ed3224d14b9af33bb5de9f66bd98a986323fefa8b6f9b94a59227edfe0b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37022" "*c4ec5f4d04c44b7a1c8cf813435dbc66a541b450bbaca4d70ded985d6518e76a*",".{0,1000}c4ec5f4d04c44b7a1c8cf813435dbc66a541b450bbaca4d70ded985d6518e76a.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","37024" "*c4fe61892d40eb2a106bb1b59b0284cab20f7ec71ee6417fca03f15d062a257c*",".{0,1000}c4fe61892d40eb2a106bb1b59b0284cab20f7ec71ee6417fca03f15d062a257c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37030" "*c5063df64bd9604d8cdc0d20d4a1eb2340425cf7a38e126fbe45f3e210a1b6a8*",".{0,1000}c5063df64bd9604d8cdc0d20d4a1eb2340425cf7a38e126fbe45f3e210a1b6a8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - 
fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37032" "*c50a3ab93082f21788f9244393b19f2426edeeb896eec2e3e05ffb2e8727e075*",".{0,1000}c50a3ab93082f21788f9244393b19f2426edeeb896eec2e3e05ffb2e8727e075.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37034" "*C50B26839FCDA18B4DB6560EB826E94C*",".{0,1000}C50B26839FCDA18B4DB6560EB826E94C.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#imphash","N/A","10","10","N/A","N/A","N/A","N/A","37035" "*c5185db5e8a84cb5fcad17d8501c2fd8aadb451d5c54fdda88af3504b4c850df*",".{0,1000}c5185db5e8a84cb5fcad17d8501c2fd8aadb451d5c54fdda88af3504b4c850df.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","37039"
"*c518a96dc78f8a6fb2ccecb02c5ab09bb41f0e04c8f7e7de8b87b3392d3083d7*",".{0,1000}c518a96dc78f8a6fb2ccecb02c5ab09bb41f0e04c8f7e7de8b87b3392d3083d7.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37040" "*c526971481cd5f4bc3cc48eaf66f999d61f5615cdd1215516d91e8a79df78967*",".{0,1000}c526971481cd5f4bc3cc48eaf66f999d61f5615cdd1215516d91e8a79df78967.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37042" "*c52907acfb91a54bd267041d6a967ca6e01031b7b2cf894d066e8776e498ca1b*",".{0,1000}c52907acfb91a54bd267041d6a967ca6e01031b7b2cf894d066e8776e498ca1b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37045" "*c52cbf3646a2d15765b87cf05fc3b2bca3b1d2782d4922046c597bd979e42720*",".{0,1000}c52cbf3646a2d15765b87cf05fc3b2bca3b1d2782d4922046c597bd979e42720.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37046" "*c53a614a1a1536db55204e938e84708de9f18c42b613a470e46d433fd83a6db0*",".{0,1000}c53a614a1a1536db55204e938e84708de9f18c42b613a470e46d433fd83a6db0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37049" "*c53b188ec3eb09f34484d2576f957e61522875c0e7a99e67722d41b2b57cdb4d*",".{0,1000}c53b188ec3eb09f34484d2576f957e61522875c0e7a99e67722d41b2b57cdb4d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37051" 
"*c54778b8dc4e458130197cf95d6fc594cc1b016b70eea917f8a44c2c37c080c7*",".{0,1000}c54778b8dc4e458130197cf95d6fc594cc1b016b70eea917f8a44c2c37c080c7.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","37055" "*c56c22434c289bec00f2ec5e2eff83894575cf51ecdf8e3fe7a906315d666beb*",".{0,1000}c56c22434c289bec00f2ec5e2eff83894575cf51ecdf8e3fe7a906315d666beb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37060" "*c5719fe52a801b38f7e30386450f5985a7f378147e00d1392b12b902730f6601*",".{0,1000}c5719fe52a801b38f7e30386450f5985a7f378147e00d1392b12b902730f6601.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","37063" 
"*c57526a8a0010b811b9bd367704125033fc71774f6a66dcfd4224ec5478e0490*",".{0,1000}c57526a8a0010b811b9bd367704125033fc71774f6a66dcfd4224ec5478e0490.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37065" "*c57a600e0e0000e1d5543d2ff60b6d351fd123c23feff681a5c6eb7b80f20acb*",".{0,1000}c57a600e0e0000e1d5543d2ff60b6d351fd123c23feff681a5c6eb7b80f20acb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37066" "*c584ab8fbfa1702c36bab98e6e07b05585402ec00c2e44c245a9bd879ca049f0*",".{0,1000}c584ab8fbfa1702c36bab98e6e07b05585402ec00c2e44c245a9bd879ca049f0.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","37072" 
"*c5880fabc845307a19157fa35d4cc31284cee003b1c9852686c6a8412585d4a8*",".{0,1000}c5880fabc845307a19157fa35d4cc31284cee003b1c9852686c6a8412585d4a8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37073" "*c591528e3316538bfaf298764e9003f715de3fc6affdfbdc9edb0275627ee22f*",".{0,1000}c591528e3316538bfaf298764e9003f715de3fc6affdfbdc9edb0275627ee22f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37076" "*c59f22eb5c115a9c633a0b1ff514787c1ceeca2bf4a660f0232616b3fc8336a7*",".{0,1000}c59f22eb5c115a9c633a0b1ff514787c1ceeca2bf4a660f0232616b3fc8336a7.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - 
TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","37082" "*c5b32aaedc7785b980be37519d95d0d3dc3ae86b3943bbf2ad7cb5dfc57460f0*",".{0,1000}c5b32aaedc7785b980be37519d95d0d3dc3ae86b3943bbf2ad7cb5dfc57460f0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37087" "*c5baab0546d6a6f34ef0b571c8d16df52e8ea3093515986ae3eee3755683546a*",".{0,1000}c5baab0546d6a6f34ef0b571c8d16df52e8ea3093515986ae3eee3755683546a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37090" "*c5bd8f092426a5c99b09cea4a75df91ab8d8a586a734abfde1c0fa7a89a43389*",".{0,1000}c5bd8f092426a5c99b09cea4a75df91ab8d8a586a734abfde1c0fa7a89a43389.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37092" 
"*c5c796d6c73f103b42ee079472d4717829cd71990ff722de42672a73c80a8d7b*",".{0,1000}c5c796d6c73f103b42ee079472d4717829cd71990ff722de42672a73c80a8d7b.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","37096" "*c5d0c469b322039c20ffdbbc052083c342a0c1b9b2b16b47be469e0da76fb3f1*",".{0,1000}c5d0c469b322039c20ffdbbc052083c342a0c1b9b2b16b47be469e0da76fb3f1.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37103" "*c5d39c81e4ab9e8ec45e8cd742d449ceb944b73fe90cd24aaff3d89bc7ebb3e4*",".{0,1000}c5d39c81e4ab9e8ec45e8cd742d449ceb944b73fe90cd24aaff3d89bc7ebb3e4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37104" "*c5e232a129f96e0a03fae4b6ddd4b6129620ca8194fb92fd885c8112b4a84df7*",".{0,1000}c5e232a129f96e0a03fae4b6ddd4b6129620ca8194fb92fd885c8112b4a84df7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC 
Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37107" "*c5e68c5635bed872ce6ac0c2be5395cc15c2dbaa5f0052b86575cdd0b762902e*",".{0,1000}c5e68c5635bed872ce6ac0c2be5395cc15c2dbaa5f0052b86575cdd0b762902e.{0,1000}","greyware_tool_keyword","Alpemix","connect to your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","37109" "*c5eca1ce456b855510b7da24a0204941c5d7a516da8b8b5af6a88f258a1994f5*",".{0,1000}c5eca1ce456b855510b7da24a0204941c5d7a516da8b8b5af6a88f258a1994f5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37111" "*c5fb70cf2c8a3681d7e8397c8ac82c119f5bd64055dd47432c5e5672ce9a3986*",".{0,1000}c5fb70cf2c8a3681d7e8397c8ac82c119f5bd64055dd47432c5e5672ce9a3986.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37115" "*c638cfd7896ca9f35706e8b0db118e97925d4f8ecc1748c3a75666ed645775a8*",".{0,1000}c638cfd7896ca9f35706e8b0db118e97925d4f8ecc1748c3a75666ed645775a8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37126" "*c6599963f89162253d6501a99425525a3406309a757f3515d957d5ff2452dffd*",".{0,1000}c6599963f89162253d6501a99425525a3406309a757f3515d957d5ff2452dffd.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37131" "*c66ea235f3bec5713b4b30abb7fa938c472f9f66b1f1fcaacdf8b0e7c36a735b*",".{0,1000}c66ea235f3bec5713b4b30abb7fa938c472f9f66b1f1fcaacdf8b0e7c36a735b.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","37137" "*c671953a8131c23c8039827f79fc96c021aac1e2b6dfff805ee68f490847b3ef*",".{0,1000}c671953a8131c23c8039827f79fc96c021aac1e2b6dfff805ee68f490847b3ef.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37138" 
"*c678c9a61d0faf3f0e030010615c3cca395d815f8c073ea171b20d4bdf221192*",".{0,1000}c678c9a61d0faf3f0e030010615c3cca395d815f8c073ea171b20d4bdf221192.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","37142" "*c685a8322f7e7b2d25860ccdf8432d20f2077fd2f7480fff39f9b7bd4a1da5ba*",".{0,1000}c685a8322f7e7b2d25860ccdf8432d20f2077fd2f7480fff39f9b7bd4a1da5ba.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37143" "*c68f67a262cf61a81945326e0e0c9e2a3dce209c3125bb0f05a16921141f4231*",".{0,1000}c68f67a262cf61a81945326e0e0c9e2a3dce209c3125bb0f05a16921141f4231.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37146" "*c6b4e0b176b29a3a2bf68e702195cbf72d705f8c6419ac17e7bfd16b18429447*",".{0,1000}c6b4e0b176b29a3a2bf68e702195cbf72d705f8c6419ac17e7bfd16b18429447.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","37162" "*c6c3d2c485f517a417ed0303ec5af3888dcd3f31a90f7c0d959f01f4a540d61a*",".{0,1000}c6c3d2c485f517a417ed0303ec5af3888dcd3f31a90f7c0d959f01f4a540d61a.{0,1000}","greyware_tool_keyword","ipscan","Angry 
IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37165" "*c6c96cf14099900a4582003ae7bd2cedd62d69f4fc6820a6adf1503599095509*",".{0,1000}c6c96cf14099900a4582003ae7bd2cedd62d69f4fc6820a6adf1503599095509.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37166" "*c6df3acfa4964ce75534e76ea4635280be68c946b8b5d0566a858337e74d5fd3*",".{0,1000}c6df3acfa4964ce75534e76ea4635280be68c946b8b5d0566a858337e74d5fd3.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","37169" "*c6f00c7458e7546b9339ce65805b2969abf55f95698f0b2f0904ed85f187b3fa*",".{0,1000}c6f00c7458e7546b9339ce65805b2969abf55f95698f0b2f0904ed85f187b3fa.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37174" "*c6f0b7931f8df1223c5edb6adef3919350e1eec95c9493748fb995c2d968f672*",".{0,1000}c6f0b7931f8df1223c5edb6adef3919350e1eec95c9493748fb995c2d968f672.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37175" "*c6f2a4b09f9249c4e77ad03cc0e15940f080c125187137bc88a7d2adf2a4916f*",".{0,1000}c6f2a4b09f9249c4e77ad03cc0e15940f080c125187137bc88a7d2adf2a4916f.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","37176" "*C7038612-8183-67A7-8A9C-1379C2674156*",".{0,1000}C7038612\-8183\-67A7\-8A9C\-1379C2674156.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","#GUIDproject","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","37180" "*c703e6aa71038579068c826ba7f8cabdfa61de7345f389cbcbf779ef5c3e0767*",".{0,1000}c703e6aa71038579068c826ba7f8cabdfa61de7345f389cbcbf779ef5c3e0767.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37181" "*c7048e58d7363cd4ff59c057a6632651bda40c9ad65bf223da6b170a04e6f813*",".{0,1000}c7048e58d7363cd4ff59c057a6632651bda40c9ad65bf223da6b170a04e6f813.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37182" "*c710d2cf2941d27180e3cfc40066fede75581ead01666e4c0df16c6c2b16e128*",".{0,1000}c710d2cf2941d27180e3cfc40066fede75581ead01666e4c0df16c6c2b16e128.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37186" 
"*c7304d8f23a7d129d30e27955a020357518164d01e60eb17b0db2768ceed435e*",".{0,1000}c7304d8f23a7d129d30e27955a020357518164d01e60eb17b0db2768ceed435e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37194" "*c730f343f26791992ca406e58e182e5185ba8a8bad1e2922c3f13f3f90be8a66*",".{0,1000}c730f343f26791992ca406e58e182e5185ba8a8bad1e2922c3f13f3f90be8a66.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","37196" "*c75e682dd8f063bd0c151b30095bae8061146928f6d8533ac983280ad2c6effc*",".{0,1000}c75e682dd8f063bd0c151b30095bae8061146928f6d8533ac983280ad2c6effc.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","37204" "*c7647cb1c2631105bb032dad94057bfa62970d70dfa48f8be0c1a4160ff7c56d*",".{0,1000}c7647cb1c2631105bb032dad94057bfa62970d70dfa48f8be0c1a4160ff7c56d.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37206" 
"*c764892be19cdf290c49fc9d421dc1f4f8359a1c1d127c12c3a3f56f7fe199c2*",".{0,1000}c764892be19cdf290c49fc9d421dc1f4f8359a1c1d127c12c3a3f56f7fe199c2.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37207" "*c7652b1555ab67b927ea24b856f1a81cbd21067afbbce16ee6db88022714dfde*",".{0,1000}c7652b1555ab67b927ea24b856f1a81cbd21067afbbce16ee6db88022714dfde.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37208" "*c792d1729f05d22140c7e71092c3ba3314d7a9b2cdd9022160b60574e50a9826*",".{0,1000}c792d1729f05d22140c7e71092c3ba3314d7a9b2cdd9022160b60574e50a9826.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37217" "*c793af04a5ffa53c8dcde8f9453b312e40168de4081d64cbead076b8e7fcb0b9*",".{0,1000}c793af04a5ffa53c8dcde8f9453b312e40168de4081d64cbead076b8e7fcb0b9.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37218" 
"*c798b2aedc7a74f0daf51eb216aae8cb48b45f208b0409916442b1d61d2ad2ef*",".{0,1000}c798b2aedc7a74f0daf51eb216aae8cb48b45f208b0409916442b1d61d2ad2ef.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","37221" "*c7ad0c513a383487e712f2e5d61984f547071fa31e67c76d213647018e7251ca*",".{0,1000}c7ad0c513a383487e712f2e5d61984f547071fa31e67c76d213647018e7251ca.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","37226" "*c7b22ed0a87596cd839b555e4992d80691359e75409063b6dca2dda96e7da480*",".{0,1000}c7b22ed0a87596cd839b555e4992d80691359e75409063b6dca2dda96e7da480.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37228" "*c7bdf687d8aff0ab4ddb28fa9c633f416ae82b201f3c51898136c9a26631a7f1*",".{0,1000}c7bdf687d8aff0ab4ddb28fa9c633f416ae82b201f3c51898136c9a26631a7f1.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","37234" 
"*C7C363BA-E5B6-4E18-9224-39BC8DA73172*",".{0,1000}C7C363BA\-E5B6\-4E18\-9224\-39BC8DA73172.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#GUIDproject","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","37237" "*c7dc584320f2e080de96e2889fa8139adfa1fe60aa2a670476a4bf6703fad2cb*",".{0,1000}c7dc584320f2e080de96e2889fa8139adfa1fe60aa2a670476a4bf6703fad2cb.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","37243" "*c7dca90fb6fd83cee8b9f6a2776f5839794341af1953d251bf06a91870be7a8e*",".{0,1000}c7dca90fb6fd83cee8b9f6a2776f5839794341af1953d251bf06a91870be7a8e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37244" "*c7e26e0a8bbe91d86c363956c9d5d4d32b55f195c9a4970cfad4df2a07853013*",".{0,1000}c7e26e0a8bbe91d86c363956c9d5d4d32b55f195c9a4970cfad4df2a07853013.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - 
abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37245" "*c7e58365d0b888a60df772e7857ce8a0b53912bbd287582e865e3c5e17db723f*",".{0,1000}c7e58365d0b888a60df772e7857ce8a0b53912bbd287582e865e3c5e17db723f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37248" "*c7f1a98884e039f619255fc3f5ae2bdd90f6bbe46f00f7a60d72a40e82e4858c*",".{0,1000}c7f1a98884e039f619255fc3f5ae2bdd90f6bbe46f00f7a60d72a40e82e4858c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37251" "*c8082d0f82601d54507242e44c75d91f33cb02d5b224c579d81c1abcc659a2f9*",".{0,1000}c8082d0f82601d54507242e44c75d91f33cb02d5b224c579d81c1abcc659a2f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37261" "*c80c697470033dcb0c21c4c8bfb51f8514b4bfc10f3cc64e0960ed62420eb14f*",".{0,1000}c80c697470033dcb0c21c4c8bfb51f8514b4bfc10f3cc64e0960ed62420eb14f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37263" "*c816973d0005248a7c6112026d9fa942e8e755748f60fd4a7b0b5ca4d578bd74*",".{0,1000}c816973d0005248a7c6112026d9fa942e8e755748f60fd4a7b0b5ca4d578bd74.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37266" "*c83782cfec55c5787d0a2f1dbaa3e4fb36eed7c164036fcabc1813ab314f1932*",".{0,1000}c83782cfec55c5787d0a2f1dbaa3e4fb36eed7c164036fcabc1813ab314f1932.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37270" "*c842849be22802e6500167fc34fac869c584ad1f70b6c56dcc66d7391171d567*",".{0,1000}c842849be22802e6500167fc34fac869c584ad1f70b6c56dcc66d7391171d567.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37272" "*c85dda1fd27eb34db30a297fe5ddfa279904579ce968d8fbe08d68a263c71a8a*",".{0,1000}c85dda1fd27eb34db30a297fe5ddfa279904579ce968d8fbe08d68a263c71a8a.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","37279" "*c861597da1b6e5f884d6b1a7bfa480596e0ba574babd9d2ed297b26685aac2a8*",".{0,1000}c861597da1b6e5f884d6b1a7bfa480596e0ba574babd9d2ed297b26685aac2a8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37280" "*c86db29845f8c6a4720c47a28c1a53e75ecab95cb14a5ecb6678489d2d8e2a84*",".{0,1000}c86db29845f8c6a4720c47a28c1a53e75ecab95cb14a5ecb6678489d2d8e2a84.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37288" "*c87e364b795ed06a18e5d54ac07ab31d11f343d66bdb5779df4d48ad915850a1*",".{0,1000}c87e364b795ed06a18e5d54ac07ab31d11f343d66bdb5779df4d48ad915850a1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37295" "*c87ffc18bfa386cf946156f91fb8649a0cdbcd762550a0b8ab1f4774cb608455*",".{0,1000}c87ffc18bfa386cf946156f91fb8649a0cdbcd762550a0b8ab1f4774cb608455.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37296" "*c88212e7221a28d2877ba03c01c5df776c61aa4e36bc5a5909bceea7545fdfb1*",".{0,1000}c88212e7221a28d2877ba03c01c5df776c61aa4e36bc5a5909bceea7545fdfb1.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","37298" "*c88798691efdab2ca387d84d5803b4c388f6e7de7471a6222c9fad1914cb2fdf*",".{0,1000}c88798691efdab2ca387d84d5803b4c388f6e7de7471a6222c9fad1914cb2fdf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files 
with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37300" "*c888fa7aadb304362df7bcb43164b6a07222739f5d2a90bf475817aa0e75013d*",".{0,1000}c888fa7aadb304362df7bcb43164b6a07222739f5d2a90bf475817aa0e75013d.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#filehash","N/A","9","10","N/A","N/A","N/A","N/A","37302" "*c89b4490de04897b1c16e5dae1c10ef10e60c56294bd4ca45d1669f5dcb6f9e3*",".{0,1000}c89b4490de04897b1c16e5dae1c10ef10e60c56294bd4ca45d1669f5dcb6f9e3.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","#filehash","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","37305" "*c8a0f709cf4759d81ced139804cd7f790590fea22b34e00a7abe57431fb8525c*",".{0,1000}c8a0f709cf4759d81ced139804cd7f790590fea22b34e00a7abe57431fb8525c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37308" 
"*c8a45f4e2b59642d67abcd63f8c764b3b8fa2713bdbb1278aae427cb31cde4e0*",".{0,1000}c8a45f4e2b59642d67abcd63f8c764b3b8fa2713bdbb1278aae427cb31cde4e0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37309" "*c8ca4efbee070fbf92d8029eb0ab7b6debc91c4f7fc3fe6c578c416294807565*",".{0,1000}c8ca4efbee070fbf92d8029eb0ab7b6debc91c4f7fc3fe6c578c416294807565.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37319" "*c8d5f96c3f1d9054427004f52d87d081f0bd05e4f104eaee857c10bab7400c2d*",".{0,1000}c8d5f96c3f1d9054427004f52d87d081f0bd05e4f104eaee857c10bab7400c2d.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","37320" "*c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165*",".{0,1000}c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37323" 
"*c9111589f5d92fa49c6fcd8993691158865e0ac95afe95bb1cc122c0a3b79e17*",".{0,1000}c9111589f5d92fa49c6fcd8993691158865e0ac95afe95bb1cc122c0a3b79e17.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37331" "*c9165f1628aa7d5a75b907d71efda4fa4ab1fa8bb2ee12ef86478ef6e2c3e162*",".{0,1000}c9165f1628aa7d5a75b907d71efda4fa4ab1fa8bb2ee12ef86478ef6e2c3e162.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. 
What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","#filehash","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","37333" "*c9192193554c131a5f3c8dcdc1764bae1705583f853f302d48185128fdf7594c*",".{0,1000}c9192193554c131a5f3c8dcdc1764bae1705583f853f302d48185128fdf7594c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37334" "*c91e3e1822b0d7a6c47c27b89753d5f1cbb3bb0759422fc5729d50a1a9eef0f6*",".{0,1000}c91e3e1822b0d7a6c47c27b89753d5f1cbb3bb0759422fc5729d50a1a9eef0f6.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","37336" "*c933a304bc8713f7b3916cd107f501070ab568b2f21793431f48a234502f671d*",".{0,1000}c933a304bc8713f7b3916cd107f501070ab568b2f21793431f48a234502f671d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37344" "*c933ac96b502a02dbac31a1b1e08cd9e950274b9cfeae80eef0ef59a1157aa48*",".{0,1000}c933ac96b502a02dbac31a1b1e08cd9e950274b9cfeae80eef0ef59a1157aa48.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37345" "*c938afbd5c475a7071dbc1912a4b5c211f7c8bbbae1c2389989c2115a08d7a0d*",".{0,1000}c938afbd5c475a7071dbc1912a4b5c211f7c8bbbae1c2389989c2115a08d7a0d.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","37347" "*c9404d48d63246380ae88630c327b603c5795542b4cc51287bea22a04bca46b5*",".{0,1000}c9404d48d63246380ae88630c327b603c5795542b4cc51287bea22a04bca46b5.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37350" "*c948e37486bb247fbbc9f20b5040a11f28f642f5760be9abda81fc979c9911f1*",".{0,1000}c948e37486bb247fbbc9f20b5040a11f28f642f5760be9abda81fc979c9911f1.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","37355" "*c95ebf48bcef81e9ee296a803ca77244d111e35a55db9680c78b407ed99bb054*",".{0,1000}c95ebf48bcef81e9ee296a803ca77244d111e35a55db9680c78b407ed99bb054.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37360" "*c9673c278cbf55574c7a8d0c4e067e2d39b938d673b0d7332f58d28170ce267b*",".{0,1000}c9673c278cbf55574c7a8d0c4e067e2d39b938d673b0d7332f58d28170ce267b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37361" "*c96ecc29074845b030484359398988deef3ec8b0a4832de0ca9168e57c040cb8*",".{0,1000}c96ecc29074845b030484359398988deef3ec8b0a4832de0ca9168e57c040cb8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin 
- Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37362" "*c99142c5e55fae055955332964c56d29aba10bec9764ab961aebabf6c3ee1462*",".{0,1000}c99142c5e55fae055955332964c56d29aba10bec9764ab961aebabf6c3ee1462.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37370" "*c992b9a8a53c53465f035d5e254ecc1a9455f260fd110fe1600d5da4a37df413*",".{0,1000}c992b9a8a53c53465f035d5e254ecc1a9455f260fd110fe1600d5da4a37df413.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37371" "*c9aa6d9d1d58919fe795c5209d984d31bcb3f1fccc455a0eaf0fe4a5007e03e6*",".{0,1000}c9aa6d9d1d58919fe795c5209d984d31bcb3f1fccc455a0eaf0fe4a5007e03e6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - 
Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37377" "*c9b8dc930557737b54503ce5572adcc11903b34136f5d1300d496db8063b6602*",".{0,1000}c9b8dc930557737b54503ce5572adcc11903b34136f5d1300d496db8063b6602.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37379" "*c9bc2b37f1d79e9000ad8f53d185a28360f0d4d120e31bee0a57febb29eec08a*",".{0,1000}c9bc2b37f1d79e9000ad8f53d185a28360f0d4d120e31bee0a57febb29eec08a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37380" 
"*c9bdea295fc4e88e634edc48697912379334da2c771e6130dc1702e32e70672c*",".{0,1000}c9bdea295fc4e88e634edc48697912379334da2c771e6130dc1702e32e70672c.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","37382" "*c9c6596491f95de71a67e8ca2732616e361b99317303f8d3a36fa946ca4d29f0*",".{0,1000}c9c6596491f95de71a67e8ca2732616e361b99317303f8d3a36fa946ca4d29f0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37384" "*c9cc2b7d5ff7a0f9f7b97da9bf4a090bfd323be51bda6c12eb2b01c9efa816b5*",".{0,1000}c9cc2b7d5ff7a0f9f7b97da9bf4a090bfd323be51bda6c12eb2b01c9efa816b5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37386" "*c9e87a3b55c42f86a7fbbb0bd11063d7d601988d8a31db7cf1b7c827654b0dc6*",".{0,1000}c9e87a3b55c42f86a7fbbb0bd11063d7d601988d8a31db7cf1b7c827654b0dc6.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - 
T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","37398" "*c9f5f2d7fae73dc38b27872ccb37559f5a7dd96b15b48c6e54bd6a5640d852e2*",".{0,1000}c9f5f2d7fae73dc38b27872ccb37559f5a7dd96b15b48c6e54bd6a5640d852e2.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37401" "*ca04fa1151686619776a2009397dc9aad61975155412527638072302ea850c68*",".{0,1000}ca04fa1151686619776a2009397dc9aad61975155412527638072302ea850c68.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37407" "*ca08f69443eb20365de2172255cc51e6be69ed93ef5edb79d870952fd68b500d*",".{0,1000}ca08f69443eb20365de2172255cc51e6be69ed93ef5edb79d870952fd68b500d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37410" 
"*ca1cb4b1d9a3e45d0704aa77651b0497eacc3e415192936a5be7f7272f2c94c5*",".{0,1000}ca1cb4b1d9a3e45d0704aa77651b0497eacc3e415192936a5be7f7272f2c94c5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37415" "*ca1f8ec6c7236e7c9c31c1c40626c05a597e3bc6f647c1325439e2f825da9aee*",".{0,1000}ca1f8ec6c7236e7c9c31c1c40626c05a597e3bc6f647c1325439e2f825da9aee.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37416" "*ca32067f8f93d2cc0aa1ead819aa8db3e6803c1e535e377598548f41c34ccac4*",".{0,1000}ca32067f8f93d2cc0aa1ead819aa8db3e6803c1e535e377598548f41c34ccac4.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37425" 
"*ca528c7f40b7045ff516dc9758442d05010b84b4b3eab58281325f2e1a0f2b74*",".{0,1000}ca528c7f40b7045ff516dc9758442d05010b84b4b3eab58281325f2e1a0f2b74.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37434" "*ca5a7ecdd5f4a8c6315555fb446496b2085137d6d38e56a0d1318c5e1d80db1a*",".{0,1000}ca5a7ecdd5f4a8c6315555fb446496b2085137d6d38e56a0d1318c5e1d80db1a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37437" "*ca5ae82e1e5269bc00b2539f84d0c5d258601741c905b7fe02ff6bd6e06089c1*",".{0,1000}ca5ae82e1e5269bc00b2539f84d0c5d258601741c905b7fe02ff6bd6e06089c1.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37438" 
"*ca62758a8fca83e129d46d3105fd8a435c16e4f534ed662b04a4aca99b92b1e7*",".{0,1000}ca62758a8fca83e129d46d3105fd8a435c16e4f534ed662b04a4aca99b92b1e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37442" "*ca647f69c6bf2e831902a8bd9c5f4d16f7014314d5eeb94bd3a5389a92806de8*",".{0,1000}ca647f69c6bf2e831902a8bd9c5f4d16f7014314d5eeb94bd3a5389a92806de8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37444" "*ca6ac5c1c1f30675eecf91fe295d703007a754c1b320609ede7aa4783d899e9e*",".{0,1000}ca6ac5c1c1f30675eecf91fe295d703007a754c1b320609ede7aa4783d899e9e.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the 
Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","37447" "*ca6ae284ec3e1dfad347339b5ebcd71fe6f901a359d1dda672bd560aa7768ba2*",".{0,1000}ca6ae284ec3e1dfad347339b5ebcd71fe6f901a359d1dda672bd560aa7768ba2.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","37448" "*ca6c79f236c29b8a923703800c1bc63ed8eb9d4e7f1951e9660bfdcc2b98e55e*",".{0,1000}ca6c79f236c29b8a923703800c1bc63ed8eb9d4e7f1951e9660bfdcc2b98e55e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37449" "*ca7baeb243b5c264847067f6e5619311223f1741f73d5371ff7fa90698ff5a3b*",".{0,1000}ca7baeb243b5c264847067f6e5619311223f1741f73d5371ff7fa90698ff5a3b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37454" 
"*ca8a4d90295fa5049d85ac5b867861ec4740f64f5f3061a1c0308d2a041dbf2b*",".{0,1000}ca8a4d90295fa5049d85ac5b867861ec4740f64f5f3061a1c0308d2a041dbf2b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37456" "*ca9099738d41c98fa1f8fe983cbc9071e37af846c851311316ee8b38c2cb5706*",".{0,1000}ca9099738d41c98fa1f8fe983cbc9071e37af846c851311316ee8b38c2cb5706.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37458" "*ca96a1f8836f1c1afdf2c410e9d686f7beca7784e859971a493a6610522708e2*",".{0,1000}ca96a1f8836f1c1afdf2c410e9d686f7beca7784e859971a493a6610522708e2.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","37460" "*ca9c8dba1b481536626a833232ca6146eb1128f8a4f4c6cb480bb37e771898ea*",".{0,1000}ca9c8dba1b481536626a833232ca6146eb1128f8a4f4c6cb480bb37e771898ea.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37461" "*caae7a70d2fe9e94e7870ec50278b0c4a115e7ffd6c87e7c729462019f973024*",".{0,1000}caae7a70d2fe9e94e7870ec50278b0c4a115e7ffd6c87e7c729462019f973024.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware 
actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37471" "*cab2848992b779a1bdcdf76553265dc73b70046442ec9949135a515f7b65819f*",".{0,1000}cab2848992b779a1bdcdf76553265dc73b70046442ec9949135a515f7b65819f.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","37472" "*cab846a2c20b581cb99f032f0e06c48baea38186f328c07d0f730e64b40f63b1*",".{0,1000}cab846a2c20b581cb99f032f0e06c48baea38186f328c07d0f730e64b40f63b1.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","37473" "*cabc5f4b4dee64623a9a8493bad6c1fc6db5216caa5c904f78cc82d1d25645b7*",".{0,1000}cabc5f4b4dee64623a9a8493bad6c1fc6db5216caa5c904f78cc82d1d25645b7.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37474" "*cabd08e92a016eb971ebda7ee0954f8e2b9cc234a3a61e4c04ce6fa97798ff06*",".{0,1000}cabd08e92a016eb971ebda7ee0954f8e2b9cc234a3a61e4c04ce6fa97798ff06.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37475" "*cabf1c59455c1447264baefba68d2a1a45d9a39a6ffbd8420c3b8c2ffda357a3*",".{0,1000}cabf1c59455c1447264baefba68d2a1a45d9a39a6ffbd8420c3b8c2ffda357a3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37477" "*cac1286a56b2de1195d3b79ed029e68f827a1d4e8da914097dfce64584e407d0*",".{0,1000}cac1286a56b2de1195d3b79ed029e68f827a1d4e8da914097dfce64584e407d0.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37481" "*cac2bc6fccb071789d7acc95f02470cfb935cfc9c7c6a1e6d91457e4ff11e8e1*",".{0,1000}cac2bc6fccb071789d7acc95f02470cfb935cfc9c7c6a1e6d91457e4ff11e8e1.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37482" "*cac807c7a75909e5f8ce610b29078a2f5cce0d35a4ccdeface0d5c6809f0856c*",".{0,1000}cac807c7a75909e5f8ce610b29078a2f5cce0d35a4ccdeface0d5c6809f0856c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37483" "*cacc832d9daf18d621c26497f5affd8b6b27cf5e34332b8bd95da127efdbb5e1*",".{0,1000}cacc832d9daf18d621c26497f5affd8b6b27cf5e34332b8bd95da127efdbb5e1.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","37485" "*cace36a7ea185c8a675356f6e3eeb5b1d466666f7853aa9813df486c5178cbdf*",".{0,1000}cace36a7ea185c8a675356f6e3eeb5b1d466666f7853aa9813df486c5178cbdf.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential 
Access","https://www.nirsoft.net/utils/mzcv.html","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","37486" "*cad474e11c4a63c30d9807392c649acf15736fcb729e1a42f1b63a1a062ef62a*",".{0,1000}cad474e11c4a63c30d9807392c649acf15736fcb729e1a42f1b63a1a062ef62a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37509" "*cadf80a863dc5b1e8222141517ffebe93bec28214dfa7d69407b98409355888d*",".{0,1000}cadf80a863dc5b1e8222141517ffebe93bec28214dfa7d69407b98409355888d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37512" "*caed90cc51561edd29eb5e842c266add1bb477261cf5254a0e2c218ed0737b93*",".{0,1000}caed90cc51561edd29eb5e842c266add1bb477261cf5254a0e2c218ed0737b93.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","37517" "*Cannot enumerate SAM objects*",".{0,1000}Cannot\senumerate\sSAM\sobjects.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","37555" "*cargo install sshx*",".{0,1000}cargo\sinstall\ssshx.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","0","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","37583" "*cat *.atftp_history*",".{0,1000}cat\s.{0,1000}\.atftp_history.{0,1000}","greyware_tool_keyword","cat","show atftp history","T1552.002 - T1070.004","TA0005 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","2","9","N/A","N/A","N/A","N/A","37588" "*cat *.atftp_history*",".{0,1000}cat\s.{0,1000}\.atftp_history.{0,1000}","greyware_tool_keyword","cat","Enumerating user files history for interesting information","T1083 - T1005","TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","37589" "*cat *.bash_history*",".{0,1000}cat\s.{0,1000}\.bash_history.{0,1000}","greyware_tool_keyword","cat","show bash history","T1552.002 - T1070.004","TA0005 - TA0009","N/A","N/A","discovery","N/A","1","0","#linux","N/A","2","9","N/A","N/A","N/A","N/A","37590" "*cat *.bash_history*",".{0,1000}cat\s.{0,1000}\.bash_history.{0,1000}","greyware_tool_keyword","cat","Enumerating user files history for interesting 
information","T1083 - T1005","TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","37591" "*cat *.mysql_history*",".{0,1000}cat\s.{0,1000}\.mysql_history.{0,1000}","greyware_tool_keyword","cat","show mysql history","T1552.002 - T1070.004","TA0005 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","2","9","N/A","N/A","N/A","N/A","37593" "*cat *.mysql_history*",".{0,1000}cat\s.{0,1000}\.mysql_history.{0,1000}","greyware_tool_keyword","cat","Enumerating user files history for interesting information","T1083 - T1005","TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","37594" "*cat *.nano_history*",".{0,1000}cat\s.{0,1000}\.nano_history.{0,1000}","greyware_tool_keyword","cat","show nano history","T1552.002 - T1070.004","TA0005 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","2","9","N/A","N/A","N/A","N/A","37595" "*cat *.nano_history*",".{0,1000}cat\s.{0,1000}\.nano_history.{0,1000}","greyware_tool_keyword","cat","Enumerating user files history for interesting information","T1083 - T1005","TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","37596" "*cat *.php_history*",".{0,1000}cat\s.{0,1000}\.php_history.{0,1000}","greyware_tool_keyword","cat","show php history","T1552.002 - T1070.004","TA0005 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","2","9","N/A","N/A","N/A","N/A","37598" "*cat *.php_history*",".{0,1000}cat\s.{0,1000}\.php_history.{0,1000}","greyware_tool_keyword","cat","Enumerating user files history for interesting information","T1083 - 
T1005","TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","37599" "*cat *.zsh_history*",".{0,1000}cat\s.{0,1000}\.zsh_history.{0,1000}","greyware_tool_keyword","cat","show zsh history","T1552.002 - T1070.004","TA0005 - TA0009","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","2","9","N/A","N/A","N/A","N/A","37601" "*cat *.zsh_history*",".{0,1000}cat\s.{0,1000}\.zsh_history.{0,1000}","greyware_tool_keyword","cat","Enumerating user files history for interesting information","T1083 - T1005","TA0007","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","37602" "*cat *bash-history*",".{0,1000}cat\s.{0,1000}bash\-history.{0,1000}","greyware_tool_keyword","cat","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","37603" "*cat /dev/null > $HISTFILE*",".{0,1000}cat\s\/dev\/null\s\>\s\$HISTFILE.{0,1000}","greyware_tool_keyword","cat","deleting bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","37605" "*cat /dev/null > *bash_history*",".{0,1000}cat\s\/dev\/null\s\>\s.{0,1000}bash_history.{0,1000}","greyware_tool_keyword","bash","Clear command history in linux which is used for defense evasion. 
","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml","1","0","#linux","greyware tool - risks of False positive !","10","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","37606" "*cat /dev/null > /var/log/*.log*",".{0,1000}cat\s\/dev\/null\s\>\s\/var\/log\/.{0,1000}\.log.{0,1000}","greyware_tool_keyword","cat","deleting log files","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","37607" "*cat /dev/null > /var/log/auth.log*",".{0,1000}cat\s\/dev\/null\s\>\s\/var\/log\/auth\.log.{0,1000}","greyware_tool_keyword","cat","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","37608" "*cat /dev/null > /var/log/messages*",".{0,1000}cat\s\/dev\/null\s\>\s\/var\/log\/messages.{0,1000}","greyware_tool_keyword","cat","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","37609" "*cat /dev/null > ~/.bash_history*",".{0,1000}cat\s\/dev\/null\s\>\s\~\/\.bash_history.{0,1000}","greyware_tool_keyword","cat","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense 
Evasion","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","37610" "*cat /dev/zero > /var/lol/messages*",".{0,1000}cat\s\/dev\/zero\s\>\s\/var\/lol\/messages.{0,1000}","greyware_tool_keyword","cat","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","37611" "*cat /etc/passwd*",".{0,1000}cat\s\/etc\/passwd.{0,1000}","greyware_tool_keyword","cat","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","37612" "*cat /etc/shadow*",".{0,1000}cat\s\/etc\/shadow.{0,1000}","greyware_tool_keyword","cat","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","37613" "*cat /etc/sudoers*",".{0,1000}cat\s\/etc\/sudoers.{0,1000}","greyware_tool_keyword","cat","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - 
TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","37616" "*cat /root/.aws/credentials*",".{0,1000}cat\s\/root\/\.aws\/credentials.{0,1000}","greyware_tool_keyword","cat","cat suspicious commands","T1003 - T1552","TA0006 - TA0007 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","37617" "*cat /root/.ssh/id_rsa*",".{0,1000}cat\s\/root\/\.ssh\/id_rsa.{0,1000}","greyware_tool_keyword","cat","cat suspicious commands","T1003 - T1552","TA0006 - TA0007 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","37618" "*cb03a9577b8d7803de33676b9aa5317db4a149bc0ef45ea3971c71fe061d0ea7*",".{0,1000}cb03a9577b8d7803de33676b9aa5317db4a149bc0ef45ea3971c71fe061d0ea7.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","37633" "*cb183ce9401cd7ad838bedb22fb49717d5de7da10b8f64781aceb4912d6f5ec8*",".{0,1000}cb183ce9401cd7ad838bedb22fb49717d5de7da10b8f64781aceb4912d6f5ec8.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","37641" "*cb34300ac60c5a08687352721f380e736d6d3bad2e514866d27f9c581f1c19aa*",".{0,1000}cb34300ac60c5a08687352721f380e736d6d3bad2e514866d27f9c581f1c19aa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - 
abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37649" "*cb36d409779d4a7b0285552c3bc41efc576b4a22ca5fea6f4c288e1e96f7f4eb*",".{0,1000}cb36d409779d4a7b0285552c3bc41efc576b4a22ca5fea6f4c288e1e96f7f4eb.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37650" "*cb5044ef22deef19afcaa1d37da6d2d1e89a21f5cff3e77ad7c47ad8da1a8a7b*",".{0,1000}cb5044ef22deef19afcaa1d37da6d2d1e89a21f5cff3e77ad7c47ad8da1a8a7b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37660" "*cb548fc5c8a0eccd0a51a371d5ceb8abf994ea20a570d97cbd4592db6ac1919b*",".{0,1000}cb548fc5c8a0eccd0a51a371d5ceb8abf994ea20a570d97cbd4592db6ac1919b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37661" "*cb5618be68d7de48075061262b531c7dd528274a7537195f33dabdffd48a058d*",".{0,1000}cb5618be68d7de48075061262b531c7dd528274a7537195f33dabdffd48a058d.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","37663" "*cb5c6641c926bbcde9dc6306f2049aafa148ce393b974f2b7a0d7e0eafa811f7*",".{0,1000}cb5c6641c926bbcde9dc6306f2049aafa148ce393b974f2b7a0d7e0eafa811f7.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37665" "*cb5d63e74dee2d3908969d245f21722523a3a111f98a3ed13f6554cab98569e3*",".{0,1000}cb5d63e74dee2d3908969d245f21722523a3a111f98a3ed13f6554cab98569e3.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","37666" "*cb70ca2937afdb647a8716f0b0d122f71f91dd7ce777250d0d2573f0ec47c5fc*",".{0,1000}cb70ca2937afdb647a8716f0b0d122f71f91dd7ce777250d0d2573f0ec47c5fc.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#filehash","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","37670" "*cb7edcda37ef188dd5461a626f7b66d4c76676bc4cf05cba3bb4850dff3d8a2b*",".{0,1000}cb7edcda37ef188dd5461a626f7b66d4c76676bc4cf05cba3bb4850dff3d8a2b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37674" "*cb923918ef4e035f3ac3c144792f3d20e5519741c4e1f56ff9bee53f6cd4592c*",".{0,1000}cb923918ef4e035f3ac3c144792f3d20e5519741c4e1f56ff9bee53f6cd4592c.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37677" "*cb984e4a89d00bb86a40eab7f7920e2bb739e3eb69a35596586f45e06619961f*",".{0,1000}cb984e4a89d00bb86a40eab7f7920e2bb739e3eb69a35596586f45e06619961f.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","37680" "*cba592d413d8cb3d09989b0b7693f3247517590d2e83329d4ae5f5b407fffc23*",".{0,1000}cba592d413d8cb3d09989b0b7693f3247517590d2e83329d4ae5f5b407fffc23.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37681" "*cba6ba250d94853df4e8074831cf8f7db13d559623b368291a91f29501888edd*",".{0,1000}cba6ba250d94853df4e8074831cf8f7db13d559623b368291a91f29501888edd.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","37683" "*cbab130e55af45dd1cc7b1644a799b92f7fa4b04f82b93e021e182399b8aefec*",".{0,1000}cbab130e55af45dd1cc7b1644a799b92f7fa4b04f82b93e021e182399b8aefec.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","37687" "*cbb99174020be2e0d753674e303f2cfbc81d5f24b85c7c2f5c57ac5411720500*",".{0,1000}cbb99174020be2e0d753674e303f2cfbc81d5f24b85c7c2f5c57ac5411720500.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - 
T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37690" "*cbdf3b97f6a72121a00e8f14fd0bbd564aefc6edfde0b9449f1613559678d09f*",".{0,1000}cbdf3b97f6a72121a00e8f14fd0bbd564aefc6edfde0b9449f1613559678d09f.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","37695" "*cbf8cb94407c028df22b4b16607adf543aa3087f079c4d7906bbb1d9081b7179*",".{0,1000}cbf8cb94407c028df22b4b16607adf543aa3087f079c4d7906bbb1d9081b7179.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37703" "*cbfa238232604e51fb4d47e27865ffb1fb993141634e249b246a0323ec3b1b4e*",".{0,1000}cbfa238232604e51fb4d47e27865ffb1fb993141634e249b246a0323ec3b1b4e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37704" "*cbfeba0eec5935a088047fbb04249aeeeef35ea08f9eabfa0f6fadd113b6b522*",".{0,1000}cbfeba0eec5935a088047fbb04249aeeeef35ea08f9eabfa0f6fadd113b6b522.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37707" "*cc0790a4988d294fbd9b971b3873b3cd48f4fd89bf2f23906b81f28f07c6d971*",".{0,1000}cc0790a4988d294fbd9b971b3873b3cd48f4fd89bf2f23906b81f28f07c6d971.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37709" 
"*cc13a80a78d9a3b77899ba4a01c32c7c8034e6f06c8f4815411ddaac42e79ccf*",".{0,1000}cc13a80a78d9a3b77899ba4a01c32c7c8034e6f06c8f4815411ddaac42e79ccf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37713" "*cc1a1ea3b0a719e36037ca340e24d6d574324578267bdfc38c3b4710289ec578*",".{0,1000}cc1a1ea3b0a719e36037ca340e24d6d574324578267bdfc38c3b4710289ec578.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","37718" "*cc284e9b0925fd814e4aa3d125804f7cde054863c3c467492a14e8f73a4cbced*",".{0,1000}cc284e9b0925fd814e4aa3d125804f7cde054863c3c467492a14e8f73a4cbced.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","37731" 
"*cc29d56606b58a553757b5a24398b0d44c899eda409a6c9b55a4085e6b47aa8c*",".{0,1000}cc29d56606b58a553757b5a24398b0d44c899eda409a6c9b55a4085e6b47aa8c.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","37732" "*cc352c90f7f771ad36e224e1b3357be8da3d698f8ef3edc2ac4999dd843a5071*",".{0,1000}cc352c90f7f771ad36e224e1b3357be8da3d698f8ef3edc2ac4999dd843a5071.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37737" "*cc3badcfbd2bad09f5a4312eabdc50b2d2259cbac5429deb6e53340468c7b7b0*",".{0,1000}cc3badcfbd2bad09f5a4312eabdc50b2d2259cbac5429deb6e53340468c7b7b0.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","37739" "*cc45f912feb2ff63f5868a2474716c30c75b0a7bc5be629a26d3b03acbf289f6*",".{0,1000}cc45f912feb2ff63f5868a2474716c30c75b0a7bc5be629a26d3b03acbf289f6.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","37741" 
"*cc45f912feb2ff63f5868a2474716c30c75b0a7bc5be629a26d3b03acbf289f6*",".{0,1000}cc45f912feb2ff63f5868a2474716c30c75b0a7bc5be629a26d3b03acbf289f6.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","37742" "*cc53f743f393cd710a36b8842793843a08b102b603213f0ef43b58c19ff01147*",".{0,1000}cc53f743f393cd710a36b8842793843a08b102b603213f0ef43b58c19ff01147.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37746" "*cc5604a463e90dd1da595a73e2fd9e0282a465fe7cd41f46e34ed05a7b84b295*",".{0,1000}cc5604a463e90dd1da595a73e2fd9e0282a465fe7cd41f46e34ed05a7b84b295.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37748" "*cc5f8c886d8fccf6571caa4954c7ec3e5ded2e8de3c06da6695c8ea755021cd4*",".{0,1000}cc5f8c886d8fccf6571caa4954c7ec3e5ded2e8de3c06da6695c8ea755021cd4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37754" 
"*cc60aad6d5c0055d8f7d2711da000ca0d487f0fe43543977b248d5fbd95eb1f6*",".{0,1000}cc60aad6d5c0055d8f7d2711da000ca0d487f0fe43543977b248d5fbd95eb1f6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37755" "*cc6356a6eb77a46e8d09d594d606a84d51b940023cefc616fb7d05faa36fd41f*",".{0,1000}cc6356a6eb77a46e8d09d594d606a84d51b940023cefc616fb7d05faa36fd41f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37756" "*cc90db8e72fb9f65c61b95463c245e7836a8fd7ac375b79dc1b01d2bff1a5bd6*",".{0,1000}cc90db8e72fb9f65c61b95463c245e7836a8fd7ac375b79dc1b01d2bff1a5bd6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37768" "*cc928db0c984d3a7e9822ebb7ac897ddb90f43848488a5c3261b5704085fa92a*",".{0,1000}cc928db0c984d3a7e9822ebb7ac897ddb90f43848488a5c3261b5704085fa92a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37769" "*cc94b15863602ae52934d4c3c08db27c61c1530a483093b82a1029a41c4fbd60*",".{0,1000}cc94b15863602ae52934d4c3c08db27c61c1530a483093b82a1029a41c4fbd60.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","37770" "*cc99b5463667c5a85d430ad159b1780d63b61d4bdd08b56f5ecabdb264679408*",".{0,1000}cc99b5463667c5a85d430ad159b1780d63b61d4bdd08b56f5ecabdb264679408.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37771" "*ccb0d8983c1937aded1f217dd002be4ee9d274cbd0e775d596767ca3954090cc*",".{0,1000}ccb0d8983c1937aded1f217dd002be4ee9d274cbd0e775d596767ca3954090cc.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37785" "*ccb13df8ba3d04697a15c8139018b213468ca3b51d725e5da173d516ee581b95*",".{0,1000}ccb13df8ba3d04697a15c8139018b213468ca3b51d725e5da173d516ee581b95.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37786" "*ccc327a0e562c42e1067d7082e00d89bb37bb5baf5433c0c775ae8dbf2a6463d*",".{0,1000}ccc327a0e562c42e1067d7082e00d89bb37bb5baf5433c0c775ae8dbf2a6463d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37792" "*ccd172f56541f0e08ef45066fadc2b75df8afe5e63869980f3dd921ff9c027ee*",".{0,1000}ccd172f56541f0e08ef45066fadc2b75df8afe5e63869980f3dd921ff9c027ee.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - 
Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37793" "*ccdbf9ce861c5032c54faa19c8addfb6a113acfc595851a4e3305d946f2abef5*",".{0,1000}ccdbf9ce861c5032c54faa19c8addfb6a113acfc595851a4e3305d946f2abef5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37796" "*ccdf8f148f9d2245383d69a5d9c7d4a5595c2c7c31416927ebda1e3bc1d33941*",".{0,1000}ccdf8f148f9d2245383d69a5d9c7d4a5595c2c7c31416927ebda1e3bc1d33941.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37798" "*cce6497c3f06700ee80fbd145bc228aa2016f1d3973e1a22b5d6c1bfbe53a447*",".{0,1000}cce6497c3f06700ee80fbd145bc228aa2016f1d3973e1a22b5d6c1bfbe53a447.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","37801" 
"*ccef810ad3e3d55975e4acaf210e75ee63fa5de1069c8c4ab1579765d541170b*",".{0,1000}ccef810ad3e3d55975e4acaf210e75ee63fa5de1069c8c4ab1579765d541170b.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","37803" "*ccefaabe2451d9b11d6fb57bd449b60526a760b6ed92bc6bf3614858dbb861d6*",".{0,1000}ccefaabe2451d9b11d6fb57bd449b60526a760b6ed92bc6bf3614858dbb861d6.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37804" "*ccf830a3d9985235d37d82bc38432568ff15744e3772fbf52c947914cdd6745a*",".{0,1000}ccf830a3d9985235d37d82bc38432568ff15744e3772fbf52c947914cdd6745a.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","37807" "*ccfae00ec39b5da0ecd9b68049725f07ac4a340c837fd43468419a5a5929f103*",".{0,1000}ccfae00ec39b5da0ecd9b68049725f07ac4a340c837fd43468419a5a5929f103.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37808" "*cd 
*.::$index_allocation*",".{0,1000}cd\s.{0,1000}\.\:\:\$index_allocation.{0,1000}","greyware_tool_keyword","$index_allocation","creation of hidden folders (and file) via ...$.......::$index_allocation","T1027.001 - T1564.001","TA0005 ","N/A","N/A","Defense Evasion","https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","37823" "*cd12e8a285c77102487f04726b91bc649f9ad087a1e9a5546124a0cc7480c221*",".{0,1000}cd12e8a285c77102487f04726b91bc649f9ad087a1e9a5546124a0cc7480c221.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","37836" "*cd152f7de2ba0b3fc2e6053141b7bf326bca81aed5d5efa709bb10baa801cdd2*",".{0,1000}cd152f7de2ba0b3fc2e6053141b7bf326bca81aed5d5efa709bb10baa801cdd2.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","37837" "*cd1978742a4afdbaaa15bf712d5c90bef4144caa99024df98f6a9ad58043ae85*",".{0,1000}cd1978742a4afdbaaa15bf712d5c90bef4144caa99024df98f6a9ad58043ae85.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","#filehash","N/A","10","1","N/A","N/A","N/A","N/A","37839"
"*cd1c54a8510c1e09d55868e12872aa54f9dc9ade95d70f08a173d29f6d676fde*",".{0,1000}cd1c54a8510c1e09d55868e12872aa54f9dc9ade95d70f08a173d29f6d676fde.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","37841" "*cd1cdad2d88d638a820cac9c562bccba8dbbc42d3ac1ec8482d12105325a3adc*",".{0,1000}cd1cdad2d88d638a820cac9c562bccba8dbbc42d3ac1ec8482d12105325a3adc.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37842" "*cd23ba3117eb39491f3286532575c3ccce97f0445e18352c87799a7f82274c10*",".{0,1000}cd23ba3117eb39491f3286532575c3ccce97f0445e18352c87799a7f82274c10.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","37845" "*cd244dfaba5789845405fe15f8290113d7ae87540d228c2bdea105f0351ca270*",".{0,1000}cd244dfaba5789845405fe15f8290113d7ae87540d228c2bdea105f0351ca270.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - 
Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37846" "*cd386a8883d2da370ccf24b6b29313bd58510ab87bce674ede931eb1310b153f*",".{0,1000}cd386a8883d2da370ccf24b6b29313bd58510ab87bce674ede931eb1310b153f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37852" "*cd38d27257bae0c4ff848fe924dc17d032f66032cd017d7e22b3b60457611269*",".{0,1000}cd38d27257bae0c4ff848fe924dc17d032f66032cd017d7e22b3b60457611269.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37853" "*cd4a93475e0410a506f0453e5b884b2b31f64d0ea65f287c97b34737232b2768*",".{0,1000}cd4a93475e0410a506f0453e5b884b2b31f64d0ea65f287c97b34737232b2768.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37858" "*cd5b16213c11faffa7ed44becec55368348013aa980e6a38f85f7f2a0aa2b85e*",".{0,1000}cd5b16213c11faffa7ed44becec55368348013aa980e6a38f85f7f2a0aa2b85e.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","37865" "*cd5dfb6374d84f6404352daf9fa4f0a788520a433f64b7df427f0fd4e1cb3c6a*",".{0,1000}cd5dfb6374d84f6404352daf9fa4f0a788520a433f64b7df427f0fd4e1cb3c6a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37866" "*cd84694d8b390661c5295f76a523381daaf840c0b3ef16cf02b11086ad8d4028*",".{0,1000}cd84694d8b390661c5295f76a523381daaf840c0b3ef16cf02b11086ad8d4028.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37876" 
"*cd8c433651e8c1f9442c29ef575704a9a81168dd38e56ba882c02d1aa372c545*",".{0,1000}cd8c433651e8c1f9442c29ef575704a9a81168dd38e56ba882c02d1aa372c545.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37879" "*cdb048f2bfd02f40df74c87a94add49a9e1625ae31e37d7b478ddeebbbaa288a*",".{0,1000}cdb048f2bfd02f40df74c87a94add49a9e1625ae31e37d7b478ddeebbbaa288a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37892" "*cdbe02812448aad7bf45b444a2d186a164af3c7275fd404ece8f93065fd33958*",".{0,1000}cdbe02812448aad7bf45b444a2d186a164af3c7275fd404ece8f93065fd33958.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon 
Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37895" "*cdd52658f4836d8767e267931a90bd187a8d81c4a0df548cf0c4056bd5fa73fa*",".{0,1000}cdd52658f4836d8767e267931a90bd187a8d81c4a0df548cf0c4056bd5fa73fa.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","37903" "*cdd530f38141348a294c13eec996195e8882d00d2ffb2b0ec89f58508fc3634d*",".{0,1000}cdd530f38141348a294c13eec996195e8882d00d2ffb2b0ec89f58508fc3634d.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","37904" "*cddf06841ab4e00c5904081b9ce4a8cbd610d9b10fb324ffdde7beb4ed7488e9*",".{0,1000}cddf06841ab4e00c5904081b9ce4a8cbd610d9b10fb324ffdde7beb4ed7488e9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37908" 
"*cde0f088445933eef88c2663bf2684f6e020d30347a7a230658d534c05f4e8d9*",".{0,1000}cde0f088445933eef88c2663bf2684f6e020d30347a7a230658d534c05f4e8d9.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","37910" "*cde2bf2225a77d8e5ffded509dbcd87d7445101a67acaf5a533e5884e6240beb*",".{0,1000}cde2bf2225a77d8e5ffded509dbcd87d7445101a67acaf5a533e5884e6240beb.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37912" "*cdn*.boxcdn.net*",".{0,1000}cdn.{0,1000}\.boxcdn\.net.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","1","#dnsquery","N/A","6","7","N/A","N/A","N/A","N/A","37922" "*ce18273ca20bd38c567b0355ca2c85575651b39249294969daa51e568077a872*",".{0,1000}ce18273ca20bd38c567b0355ca2c85575651b39249294969daa51e568077a872.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37937" "*ce2af789fd2484320375766e2ecf96e7aecba5fa3d589b9462d7d251d322d532*",".{0,1000}ce2af789fd2484320375766e2ecf96e7aecba5fa3d589b9462d7d251d322d532.{0,1000}","greyware_tool_keyword","rclone","Rclone is a 
command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37944" "*ce30c574477d0b2527ccfe103b31d810f6c1aa8a83c08bfb5899214951d75c0d*",".{0,1000}ce30c574477d0b2527ccfe103b31d810f6c1aa8a83c08bfb5899214951d75c0d.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37946" "*ce360e6f1b4a634b603f8ac114e938c057bb1cda5141a053d83e16bcfe08e373*",".{0,1000}ce360e6f1b4a634b603f8ac114e938c057bb1cda5141a053d83e16bcfe08e373.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37948" "*ce3d52dbf87883133296d17bf791fa8a248d7613015bfcae22ae29e0fd0c6ed3*",".{0,1000}ce3d52dbf87883133296d17bf791fa8a248d7613015bfcae22ae29e0fd0c6ed3.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37949" "*ce4adcbf74d8dff4dbc1658d4a4ba75f65c18f40be166e0482b9deefe6eb87cb*",".{0,1000}ce4adcbf74d8dff4dbc1658d4a4ba75f65c18f40be166e0482b9deefe6eb87cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37955" "*ce4fc109fa3b38b58035b1274318e8db4eac26aee424d0ae4fc8d4113146db52*",".{0,1000}ce4fc109fa3b38b58035b1274318e8db4eac26aee424d0ae4fc8d4113146db52.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","37956" "*ce523561aafdc54a24581460262853a579dfeda9653fb88bec95e3752a370118*",".{0,1000}ce523561aafdc54a24581460262853a579dfeda9653fb88bec95e3752a370118.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","37958" 
"*CE5AD78C-DBDF-4D81-9A69-41B1DF683115*",".{0,1000}CE5AD78C\-DBDF\-4D81\-9A69\-41B1DF683115.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#GUIDproject","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","37959" "*ce5e687fc19c3f437fb7f27525f3b84919a24fa16b0db787fafa36b9958c85d4*",".{0,1000}ce5e687fc19c3f437fb7f27525f3b84919a24fa16b0db787fafa36b9958c85d4.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","37961" "*CE62CBEE-DAA8-4E5E-AAAA-1F6FC291AB94*",".{0,1000}CE62CBEE\-DAA8\-4E5E\-AAAA\-1F6FC291AB94.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","#GUIDproject","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","37964" "*ce70a9a044271be4336d7376aa1d5c5f8de8497b1e284b083f6d2184d6f57042*",".{0,1000}ce70a9a044271be4336d7376aa1d5c5f8de8497b1e284b083f6d2184d6f57042.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","37965" 
"*ce7c494c2959f874740bab1c74b444d776c9d6550337c8c046a1ddd795194b98*",".{0,1000}ce7c494c2959f874740bab1c74b444d776c9d6550337c8c046a1ddd795194b98.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","37970" "*ce9bd575dccf2e5b373d8f7b1aca7cfdbf6d9a4e9179a24ac6d92914b3f782d4*",".{0,1000}ce9bd575dccf2e5b373d8f7b1aca7cfdbf6d9a4e9179a24ac6d92914b3f782d4.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","37976" "*ce9c03462b055ad6152b572662fbbc1febb19f9ce41f6ff7c7a2bfed51102166*",".{0,1000}ce9c03462b055ad6152b572662fbbc1febb19f9ce41f6ff7c7a2bfed51102166.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","37977" "*ce9e92734048598d84c3ca3a1da32ecdf759e43b3e13716bf0bf91183c7544f2*",".{0,1000}ce9e92734048598d84c3ca3a1da32ecdf759e43b3e13716bf0bf91183c7544f2.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","37978" "*ceb97d1ab5525c1d833ca8bc63276818ed3065832fc0a23702f308b9a2c256fb*",".{0,1000}ceb97d1ab5525c1d833ca8bc63276818ed3065832fc0a23702f308b9a2c256fb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37981" "*cec7da1735babcd6cdd3f77e64b1eb14963a3ff3d6da825439e1c1e43dc75007*",".{0,1000}cec7da1735babcd6cdd3f77e64b1eb14963a3ff3d6da825439e1c1e43dc75007.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37983" "*cec943f322857887bed2af7cf0aacb4052dcdb63eb76180f6a2022e3e4133718*",".{0,1000}cec943f322857887bed2af7cf0aacb4052dcdb63eb76180f6a2022e3e4133718.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","37984" "*ced457dd55d9feb120aaf301915be097aab3a0a42e26a9e9f4d3023c1b84cb8a*",".{0,1000}ced457dd55d9feb120aaf301915be097aab3a0a42e26a9e9f4d3023c1b84cb8a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","37987" "*certoc.exe -GetCACAPS https://raw.githubusercontent.com*",".{0,1000}certoc\.exe\s\-GetCACAPS\shttps\:\/\/raw\.githubusercontent\.com.{0,1000}","greyware_tool_keyword","certoc","download from github with certoc","T1105 - T1566.001 - T1071.001","TA0009 - 
TA0005","N/A","N/A","Collection","https://lolbas-project.github.io/lolbas/Binaries/Certoc/","1","0","N/A","lolbin","8","9","N/A","N/A","N/A","N/A","38026" "*certs@tunwg.com*",".{0,1000}certs\@tunwg\.com.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#email","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","38027" "*certutil -urlcache -split -f http*.exe*",".{0,1000}certutil\s\-urlcache\s\-split\s\-f\shttp.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","certutil","Certutil download behavior observed by APT41 group","T1105 - T1566.001 - T1071.001","TA0009 - TA0005","N/A","APT41","Collection","https://detect.fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","N/A","lolbin","8","9","N/A","N/A","N/A","N/A","38036" "*certutil.exe -urlcache -split -f *https://cdn.discordapp.com/attachments/*",".{0,1000}certutil\.exe\s\-urlcache\s\-split\s\-f\s.{0,1000}https\:\/\/cdn\.discordapp\.com\/attachments\/.{0,1000}","greyware_tool_keyword","certutil","LOLBAS execution - downloading payload from discord with certutil","T1105 - T1218.010 - T1071.001 - T1036.005","TA0009 - TA0002 - TA0005","N/A","CHRYSENE - GOLD SOUTHFIELD","Collection","N/A","1","0","N/A","lolbin","10","10","N/A","N/A","N/A","N/A","38037" "*certutil.exe -urlcache -split -f http*.bat C:\ProgramData\*",".{0,1000}certutil\.exe\s\-urlcache\s\-split\s\-f\shttp.{0,1000}\.bat\sC\:\\ProgramData\\.{0,1000}","greyware_tool_keyword","certutil","Certutil download behavior observed by the Dispossessor ransomware group","T1105 - T1566.001 - T1071.001","TA0009 - TA0005","N/A","Dispossessor","Collection","N/A","1","0","N/A","lolbin","10","10","N/A","N/A","N/A","N/A","38038" "*certutil.exe -urlcache -split -f http*.ps1 
C:\ProgramData\*",".{0,1000}certutil\.exe\s\-urlcache\s\-split\s\-f\shttp.{0,1000}\.ps1\sC\:\\ProgramData\\.{0,1000}","greyware_tool_keyword","certutil","Certutil download behavior observed by the Dispossessor ransomware group","T1105 - T1566.001 - T1071.001","TA0009 - TA0005","N/A","Dispossessor","Collection","N/A","1","0","N/A","lolbin","10","10","N/A","N/A","N/A","N/A","38039" "*certutil.exe -urlcache -split -f http*.vbs C:\ProgramData\*",".{0,1000}certutil\.exe\s\-urlcache\s\-split\s\-f\shttp.{0,1000}\.vbs\sC\:\\ProgramData\\.{0,1000}","greyware_tool_keyword","certutil","Certutil download behavior observed by the Dispossessor ransomware group","T1105 - T1566.001 - T1071.001","TA0009 - TA0005","N/A","Dispossessor","Collection","N/A","1","0","N/A","lolbin","10","10","N/A","N/A","N/A","N/A","38040" "*certutil.exe -urlcache -split -f https://raw.githubusercontent.com/*",".{0,1000}certutil\.exe\s\-urlcache\s\-split\s\-f\shttps\:\/\/raw\.githubusercontent\.com\/.{0,1000}","greyware_tool_keyword","certutil","Certutil Download from github","T1105 - T1566.001 - T1071.001","TA0009 - TA0005","N/A","N/A","Collection","N/A","1","0","N/A","lolbin","8","9","N/A","N/A","N/A","N/A","38041" "*certutil.exe* -addstore ""TrustedPublisher""*ultravnc.cer*",".{0,1000}certutil\.exe.{0,1000}\s\-addstore\s\""TrustedPublisher\"".{0,1000}ultravnc\.cer.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38042" "*cf1327f3776cf7b4398a7984f602e78cc1976520d018933555c11bf538d21654*",".{0,1000}cf1327f3776cf7b4398a7984f602e78cc1976520d018933555c11bf538d21654.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - 
T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","38046" "*cf194caf93ce5a46768876b5fee0f644f6878e0a4dea0e391bf4ea1689731cb5*",".{0,1000}cf194caf93ce5a46768876b5fee0f644f6878e0a4dea0e391bf4ea1689731cb5.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","38047" "*cf22ddc0de9ed5121eea525f5a701fbf7581b515372884d3c27c6ab6becb7d92*",".{0,1000}cf22ddc0de9ed5121eea525f5a701fbf7581b515372884d3c27c6ab6becb7d92.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","38049" "*cf2a0ea978a7f5a254a046155a39127ae68701a7b4ec51dd2e509b9f217e960f*",".{0,1000}cf2a0ea978a7f5a254a046155a39127ae68701a7b4ec51dd2e509b9f217e960f.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","38053" 
"*cf3de8f800852490f39fdacbe74627564494235f*",".{0,1000}cf3de8f800852490f39fdacbe74627564494235f.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38059" "*cf418ac948b21bbed8565d6f11419405aa7b25d3c37b8a2b212e85f6aa76d233*",".{0,1000}cf418ac948b21bbed8565d6f11419405aa7b25d3c37b8a2b212e85f6aa76d233.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","38061" "*cf4f53ce90255cd73ce5ad88865cc2239d96f51bd71b4fd109d6d08aabfe1b50*",".{0,1000}cf4f53ce90255cd73ce5ad88865cc2239d96f51bd71b4fd109d6d08aabfe1b50.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","38062" "*cf51ff263c4171a25b93703cad922ad1f4ca4a43eb93f4b4b6129a774acccefe*",".{0,1000}cf51ff263c4171a25b93703cad922ad1f4ca4a43eb93f4b4b6129a774acccefe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","38063" "*cf5cc61f68d705860538b8d3e865ae026a7b27e4da8c1c1a3f50c5e7827cd097*",".{0,1000}cf5cc61f68d705860538b8d3e865ae026a7b27e4da8c1c1a3f50c5e7827cd097.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","38064" "*cf700fa504e99bf418029192fdfe571eb19338f2a9053bb81ca082c714cf59d5*",".{0,1000}cf700fa504e99bf418029192fdfe571eb19338f2a9053bb81ca082c714cf59d5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","38067" "*cf7f543c3e8144b822f184d610284ef2986e9a9fe4482c377e71d7de0eee6336*",".{0,1000}cf7f543c3e8144b822f184d610284ef2986e9a9fe4482c377e71d7de0eee6336.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","38069" "*cf873001de9c33445213818c5844992e1a3a02486bd3defce556b95e9b0f4af0*",".{0,1000}cf873001de9c33445213818c5844992e1a3a02486bd3defce556b95e9b0f4af0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","38071" "*cf89753f97f44100d17ddac620231af952e70cb3f4fc02f410d3573be06b332e*",".{0,1000}cf89753f97f44100d17ddac620231af952e70cb3f4fc02f410d3573be06b332e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","38072" "*cf8ba8220acc8d2af85040b65bd3b8af72a315ce6ba3da1f0d1f73b21cbd3411*",".{0,1000}cf8ba8220acc8d2af85040b65bd3b8af72a315ce6ba3da1f0d1f73b21cbd3411.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","38073" "*cfa2c04ccd3a209c5a01db6de5b393dc2f1f038add46d45e957490c990a47c62*",".{0,1000}cfa2c04ccd3a209c5a01db6de5b393dc2f1f038add46d45e957490c990a47c62.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","38080" "*cfad83c752fa011d705c5a6fa65f0ea4fb99f56209a8b67f9a32629a7f36ee6d*",".{0,1000}cfad83c752fa011d705c5a6fa65f0ea4fb99f56209a8b67f9a32629a7f36ee6d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","38082" "*cfb47bb4ee8119eaf61f1c2a34226e74af91c22485760bfd1f2209852bfbbf7f*",".{0,1000}cfb47bb4ee8119eaf61f1c2a34226e74af91c22485760bfd1f2209852bfbbf7f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","38086" "*cfb8075c16ed227876a923bbc3c6f5e5311db40f730e2154501512f72a9ad5b2*",".{0,1000}cfb8075c16ed227876a923bbc3c6f5e5311db40f730e2154501512f72a9ad5b2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","38087" 
"*cfc766cc82568e40d7198493340283cc0f4f42de97463aef863170f7e773ff9c*",".{0,1000}cfc766cc82568e40d7198493340283cc0f4f42de97463aef863170f7e773ff9c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","38089" "*CFCD0759E20F29C399C9D4210BE614E4E020BEE8*",".{0,1000}CFCD0759E20F29C399C9D4210BE614E4E020BEE8.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#content","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","38093" "*cfcdba9a1f3f660957120a8096f37fba92e92e89a24a18c916130ab459cfcf73*",".{0,1000}cfcdba9a1f3f660957120a8096f37fba92e92e89a24a18c916130ab459cfcf73.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","38095" "*cfde70b05b27b08980827e7120b36d0d6c3b93a079ee5f54a8fd7a1f6e3aa18f*",".{0,1000}cfde70b05b27b08980827e7120b36d0d6c3b93a079ee5f54a8fd7a1f6e3aa18f.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","38098" "*cfe2c39137630a2138ab970e5313c27210527c0fcbc583f328508d8b956edfb9*",".{0,1000}cfe2c39137630a2138ab970e5313c27210527c0fcbc583f328508d8b956edfb9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","38100" "*cffe4f305bd8e92604ee54b41ecf0f280756c25ca65170e1e8da031a3e269745*",".{0,1000}cffe4f305bd8e92604ee54b41ecf0f280756c25ca65170e1e8da031a3e269745.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","38108" "*cgojmfochfikphincbhokimmmjenhhgk*",".{0,1000}cgojmfochfikphincbhokimmmjenhhgk.{0,1000}","greyware_tool_keyword","Whoer VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","38114" "*Chage language nedd to restart PowerTool*",".{0,1000}Chage\slanguage\snedd\sto\srestart\sPowerTool.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","38118" "*Chage language nedd to restart PowerTool*",".{0,1000}Chage\slanguage\snedd\sto\srestart\sPowerTool.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","38119" "*Channel IP for client: *@gmail.com/chromoting*",".{0,1000}Channel\sIP\sfor\sclient\:\s.{0,30}\@gmail\.com\/chromoting.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38129" 
"*chat.us.n-able.com*",".{0,1000}chat\.us\.n\-able\.com.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38135" "*chattr +i $HISTFILE*",".{0,1000}chattr\s\+i\s\$HISTFILE.{0,1000}","greyware_tool_keyword","chattr","lock out the ability to update the file","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","38139" "*chattr +i *.bash_history*",".{0,1000}chattr\s\+i\s.{0,1000}\.bash_history.{0,1000}","greyware_tool_keyword","chattr","lock out the ability to update the file","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","38140" "*chattr -ia */etc/passwd*",".{0,1000}chattr\s\-ia\s.{0,1000}\/etc\/passwd.{0,1000}","greyware_tool_keyword","chattr","changes the permissions and attributes of sensitive files","T1222.001 - T1222.002","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","38141" "*chattr -ia */etc/shadow*",".{0,1000}chattr\s\-ia\s.{0,1000}\/etc\/shadow.{0,1000}","greyware_tool_keyword","chattr","changes the permissions and attributes of sensitive files","T1222.001 - T1222.002","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","38142" "*chattr -ia */etc/sudoers*",".{0,1000}chattr\s\-ia\s.{0,1000}\/etc\/sudoers.{0,1000}","greyware_tool_keyword","chattr","changes the permissions and attributes of sensitive files","T1222.001 - T1222.002","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","38143" "*chgpass.exe*Administrator 
*",".{0,1000}chgpass\.exe.{0,1000}Administrator\s.{0,1000}","greyware_tool_keyword","chgpass","reset the local administrator password","T1098.003 - T1078.003 - T1003.002","TA0006","N/A","N/A","Credential Access","https://x.com/decoder_it/status/1882851589352051144","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","38166" "*chgpass.exe*DSRM*",".{0,1000}chgpass\.exe.{0,1000}DSRM.{0,1000}","greyware_tool_keyword","chgpass","reset the DSRM password which is the local administrator account on the domain controller stored in the local SAM","T1098.003 - T1078.003 - T1003.002","TA0006","N/A","N/A","Credential Access","https://x.com/decoder_it/status/1882851589352051144","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","38167" "*chioafkonnhbpajpengbalkececleldf*",".{0,1000}chioafkonnhbpajpengbalkececleldf.{0,1000}","greyware_tool_keyword","BullVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","38170" "*chisel server --port *",".{0,1000}chisel\sserver\s\-\-port\s.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","chisel","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","38175" "*chkconfig off ip6tables*","chkconfig\soff\sip6tables","greyware_tool_keyword","iptables","Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","38185" "*chkconfig off iptables*","chkconfig\soff\siptables","greyware_tool_keyword","iptables","Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","38186" "*chmod 4777 /tmp/.scsi/dev/bin/gsh*",".{0,1000}chmod\s4777\s\/tmp\/\.scsi\/dev\/bin\/gsh.{0,1000}","greyware_tool_keyword","tmpwatch","Equation Group hack tool set command exploitation- tmpwatch - removes files which haven't been accessed for a period of time","T1070.004 - T1059 - T1047","TA0007 - TA0002 - TA0040","N/A","N/A","Malware","https://linux.die.net/man/8/tmpwatch","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","38193" "*chmod 700 duck.sh*",".{0,1000}chmod\s700\sduck\.sh.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","#linux","N/A","5","10","N/A","N/A","N/A","N/A","38195" "*choco 
install croc*",".{0,1000}choco\sinstall\scroc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","38204" "*choco install localxpose*",".{0,1000}choco\sinstall\slocalxpose.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","38205" "*choco install rclone*",".{0,1000}choco\sinstall\srclone.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","38206" "*chown boringproxy:boringproxy *",".{0,1000}chown\sboringproxy\:boringproxy\s.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#linux","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","38216" "*chown crowbar:crowbar *",".{0,1000}chown\scrowbar\:crowbar\s.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#linux","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","38217" "*chown root:root /tmp/.scsi/dev/bin/*",".{0,1000}chown\sroot\:root\s\/tmp\/\.scsi\/dev\/bin\/.{0,1000}","greyware_tool_keyword","tmpwatch","Equation Group hack tool set command exploitation- tmpwatch - removes files which haven't been accessed for a period of time","T1070.004 - T1059 - T1047","TA0007 - TA0002 - TA0040","N/A","N/A","Malware","https://linux.die.net/man/8/tmpwatch","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","38219" "*--chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/*",".{0,1000}\-\-chown\=nonroot\s\/go\/src\/github\.com\/cloudflare\/cloudflared\/cloudflared\s\/usr\/local\/bin\/.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38220" "*Chrome remote desktop installation completed*",".{0,1000}Chrome\sremote\sdesktop\sinstallation\scompleted.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","windows event logs application provider name","10","10","N/A","N/A","N/A","N/A","38229" "*chrome* --headless * --dump-dom http*",".{0,1000}chrome.{0,1000}\s\-\-headless\s.{0,1000}\s\-\-dump\-dom\shttp.{0,1000}","greyware_tool_keyword","chromium","Headless Chromium allows running Chromium in a headless/server environment - downloading a file - abused by attackers","T1553.002 - T1059.005 - T1071.001 - T1561","TA0002","N/A","N/A","Defense Evasion","https://redcanary.com/blog/intelligence-insights-june-2023/","1","0","N/A","N/A","4","5","N/A","N/A","N/A","N/A","38230" "*chrome.exe* --load-extension=""*\Users\*\Appdata\Local\Temp\*",".{0,1000}chrome\.exe.{0,1000}\s\-\-load\-extension\=\"".{0,1000}\\Users\\.{0,1000}\\Appdata\\Local\\Temp\\.{0,1000}","greyware_tool_keyword","chromium","The --load-extension switch allows the source to specify a target directory to load as an extension. 
This gives malware the opportunity to start a new browser window with their malicious extension loaded.","T1136.001 - T1176 - T1059.007","TA0003 - TA0004 - TA0005","N/A","N/A","Exploitation tool","https://www.mandiant.com/resources/blog/lnk-between-browsers","1","0","N/A","risk of false positives","7","10","N/A","N/A","N/A","N/A","38231" "*ChromeCookiesView.exe*",".{0,1000}ChromeCookiesView\.exe.{0,1000}","greyware_tool_keyword","ChromeCookiesView","displays the list of all cookies stored by Google Chrome Web browser - abused by attackers","T1539 - T1005 - T1070.004 - T1552.001","TA0006 - TA0008 - TA0009","N/A","Evilnum - MuddyWater","Credential Access","https://www.nirsoft.net/utils/chrome_cookies_view.html","1","1","N/A","https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf","8","10","N/A","N/A","N/A","N/A","38236" "*chromecookiesview.zip*",".{0,1000}chromecookiesview\.zip.{0,1000}","greyware_tool_keyword","ChromeCookiesView","displays the list of all cookies stored by Google Chrome Web browser - abused by attackers","T1539 - T1005 - T1070.004 - T1552.001","TA0006 - TA0008 - TA0009","N/A","Evilnum - MuddyWater","Credential Access","https://www.nirsoft.net/utils/chrome_cookies_view.html","1","1","N/A","https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf","8","10","N/A","N/A","N/A","N/A","38237" "*chromecookiesview-x64.zip*",".{0,1000}chromecookiesview\-x64\.zip.{0,1000}","greyware_tool_keyword","ChromeCookiesView","displays the list of all cookies stored by Google Chrome Web browser - abused by attackers","T1539 - T1005 - T1070.004 - T1552.001","TA0006 - TA0008 - TA0009","N/A","Evilnum - MuddyWater","Credential Access","https://www.nirsoft.net/utils/chrome_cookies_view.html","1","1","N/A","https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf","8","10","N/A","N/A","N/A","N/A","38238" 
"*chrome-remote-desktop.service*",".{0,1000}chrome\-remote\-desktop\.service.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38252" "*chrome-remote-desktop_current_amd64.deb*",".{0,1000}chrome\-remote\-desktop_current_amd64\.deb.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38253" "*chromeremotedesktophost.msi*",".{0,1000}chromeremotedesktophost\.msi.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38254" "*chsh -s /bin/false ehorus*",".{0,1000}chsh\s\-s\s\/bin\/false\sehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","38265" "*ckiahbcmlmkpfiijecbpflfahoimklke*",".{0,1000}ckiahbcmlmkpfiijecbpflfahoimklke.{0,1000}","greyware_tool_keyword","Gom VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","38295" "*Clear-EventLog -LogName Security*",".{0,1000}Clear\-EventLog\s\-LogName\sSecurity.{0,1000}","greyware_tool_keyword","powershell","clearing security logs with powershell","T1070.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38304" "*Clear-RecycleBin -Force -ErrorAction SilentlyContinue*",".{0,1000}Clear\-RecycleBin\s\-Force\s\-ErrorAction\sSilentlyContinue.{0,1000}","greyware_tool_keyword","powershell","Deletes contents of recycle bin","T1056.002 - T1566.001 - T1567.002","TA0004 - TA0040 - TA0010","N/A","N/A","Credential Access","https://github.com/hak5/omg-payloads/tree/master/payloads/library/credentials/-OMG-Credz-Plz","1","0","N/A","N/A","10","10","904","310","2024-09-14T02:34:26Z","2021-09-08T20:33:18Z","38314" "*client.teamviewer.com*",".{0,1000}client\.teamviewer\.com.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS 
PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","38332" "*client-api.aweray.com*",".{0,1000}client\-api\.aweray\.com.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38333" "*cloud.telebit.remot*",".{0,1000}cloud\.telebit\.remot.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38351" "*cloudflared tunnel --config *",".{0,1000}cloudflared\stunnel\s\-\-config\s.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38358" "*cloudflared tunnel create *",".{0,1000}cloudflared\stunnel\screate\s.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38359" "*cloudflared tunnel info 
*",".{0,1000}cloudflared\stunnel\sinfo\s.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38360" "*cloudflared tunnel list*",".{0,1000}cloudflared\stunnel\slist.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38361" "*cloudflared tunnel login*",".{0,1000}cloudflared\stunnel\slogin.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38362" "*cloudflared tunnel route dns *",".{0,1000}cloudflared\stunnel\sroute\sdns\s.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - 
FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38363" "*cloudflared tunnel route ip add *",".{0,1000}cloudflared\stunnel\sroute\sip\sadd\s.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38364" "*cloudflared tunnel route ip show*",".{0,1000}cloudflared\stunnel\sroute\sip\sshow.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38365" "*cloudflared tunnel run *",".{0,1000}cloudflared\stunnel\srun\s.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38366" "*cloudflared-amd64.pkg*",".{0,1000}cloudflared\-amd64\.pkg.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling 
daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38367" "*cloudflared-windows-386.exe*",".{0,1000}cloudflared\-windows\-386\.exe.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38368" "*cloudflared-windows-amd64.exe*",".{0,1000}cloudflared\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38369" "*cloudflared-windows-amd64.msi*",".{0,1000}cloudflared\-windows\-amd64\.msi.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","38370" 
"*cm9vdDppcyB0d2VsdmU=*",".{0,1000}cm9vdDppcyB0d2VsdmU\=.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","38387" "*cmd /c wmic /node:* process call create ""C:\programdata\*",".{0,1000}cmd\s\s\/c\swmic\s\/node\:.{0,1000}\sprocess\scall\screate\s\""C\:\\programdata\\.{0,1000}","greyware_tool_keyword","wmic","suspicious lateral movement command executing payload from suspicious directories","T1570 - T1021","TA0008","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38390" "*cmd /c wmic /node:* process call create ""C:\Temp\*",".{0,1000}cmd\s\s\/c\swmic\s\/node\:.{0,1000}\sprocess\scall\screate\s\""C\:\\Temp\\.{0,1000}","greyware_tool_keyword","wmic","suspicious lateral movement command executing payload from suspicious directories","T1570 - T1021","TA0008","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38391" "*cmd /c wmic /node:* process call create ""C:\users\*\AppData\Local\Temp*",".{0,1000}cmd\s\s\/c\swmic\s\/node\:.{0,1000}\sprocess\scall\screate\s\""C\:\\users\\.{0,1000}\\AppData\\Local\\Temp.{0,1000}","greyware_tool_keyword","wmic","suspicious lateral movement command executing payload from suspicious directories","T1570 - T1021","TA0008","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38392" "*cmd /c wmic /node:* process call create 
""C:\users\Public*",".{0,1000}cmd\s\s\/c\swmic\s\/node\:.{0,1000}\sprocess\scall\screate\s\""C\:\\users\\Public.{0,1000}","greyware_tool_keyword","wmic","suspicious lateral movement command executing payload from suspicious directories","T1570 - T1021","TA0008","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38393" "*cmd /c *qwinsta*",".{0,1000}cmd\s\/c\s.{0,1000}qwinsta.{0,1000}","greyware_tool_keyword","qwinsta","enumerate rdp session on a remote server","T1049 - T1018 - T1021.001","TA0007 - TA0009 - TA0010","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","3","8","N/A","N/A","N/A","N/A","38397" "*cmd /c 'echo Aa123456! * --set-password*",".{0,1000}cmd\s\/c\s\'echo\sAa123456!\s.{0,1000}\s\-\-set\-password.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://github.com/Ab4y98/VerySimpleAnyDeskBackdoor/blob/main/AnydeskBackdoor.ps1","1","0","N/A","simple backdoor with anydesk","10","1","1","0","2025-04-17T19:04:37Z","2023-12-05T22:08:51Z","38398" "*cmd /C reg export hkcu*",".{0,1000}cmd\s\/C\sreg\sexport\shkcu.{0,1000}","greyware_tool_keyword","reg","exporting registry keys","T1012","TA0009","N/A","N/A","Collection","https://blog.talosintelligence.com/uat-5647-romcom/","1","0","#registry","N/A","5","6","N/A","N/A","N/A","N/A","38402" "*cmd /C reg export hklm*",".{0,1000}cmd\s\/C\sreg\sexport\shklm.{0,1000}","greyware_tool_keyword","reg","exporting registry keys","T1012","TA0009","N/A","N/A","Collection","https://blog.talosintelligence.com/uat-5647-romcom/","1","0","#registry","N/A","7","8","N/A","N/A","N/A","N/A","38403" "*cmd /c regsvr32.exe /s 
C:\*\desktop.ini"" start= auto*",".{0,1000}cmd\s\/c\sregsvr32\.exe\s\/s\sC\:\\.{0,1000}\\desktop\.ini\""\sstart\=\sauto.{0,1000}","greyware_tool_keyword","regsvr32","suspicious service creation executing a desktop.ini file observed in a malware sample","T1543.003","TA0003","N/A","N/A","Persistence","https://www.virustotal.com/gui/file/faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e/behavior","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","38404" "*cmd /c set /A 1^^0*",".{0,1000}cmd\s\/c\sset\s\/A\s1\^\^0.{0,1000}","greyware_tool_keyword","set","Bitwise XOR Operation in commandline observed in a malware sample","T1059.003 - T1480.001","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://tria.ge/240617-mn75pa1cnl/behavioral2/analog?proc=87","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","38405" "*cmd /c systeminfo*",".{0,1000}cmd\s\/c\ssysteminfo.{0,1000}","greyware_tool_keyword","systeminfo","gathering details about the local system","T1082 - T1012 - T1033","TA0007 - TA0002","N/A","N/A","Discovery","https://thedfirreport.com/2024/08/26/blacksuit-ransomware/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","38407" "*cmd /c xcopy /s /i /h /e /q /y /d*",".{0,1000}cmd\s\/c\sxcopy\s\/s\s\/i\s\/h\s\/e\s\/q\s\/y\s\/d.{0,1000}","greyware_tool_keyword","xcopy","command used by Doina trojan","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Data Exfiltration","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38409" "*cmd* wevtutil.exe cl *",".{0,1000}cmd.{0,1000}\swevtutil\.exe\scl\s.{0,1000}","greyware_tool_keyword","wevtutil","adversaries can delete specific event logs or clear their contents. erasing potentially valuable information that could aid in detection. incident response. or forensic investigations. 
This tactic aims to hinder forensic analysis efforts and make it more challenging for defenders to reconstruct the timeline of events or identify malicious activities.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","38411" "*cmd*echo*\pipe\*",".{0,1000}cmd.{0,1000}echo.{0,1000}\\pipe\\.{0,1000}","greyware_tool_keyword","echo","Detects the use of getsystem Meterpreter/Cobalt Strike command. Getsystem is used to elevate privilege to SYSTEM account","T1068.003 - T1078.002","TA0004 - TA0008","N/A","N/A","Exploitation tool","https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","38412" "*cmd.exe /S /D /c* echo 123",".{0,1000}cmd\.exe\s\s\/S\s\/D\s\/c.{0,1000}\secho\s123","greyware_tool_keyword","echo","Adversaries may attempt to test echo command after exploitation","T1059.001 - T1059.003","TA0002 - TA0006","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","38414" "*cmd.exe /c chcp >&2*",".{0,1000}cmd\.exe\s\/c\schcp\s\>\&2.{0,1000}","greyware_tool_keyword","chcp","chcp displays the number of the active console code page","T1059 - T1027","TA0002 - TA0009","N/A","N/A","Defense Evasion","https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","38419" "*cmd.exe /c echo %username%*",".{0,1000}cmd\.exe\s\/c\secho\s\%username\%.{0,1000}","greyware_tool_keyword","echo","alternative to whoami","T1033","TA0007 ","N/A","N/A","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","6","9","N/A","N/A","N/A","N/A","38420" "*cmd.exe /c echo * > 
\\.\pipe\*",".{0,1000}cmd\.exe\s\/c\secho\s.{0,1000}\s\>\s\\\\\.\\pipe\\.{0,1000}","greyware_tool_keyword","cobaltstrike","potential malleable Cobalt Strike profiles behavior","T1559 - T1134.001 - T1548.002 - T1548.003 - T1134.001 - T1134.003 - T1134.004 - T1087.002 - T1071.001 - T1071.004 - T1071.005 - T1197 - T1185 - T1059.001 - T1059.003 - T1059.004 - T1068.002 - T1083 - T1564.010 - T1562.001 - T1005 - T1001.003 - T1030 - T1140 - T1573.001 - T1573.002 - T1203 - T1068.001 - T1083 - T1135 - T1095 - T1027 - T1137.001 - T1003.001 - T1003.002 - T1069.001 - T1069.002 - T1057 - T1055.001 - T1055.012 - T1572 - T1090.001 - T1090.004 - T1012 - T1620 - T1021.001 - T1021.002 - T1021.003 - T1021.004 - T1021.006 - T1018 - T1029 - T1113 - T1518 - T1553.002 - T1218.011 - T1016 - T1049 - T1007 - T1569.002 - T1550.002 - T1078.002 - T1078.003 - T1047","TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0040","N/A","APT19 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - Common Raven - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass - Unit 29155 - Akira - APT15 - APT26 - BRONZE STARLIGHT - COZY BEAR - Sandworm","C2","https://github.com/IcebreakerSecurity/DelegationBOF","1","0","#namedpipe","N/A","10","10","141","23","2022-05-04T14:00:36Z","2022-03-28T20:14:24Z","38421" "*cmd.exe /c echo * > \\.\pipe\*",".{0,1000}cmd\.exe\s\/c\secho\s.{0,1000}\s\>\s\\\\\.\\pipe\\.{0,1000}","greyware_tool_keyword","echo","potential malleable Cobalt Strike profiles behavior","T1559 - T1134.001","TA0008 - TA0011","N/A","APT19 - 
APT29 - MAZE - APT32 - APT37 - APT41 - Aquatic Panda - AvosLocker - Black Basta - BlackByte - BlackCat - BlackSuit - CL0P - Cactus - Chimera - Cobalt Group - Conti - CopyKittens - Cuba - Dagon Locker - DarkHydrus - Diavol - Earth Lusca - EvilCorp* - FIN6 - FIN7 - Hive - Indrik Spider - Karakurt - Leviathan - LockBit - LuminousMoth - Mustang Panda - NetWalker - Nokoyawa - PLAY - Phobos - Qilin - Quantum - REvil - RagnarLocker - RansomEXX - Royal - Ryuk - Snatch - TA505 - Threat Group-3390 - Trigona - Vice Society - Wizard Spider - XingLocker - Yanluowang - menuPass","C2","https://github.com/IcebreakerSecurity/DelegationBOF","1","0","#namedpipe","N/A","10","10","141","23","2022-05-04T14:00:36Z","2022-03-28T20:14:24Z","38422" "*cmd.exe /c echo * > \\.\pipe\*",".{0,1000}cmd\.exe\s\/c\secho\s.{0,1000}\s\>\s\\\\\.\\pipe\\.{0,1000}","greyware_tool_keyword","echo","Named pipe impersonation","T1134.002 - T1055 - T1548.002","TA0004 - TA0003 - TA0002","N/A","N/A","Privilege Escalation","https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","38423" "*cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc *","cmd\.exe\s\/c\sPowerShell\.exe\s\-Exec\sByPass\s\-Nol\s\-Enc\s.{0,1000}","greyware_tool_keyword","powershell","Jenkins Abuse Without admin access","T1210.002 - T1078.003 - T1046","TA0001 - TA0007 - TA0040","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","38429" "*cmd.exe /c set /A 1^^0*",".{0,1000}cmd\.exe\s\/c\sset\s\/A\s1\^\^0.{0,1000}","greyware_tool_keyword","set","Bitwise XOR Operation in commandline observed in a malware sample","T1059.003 - T1480.001","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://tria.ge/240617-mn75pa1cnl/behavioral2/analog?proc=87","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","38432" "*cmd.exe /c 
systeminfo*",".{0,1000}cmd\.exe\s\/c\ssysteminfo.{0,1000}","greyware_tool_keyword","systeminfo","gathering details about the local system","T1082 - T1012 - T1033","TA0007 - TA0002","N/A","N/A","Discovery","https://thedfirreport.com/2024/08/26/blacksuit-ransomware/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","38433" "*cmd.exe /C wmic /node:* /user:* /password:* os get caption*",".{0,1000}cmd\.exe\s\/C\swmic\s\/node\:.{0,1000}\s\/user\:.{0,1000}\s\/password\:.{0,1000}\sos\sget\scaption.{0,1000}","greyware_tool_keyword","wmic","gather information about Windows OS version and licensing on the hosts","T1047 - T1016 - T1082","TA0007 - TA0002 - TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/","1","0","N/A","greyware tool - risks of False positive !","6","9","N/A","N/A","N/A","N/A","38436" "*cmd.exe /Q /c dir 1> * 2>&1 && certutil -encodehex *",".{0,1000}cmd\.exe\s\/Q\s\/c\sdir\s1\>\s.{0,1000}\s2\>\&1\s\&\&\scertutil\s\-encodehex\s.{0,1000}","greyware_tool_keyword","impacket","Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. 
SMB1-3 and MSRPC) the protocol implementation itself","T1557.001 - T1040 - T1003.001 - T1003.002 - T1003.003 - T1003.004 - T1558.003 - T1569.002 - T1047","TA0001 - TA0003 - TA0004 - TA0005 - TA0006 - TA0008 - TA0011","N/A","Akira - Bassterlord* - BianLian - Dragonfly - FIN8 - HAFNIUM - Hive - LockBit - Magic Hound - RansomHub - Rhysida - Sandworm Team - Scattered Spider* - Threat Group-3390 - Yanluowang - menuPass - Volt Typhoon - Cinnamon Tempest - Magic Hound - DAGGER PANDA - ENERGETIC BEAR - DEV-0270 - COZY BEAR - FANCY BEAR - EMBER BEAR - BERSERK BEAR - Dispossessor - Black Basta","Lateral Movement","https://github.com/fortra/impacket","1","0","N/A","subject to false positive (not only impacket)","10","10","14198","3681","2025-04-22T13:40:55Z","2015-04-15T14:04:07Z","38443" "*cmd.exe /Q /c hostname 1> * 2>&1 && certutil -encodehex *",".{0,1000}cmd\.exe\s\/Q\s\/c\shostname\s1\>\s.{0,1000}\s2\>\&1\s\&\&\scertutil\s\-encodehex\s.{0,1000}","greyware_tool_keyword","impacket","Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. 
SMB1-3 and MSRPC) the protocol implementation itself","T1557.001 - T1040 - T1003.001 - T1003.002 - T1003.003 - T1003.004 - T1558.003 - T1569.002 - T1047","TA0001 - TA0003 - TA0004 - TA0005 - TA0006 - TA0008 - TA0011","N/A","Akira - Bassterlord* - BianLian - Dragonfly - FIN8 - HAFNIUM - Hive - LockBit - Magic Hound - RansomHub - Rhysida - Sandworm Team - Scattered Spider* - Threat Group-3390 - Yanluowang - menuPass - Volt Typhoon - Cinnamon Tempest - Magic Hound - DAGGER PANDA - ENERGETIC BEAR - DEV-0270 - COZY BEAR - FANCY BEAR - EMBER BEAR - BERSERK BEAR - Dispossessor - Black Basta","Lateral Movement","https://github.com/fortra/impacket","1","0","N/A","subject to false positive (not only impacket)","10","10","14198","3681","2025-04-22T13:40:55Z","2015-04-15T14:04:07Z","38447" "*cmd.exe /Q /c hostname 1> * 2>&1 && certutil -encodehex *",".{0,1000}cmd\.exe\s\/Q\s\/c\shostname\s1\>\s.{0,1000}\s2\>\&1\s\&\&\scertutil\s\-encodehex\s.{0,1000}","greyware_tool_keyword","impacket","Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. 
SMB1-3 and MSRPC) the protocol implementation itself","T1557.001 - T1040 - T1003.001 - T1003.002 - T1003.003 - T1003.004 - T1558.003 - T1569.002 - T1047","TA0001 - TA0003 - TA0004 - TA0005 - TA0006 - TA0008 - TA0011","N/A","Akira - Bassterlord* - BianLian - Dragonfly - FIN8 - HAFNIUM - Hive - LockBit - Magic Hound - RansomHub - Rhysida - Sandworm Team - Scattered Spider* - Threat Group-3390 - Yanluowang - menuPass - Volt Typhoon - Cinnamon Tempest - Magic Hound - DAGGER PANDA - ENERGETIC BEAR - DEV-0270 - COZY BEAR - FANCY BEAR - EMBER BEAR - BERSERK BEAR - Dispossessor - Black Basta","Lateral Movement","https://github.com/fortra/impacket","1","0","N/A","subject to false positive (not only impacket)","10","10","14198","3681","2025-04-22T13:40:55Z","2015-04-15T14:04:07Z","38448" "*cmd.exe /Q /c ipconfig 1> * 2>&1 && certutil -encodehex *",".{0,1000}cmd\.exe\s\/Q\s\/c\sipconfig\s1\>\s.{0,1000}\s2\>\&1\s\&\&\scertutil\s\-encodehex\s.{0,1000}\s\s\s\s\s","greyware_tool_keyword","impacket","Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. 
SMB1-3 and MSRPC) the protocol implementation itself","T1557.001 - T1040 - T1003.001 - T1003.002 - T1003.003 - T1003.004 - T1558.003 - T1569.002 - T1047","TA0001 - TA0003 - TA0004 - TA0005 - TA0006 - TA0008 - TA0011","N/A","Akira - Bassterlord* - BianLian - Dragonfly - FIN8 - HAFNIUM - Hive - LockBit - Magic Hound - RansomHub - Rhysida - Sandworm Team - Scattered Spider* - Threat Group-3390 - Yanluowang - menuPass - Volt Typhoon - Cinnamon Tempest - Magic Hound - DAGGER PANDA - ENERGETIC BEAR - DEV-0270 - COZY BEAR - FANCY BEAR - EMBER BEAR - BERSERK BEAR - Dispossessor - Black Basta","Lateral Movement","https://github.com/fortra/impacket","1","0","N/A","subject to false positive (not only impacket)","10","10","14198","3681","2025-04-22T13:40:55Z","2015-04-15T14:04:07Z","38450" "*cmd.exe /Q /c ipconfig 1> \Windows\Temp\* 2>&1*",".{0,1000}cmd\.exe\s\/Q\s\/c\sipconfig\s1\>\s\\Windows\\Temp\\.{0,1000}\s2\>\&1.{0,1000}","greyware_tool_keyword","impacket","Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. 
SMB1-3 and MSRPC) the protocol implementation itself","T1557.001 - T1040 - T1003.001 - T1003.002 - T1003.003 - T1003.004 - T1558.003 - T1569.002 - T1047","TA0001 - TA0003 - TA0004 - TA0005 - TA0006 - TA0008 - TA0011","N/A","Akira - Bassterlord* - BianLian - Dragonfly - FIN8 - HAFNIUM - Hive - LockBit - Magic Hound - RansomHub - Rhysida - Sandworm Team - Scattered Spider* - Threat Group-3390 - Yanluowang - menuPass - Volt Typhoon - Cinnamon Tempest - Magic Hound - DAGGER PANDA - ENERGETIC BEAR - DEV-0270 - COZY BEAR - FANCY BEAR - EMBER BEAR - BERSERK BEAR - Dispossessor - Black Basta","Lateral Movement","https://github.com/fortra/impacket","1","0","N/A","subject to false positive (not only impacket)","10","10","14198","3681","2025-04-22T13:40:55Z","2015-04-15T14:04:07Z","38451" "*cmd.exe* /c echo curl https://* --output ""%temp%* --ssl no-revoke --insecure --location > ""%temp%*",".{0,1000}cmd\.exe.{0,1000}\s\/c\secho\scurl\shttps\:\/\/.{0,1000}\s\-\-output\s\""\%temp\%.{0,1000}\s\-\-ssl\sno\-revoke\s\-\-insecure\s\-\-location\s\>\s\""\%temp\%.{0,1000}","greyware_tool_keyword","curl","potential suspicious curl command - downloading payload in the temp directory","T1105 - T1059.003","TA0005","N/A","N/A","Collection","https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38464" "*cmd.exe*/c set /A 1^^0*",".{0,1000}cmd\.exe.{0,1000}\/c\sset\s\/A\s1\^\^0.{0,1000}","greyware_tool_keyword","set","Bitwise XOR Operation in commandline observed in a malware sample","T1059.003 - T1480.001","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://tria.ge/240617-mn75pa1cnl/behavioral2/analog?proc=87","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","38466" "*cmd.exe*\TEMP\ScreenConnect\*.cmd*",".{0,1000}cmd\.exe.{0,1000}\\TEMP\\ScreenConnect\\.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - 
T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","screenconnect.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38467" "*cmd.exe*qwinsta*",".{0,1000}cmd\.exe.{0,1000}qwinsta.{0,1000}","greyware_tool_keyword","qwinsta","enumerate rdp session on a remote server","T1049 - T1018 - T1021.001","TA0007 - TA0009 - TA0010","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","3","8","N/A","N/A","N/A","N/A","38468" "*cmd/boringproxy*",".{0,1000}cmd\/boringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","38469" "*cmd/crowbard/*",".{0,1000}cmd\/crowbard\/.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","38472" "*cmd/tailscale*",".{0,1000}cmd\/tailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","38479" "*Cmdkey /list*",".{0,1000}Cmdkey\s\/list.{0,1000}","greyware_tool_keyword","Cmdkey","List Saved Credentials","T1555","TA0006","N/A","N/A","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38493" 
"*cocfojppfigjeefejbpfmedgjbpchcng*",".{0,1000}cocfojppfigjeefejbpfmedgjbpchcng.{0,1000}","greyware_tool_keyword","SaferVPN Proxy","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","38563" "*code tunnel user login --access-token *",".{0,1000}code\stunnel\suser\slogin\s\-\-access\-token\s.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38564" "*code.exe tunnel --accept-server-license-terms --name *",".{0,1000}code\.exe\stunnel\s\-\-accept\-server\-license\-terms\s\-\-name\s.{0,1000}","greyware_tool_keyword","vscode","Starts a reverse connection over global.rel.tunnels.api.visualstudio.com via websockets","T1090.003 - T1059.001 - T1071.001","TA0011 - TA0002","N/A","N/A","C2","https://badoption.eu/blog/2023/01/31/code_c2.html","0","0","N/A","risk of False positive","10","10","N/A","N/A","N/A","N/A","38565" "*code.onedev.io/SoftEther/VPN.git*",".{0,1000}code\.onedev\.io\/SoftEther\/VPN\.git.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","38566" 
"*codeload.github.com/*",".{0,1000}codeload\.github\.com\/.{0,1000}","greyware_tool_keyword","github","Github executables download initiated - abused by malware to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","38576" "*com.initex.proxifier.v3.macos*",".{0,1000}com\.initex\.proxifier\.v3\.macos.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","38635" "*com.microsoft.StorageExplorer*",".{0,1000}com\.microsoft\.StorageExplorer.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","38637" "*-Command Add-MpPreference -ExclusionProcess *\Program Files\FreeFileSync\Bin\*",".{0,1000}\-Command\sAdd\-MpPreference\s\-ExclusionProcess\s.{0,1000}\\Program\sFiles\\FreeFileSync\\Bin\\.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","38667" "*Command: beginsharing Result: {""responsename"":""beginsharing""*",".{0,1000}Command\:\sbeginsharing\sResult\:\s\{\""responsename\""\:\""beginsharing\"".{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","38674" "*commanderupdate.fleetdeck.io*",".{0,1000}commanderupdate\.fleetdeck\.io.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","38680" "*'Company'>Action1 Corporation*",".{0,1000}\'Company\'\>Action1\sCorporation.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38715" "*'Company'>BeyondTrust
*",".{0,1000}\'Company\'\>BeyondTrust\<\/Data\>.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38716" "*'Company'>bomgar
*",".{0,1000}\'Company\'\>bomgar\<\/Data\>.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38717" "*'Company'>Mega Limited
*",".{0,1000}\'Company\'\>Mega\sLimited\<\/Data\>.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38718" "*'company'>n-able take control
*",".{0,1000}\'company\'\>n\-able\stake\scontrol\<\/data\>.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38719" "*Company'>NetSupport LtdNetSupport\sLtd\<\/.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38720" "*'Company'>UltraVNC
*",".{0,1000}\'Company\'\>UltraVNC\<\/Data\>.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#companyname","N/A","10","10","N/A","N/A","N/A","N/A","38721" "*Compress-Archive -Path*-DestinationPath $env:TEMP*",".{0,1000}Compress\-Archive\s\-Path.{0,1000}\-DestinationPath\s\$env\:TEMP.{0,1000}","greyware_tool_keyword","Compress-Archive","Compress data using zlib for exfiltration","T1560 - T1020 - T1041","TA0010","N/A","N/A","Data Exfiltration","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38730" "*Compress-Archive -Path*-DestinationPath*:\Windows\Temp\*",".{0,1000}Compress\-Archive\s\-Path.{0,1000}\-DestinationPath.{0,1000}\:\\Windows\\Temp\\.{0,1000}","greyware_tool_keyword","Compress-Archive","Compress data using zlib for exfiltration","T1560 - T1020 - T1041","TA0010","N/A","N/A","Data Exfiltration","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38731" "*Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'*",".{0,1000}Compress\-Archive\s\-Path.{0,1000}\-DestinationPath.{0,1000}\\AppData\\Local\\Temp\\\'.{0,1000}","greyware_tool_keyword","Compress-Archive","Compress data using zlib for exfiltration","T1560 - T1020 - T1041","TA0010","N/A","N/A","Data Exfiltration","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38732" "*computers_pwdnotreqd*",".{0,1000}computers_pwdnotreqd.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers can misuse it to gather valuable information about the network environment. 
including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","38736" "*comserver.corporate.beanywhere.com*",".{0,1000}comserver\.corporate\.beanywhere\.com.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38737" "*comsvcs.dll*#+00024764*",".{0,1000}comsvcs\.dll.{0,1000}\#\+00024764.{0,1000}","greyware_tool_keyword","comsvcs.dll","Dumping credentials with Minidump ordinal format (suspicious)","T1003","TA0006","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38738" "*comsvcs.dll*#24*",".{0,1000}comsvcs\.dll.{0,1000}\#24.{0,1000}","greyware_tool_keyword","comsvcs.dll","Dumping credentials with Minidump ordinal format (suspicious)","T1003","TA0006","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38739" "*comsvcs.dll*MiniDump*lsass*full*",".{0,1000}comsvcs\.dll,\sMiniDump.{0,1000}lsass.{0,1000}full.{0,1000}","greyware_tool_keyword","comsvcs.dll","Dumping lsass 
credentials","T1003","TA0006","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38740" "*comsvcs.dll, MiniDump *",".{0,1000}comsvcs\.dll,\sMiniDump\s.{0,1000}","greyware_tool_keyword","rundll32","Calling MiniDump function - dump memory of a process (often abused to dump lsass process)","T1218.011 - T1003","TA0006 - TA0005 - TA0002","N/A","Black Basta","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38741" "*comsvcs.dll,#24 *",".{0,1000}comsvcs\.dll,\#24\s.{0,1000}","greyware_tool_keyword","rundll32","Calling MiniDump export by ordinal - dump memory of a process (often abused to dump lsass process)","T1218.011 - T1003","TA0006 - TA0005 - TA0002","N/A","Black Basta","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38742" "*conhost.exe * --headless*",".{0,1000}conhost\.exe\s.{0,1000}\s\-\-headless.{0,1000}","greyware_tool_keyword","conhost.exe","conhost in headless mode - no visible window will pop up on the victim machine","T1055 - T1562.001","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://x.com/TheDFIRReport/status/1721521617908473907?s=20","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","38764" "*connectd/usr/bin/connectd_d2d*",".{0,1000}connectd\/usr\/bin\/connectd_d2d.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#linux","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","38768" "*connected via tailscaled*",".{0,1000}connected\svia\stailscaled.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","38769" "*Connect-RpcClient * -EndpointPath sudo_elevate_4652*",".{0,1000}Connect\-RpcClient\s.{0,1000}\s\-EndpointPath\ssudo_elevate_4652.{0,1000}","greyware_tool_keyword","sudo","sudo on windows allowing privilege escalation","T1068 - T1548","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html","1","0","#linux","N/A","7","8","N/A","N/A","N/A","N/A","38770" "*Connect-SocksServer -Server *",".{0,1000}Connect\-SocksServer\s\-Server\s.{0,1000}","greyware_tool_keyword","powershell","establishes a TCP connection to a remote server - likely for C2 or payload delivery?.","T1071.001 - T1105","TA0011","N/A","Black Basta","C2","https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d","1","0","N/A","N/A","9","6","N/A","N/A","N/A","N/A","38771" "*contactsupportrelays4-prod.eastus.cloudapp.azure.com*",".{0,1000}contactsupportrelays4\-prod\.eastus\.cloudapp\.azure\.com.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","38791" "*control.*.logmeinrescue.com*",".{0,1000}control\..{0,1000}\.logmeinrescue\.com.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38804" 
"*control.rsc-app*.logmeinrescue.com",".{0,1000}control\.rsc\-app.{0,1000}\.logmeinrescue\.com","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38805" "*controlserver.anyviewer.com*",".{0,1000}controlserver\.anyviewer\.com.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38806" "*ConvertTo-AADIntBackdoor*",".{0,1000}ConvertTo\-AADIntBackdoor.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","38818" "*copy *.exe \\*\c$\Windows\*.exe*",".{0,1000}copy\s.{0,1000}\.exe\s\\\\.{0,1000}\\c\$\\Windows\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","copy","copying an executable to a remote machine in the c:\windows directory","T1021","TA0008","N/A","N/A","Lateral Movement","https://x.com/ACEResponder/status/1720906842631549377","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","38871" "*copy *\NTDS\ntds.dit *\Temp\*.*",".{0,1000}copy\s.{0,1000}\\NTDS\\ntds\.dit\s.{0,1000}\\Temp\\.{0,1000}\..{0,1000}","greyware_tool_keyword","copy","the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.","T1003.001 - 
T1567.001 - T1070.004","TA0005 - TA0003 - TA0007","N/A","Volt Typhoon","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","38874" "*copy *NTDS\NTDS.dit*Temp*",".{0,1000}copy\s.{0,1000}NTDS\\NTDS\.dit.{0,1000}Temp.{0,1000}","greyware_tool_keyword","copy","copy the NTDS.dit file from a Volume Shadow Copy which contains sensitive Active Directory data including password hashes for all domain users","T1003.003","TA0009","N/A","N/A","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","38875" "*copy *sam.hive \\*",".{0,1000}copy\s.{0,1000}sam\.hive\s\\\\.{0,1000}","greyware_tool_keyword","reg","the commands are used to export the SAM and SYSTEM registry hives which contain sensitive Windows security data including hashed passwords for local accounts. By obtaining these hives an attacker can attempt to crack the hashes or use them in pass-the-hash attacks for unauthorized access.","T1003.002","TA0009","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","38877" "*copy *system.hive \\*",".{0,1000}copy\s.{0,1000}system\.hive\s\\\\.{0,1000}","greyware_tool_keyword","reg","the commands are used to export the SAM and SYSTEM registry hives which contain sensitive Windows security data including hashed passwords for local accounts. 
By obtaining these hives an attacker can attempt to crack the hashes or use them in pass-the-hash attacks for unauthorized access.","T1003.002","TA0009","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","38878" "*Copy New *gdrive://www.googleapis.com/GS_Sync/*",".{0,1000}Copy\sNew\s.{0,1000}gdrive\:\/\/www\.googleapis\.com\/GS_Sync\/.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","38882" "*Copy New *sftp://*",".{0,1000}Copy\sNew\s.{0,1000}sftp\:\/\/.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","38883" "*copy*C:\ProgramData\*.dll*\c$\*",".{0,1000}copy.{0,1000}C\:\\ProgramData\\.{0,1000}\.dll.{0,1000}\\c\$\\.{0,1000}","greyware_tool_keyword","copy","copy dll from Programdata to a remote computer","T1074 - T1021","TA0008","N/A","Dispossessor","Lateral Movement","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","38885" "*copy-item *\roaming\microsoft\windows\start menu\programs\startup*",".{0,1000}copy\-item\s.{0,1000}\\roaming\\microsoft\\windows\\start\smenu\\programs\\startup.{0,1000}","greyware_tool_keyword","powershell","Copy file to startup via Powershell","T1050 - T1106 - T1547.009","TA0003 - TA0005 - TA0004","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","38888" "*cp /bin/bash /tmp/*",".{0,1000}cp\s\/bin\/bash\s\/tmp\/.{0,1000}","greyware_tool_keyword","cp","copies 
the Bash binary to the /tmp/ directory","T1105 - T1036 - T1070","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","8","7","N/A","N/A","N/A","N/A","38930" "*cp /bin/sh /tmp/*",".{0,1000}cp\s\/bin\/sh\s\/tmp\/.{0,1000}","greyware_tool_keyword","cp","copies the Bash binary to the /tmp/ directory","T1105 - T1036 - T1070","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","8","7","N/A","N/A","N/A","N/A","38931" "*cp /etc/passwd*",".{0,1000}cp\s\/etc\/passwd.{0,1000}","greyware_tool_keyword","cp","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","38932" "*cp /etc/shadow*",".{0,1000}cp\s\/etc\/shadow.{0,1000}","greyware_tool_keyword","cp","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","38934" "*cp -i /bin/bash /tmp/*",".{0,1000}cp\s\-i\s\/bin\/bash\s\/tmp\/.{0,1000}","greyware_tool_keyword","cp","copies the Bash binary to the /tmp/ directory","T1105 - T1036 - T1070","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","8","7","N/A","N/A","N/A","N/A","38936" "*cp -i /bin/sh */crond*",".{0,1000}cp\s\-i\s\/bin\/sh\s.{0,1000}\/crond.{0,1000}","greyware_tool_keyword","crond","Masquerading as Linux Crond Process.Masquerading 
occurs when the name or location of an executable* legitimate or malicious. is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.","T1036 - T1564.003 - T1059.004","TA0005 - TA0004 - TA0002","N/A","N/A","Defense Evasion","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml","1","0","#linux","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","38937" "*cp -i /bin/sh /tmp/*",".{0,1000}cp\s\-i\s\/bin\/sh\s\/tmp\/.{0,1000}","greyware_tool_keyword","cp","copies the Bash binary to the /tmp/ directory","T1105 - T1036 - T1070","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","8","7","N/A","N/A","N/A","N/A","38938" "*cpulimit -e xmrig *",".{0,1000}cpulimit\s\-e\sxmrig\s.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","38941" "*cpulimit -l 100 -f -- /bin/sh -p*",".{0,1000}cpulimit\s\-l\s100\s\-f\s\-\-\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","38942" "*crash.syncthing.net*",".{0,1000}crash\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data 
Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","38968" "*Creating SSHTunnelForwarder*paramiko*",".{0,1000}Creating\sSSHTunnelForwarder.{0,1000}paramiko.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","39031" "*croc send --code *",".{0,1000}croc\ssend\s\-\-code\s.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39079" "*croc --socks5 *",".{0,1000}croc\s\-\-socks5\s.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39080" "*crontab* sleep *ncat * -e /bin/bash*crontab*",".{0,1000}crontab.{0,1000}\ssleep\s.{0,1000}ncat\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}crontab.{0,1000}","greyware_tool_keyword","crontab","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Persistence","N/A","1","0","#linux","greyware_tools high risks of false 
positives","N/A","N/A","N/A","N/A","N/A","N/A","39085" "*crowbar-forward -local=*",".{0,1000}crowbar\-forward\s\-local\=.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","39122" "*csvde -f *",".{0,1000}csvde\s\-f\s.{0,1000}","greyware_tool_keyword","csvde","exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format","T1005","TA0009 - TA0007","N/A","N/A","Collection","https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v=ws.11)","1","0","N/A","N/A","9","9","N/A","N/A","N/A","N/A","39175" "*csvde -r * -f *",".{0,1000}csvde\s\-r\s.{0,1000}\s\-f\s.{0,1000}","greyware_tool_keyword","csvde","exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format","T1005","TA0009 - TA0007","N/A","N/A","Collection","https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v=ws.11)","1","0","N/A","N/A","9","9","N/A","N/A","N/A","N/A","39176" "*csvde.exe -f *",".{0,1000}csvde\.exe\s\-f\s.{0,1000}","greyware_tool_keyword","csvde","exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format","T1005","TA0009 - TA0007","N/A","N/A","Collection","https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v=ws.11)","1","0","N/A","N/A","9","9","N/A","N/A","N/A","N/A","39177" "*csvde.exe -r * -f *",".{0,1000}csvde\.exe\s\-r\s.{0,1000}\s\-f\s.{0,1000}","greyware_tool_keyword","csvde","exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) 
format","T1005","TA0009 - TA0007","N/A","N/A","Collection","https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v=ws.11)","1","0","N/A","N/A","9","9","N/A","N/A","N/A","N/A","39178" "*csvde.exe"" -f *",".{0,1000}csvde\.exe\""\s\-f\s.{0,1000}","greyware_tool_keyword","csvde","exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format","T1005","TA0009 - TA0007","N/A","N/A","Collection","https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v=ws.11)","1","0","N/A","N/A","9","9","N/A","N/A","N/A","N/A","39179" "*curl http://*.png -k|dd skip=2446 bs=1|sh*",".{0,1000}curl\shttp\:\/\/.{0,1000}\.png\s\-k\|dd\sskip\=2446\sbs\=1\|sh.{0,1000}","greyware_tool_keyword","curl","potential malicious command with curl (|sh)","T1566","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://x.com/CraigHRowland/status/1782938242108837896","1","0","#linux","risk of false positive","9","10","N/A","N/A","N/A","N/A","39200" "*curl https://*.png -k|dd skip=2446 bs=1|sh*",".{0,1000}curl\shttps\:\/\/.{0,1000}\.png\s\-k\|dd\sskip\=2446\sbs\=1\|sh.{0,1000}","greyware_tool_keyword","curl","potential malicious command with curl (|sh)","T1566","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://x.com/CraigHRowland/status/1782938242108837896","1","0","#linux","risk of false positive","9","10","N/A","N/A","N/A","N/A","39202" "*curl https://api.hunter.io/v2/domain-search?domain=*",".{0,1000}curl\shttps\:\/\/api\.hunter\.io\/v2\/domain\-search\?domain\=.{0,1000}","greyware_tool_keyword","Hunter.io","used by attacker and pentester while gathering information. 
Hunter lets you find email addresses in seconds and connect with the people that matter for your business","T1597 - T1526 - T1087 - T1078 - T1056 - T1018 - T1016 - T1583 - T1589","TA0001 - TA0002 - TA0003 - TA0005 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://hunter.io/","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","39203" "*curl https://api.hunter.io/v2/email-finder?domain=*",".{0,1000}curl\shttps\:\/\/api\.hunter\.io\/v2\/email\-finder\?domain\=.{0,1000}","greyware_tool_keyword","Hunter.io","used by attacker and pentester while gathering information. Hunter lets you find email addresses in seconds and connect with the people that matter for your business","T1597 - T1526 - T1087 - T1078 - T1056 - T1018 - T1016 - T1583 - T1589","TA0001 - TA0002 - TA0003 - TA0005 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://hunter.io/","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","39204" "*curl https://api.hunter.io/v2/email-verifier?email=*",".{0,1000}curl\shttps\:\/\/api\.hunter\.io\/v2\/email\-verifier\?email\=.{0,1000}","greyware_tool_keyword","Hunter.io","used by attacker and pentester while gathering information. Hunter lets you find email addresses in seconds and connect with the people that matter for your business","T1597 - T1526 - T1087 - T1078 - T1056 - T1018 - T1016 - T1583 - T1589","TA0001 - TA0002 - TA0003 - TA0005 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://hunter.io/","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","39205" "*curl https://termbin.com/*",".{0,1000}curl\shttps\:\/\/termbin\.com\/.{0,1000}","greyware_tool_keyword","termbin.com","accessing paste raw content","T1119","TA0009","N/A","N/A","Collection","termbin.com","1","0","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","39208" "*curl*.interact.sh*",".{0,1000}curl.{0,1000}\.interact\.sh.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. 
It is a tool designed to detect vulnerabilities that cause external interactions but is abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","39219" "*curl*nopaste.net*",".{0,1000}curl.{0,1000}nopaste\.net.{0,1000}","greyware_tool_keyword","nopaste.net","nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration","T1567.002 - T1036.005 - T1102 - T1071.001","TA0005 - TA0009 - TA0010","N/A","N/A","Collection","https://www.shellhub.io/","1","0","#Pastebinlike #filehostingservice #linux","N/A","8","10","N/A","N/A","N/A","N/A","39221" "*CurrentControlSet\Services\A1Agent*",".{0,1000}CurrentControlSet\\Services\\A1Agent.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","#servicename #registry","N/A","10","10","N/A","N/A","N/A","N/A","39223" "*CurrentVersion\Uninstall\Splashtop Inc.\*",".{0,1000}CurrentVersion\\Uninstall\\Splashtop\sInc\.\\.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","39224" "*cut -d: -f1 /etc/passwd*",".{0,1000}cut\s\-d\:\s\-f1\s\/etc\/passwd.{0,1000}","greyware_tool_keyword","cut","linux 
commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","39234" "*cwn-log-collector-production-clone.*.elasticbeanstalk.com*",".{0,1000}cwn\-log\-collector\-production\-clone\..{0,1000}\.elasticbeanstalk\.com.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","39290" "*CyberGhost 6 Service*",".{0,1000}CyberGhost\s6\sService.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39295" "*CyberGhost 7 Service*",".{0,1000}CyberGhost\s7\sService.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39296" "*CyberGhost 8 Service*",".{0,1000}CyberGhost\s8\sService.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense 
Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39297" "*CyberGhost S.R.L.*",".{0,1000}CyberGhost\sS\.R\.L\..{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39298" "*CyberGhost Tunnel Client:*",".{0,1000}CyberGhost\sTunnel\sClient\:.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39299" "*cyberghost*\Dashboard.exe*",".{0,1000}cyberghost.{0,1000}\\Dashboard\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39300" "*cyberghost*\Dashboard.Service.exe*",".{0,1000}cyberghost.{0,1000}\\Dashboard\.Service\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39301" "*cyberghost*\wyUpdate.exe*",".{0,1000}cyberghost.{0,1000}\\wyUpdate\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39302" 
"*CyberGhost.Browser.dll*",".{0,1000}CyberGhost\.Browser\.dll.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39303" "*CyberGhost.exe*",".{0,1000}CyberGhost\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","1","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39304" "*CyberGhost.resources.dll*",".{0,1000}CyberGhost\.resources\.dll.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39305" "*CyberGhost.Service.exe*",".{0,1000}CyberGhost\.Service\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","1","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39306" "*CyberGhost.Service.InstallLog*",".{0,1000}CyberGhost\.Service\.InstallLog.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39307" "*CyberGhost.Service.pdb*",".{0,1000}CyberGhost\.Service\.pdb.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense 
Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39308" "*CyberGhost.VPNServices.dll*",".{0,1000}CyberGhost\.VPNServices\.dll.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39309" "*CyberGhost6Service*",".{0,1000}CyberGhost6Service.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39310" "*CyberGhost7Service*",".{0,1000}CyberGhost7Service.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39311" "*CyberGhost8Service*",".{0,1000}CyberGhost8Service.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39312" "*CyberGhostTunnel$CyberGhost-WireGuard-1*",".{0,1000}CyberGhostTunnel\$CyberGhost\-WireGuard\-1.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39313" 
"*CyberGhostVPNSetup.exe*",".{0,1000}CyberGhostVPNSetup\.exe.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","1","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","39314" "*CyberGhost-WireGuard-1.conf*",".{0,1000}CyberGhost\-WireGuard\-1\.conf.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","0","#VPN","Windows Service Name installed","9","8","N/A","N/A","N/A","N/A","39315" "*cytool.exe event_collection disable*",".{0,1000}cytool\.exe\sevent_collection\sdisable.{0,1000}","greyware_tool_keyword","cytool","Disables event collection","T1562.001 - T1547.001 - T1055.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","39322" "*cytool.exe protect disable*",".{0,1000}cytool\.exe\sprotect\sdisable.{0,1000}","greyware_tool_keyword","cytool","Disables protection on Cortex XDR files processes registry and services","T1562.001 - T1547.001 - T1055.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","39323" "*cytool.exe runtime disable*",".{0,1000}cytool\.exe\sruntime\sdisable.{0,1000}","greyware_tool_keyword","cytool","Disables Cortex XDR (Even with tamper protection enabled)","T1562.001 - T1547.001 - T1055.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","39324" "*cytool.exe startup disable*",".{0,1000}cytool\.exe\sstartup\sdisable.{0,1000}","greyware_tool_keyword","cytool","Disables the cortex agent on startup","T1562.001 - T1547.001 - T1055.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","39325" 
"*d000953c31d5c05471066c7b81c33aa3673112fdf9bad30cef57a4561b460c48*",".{0,1000}d000953c31d5c05471066c7b81c33aa3673112fdf9bad30cef57a4561b460c48.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39330" "*d00b56fb9a39f27ad1c1b95a397861ab2d9898e13f60046669c72b875dcd43f4*",".{0,1000}d00b56fb9a39f27ad1c1b95a397861ab2d9898e13f60046669c72b875dcd43f4.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","39331" "*d0274f036468ef236d3a526bb6235289bdbe4c8828ee7feee1829a026f5f3bec*",".{0,1000}d0274f036468ef236d3a526bb6235289bdbe4c8828ee7feee1829a026f5f3bec.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","0","#filehash","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","39344" "*d02ab6045d52ced3ec80848b04e7675a294a62e3c17ad36429470fcb9b7323f6*",".{0,1000}d02ab6045d52ced3ec80848b04e7675a294a62e3c17ad36429470fcb9b7323f6.{0,1000}","greyware_tool_keyword","rclone","Rclone is 
a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39346" "*d034d92ecdfc79741edccb803113dd7af23f5cde96b165d7449d8f7c02b7d6cb*",".{0,1000}d034d92ecdfc79741edccb803113dd7af23f5cde96b165d7449d8f7c02b7d6cb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39348" "*d04679accb8ad4bbd940d7afcb4d2765c3ea1421bb773b71e79f3f0233f847cd*",".{0,1000}d04679accb8ad4bbd940d7afcb4d2765c3ea1421bb773b71e79f3f0233f847cd.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","39352" 
"*d04968fb362078ad799d7fd6fe84df42901f142a0e381ef0ffe388d97139aafb*",".{0,1000}d04968fb362078ad799d7fd6fe84df42901f142a0e381ef0ffe388d97139aafb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39353" "*d075c00b275c76255d94d50dcff34b3e8238783c137551d3eeee8351eaaf2361*",".{0,1000}d075c00b275c76255d94d50dcff34b3e8238783c137551d3eeee8351eaaf2361.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","39364" "*d079a0e04f148d409c460742d2a5d740a0a405f4a77d7cf0878becdcc0488bbd*",".{0,1000}d079a0e04f148d409c460742d2a5d740a0a405f4a77d7cf0878becdcc0488bbd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39365" "*d08e1e80fa721e95a7e71a7fed9e2ce0b726207f1e3ee96d809a6f0b34de4c05*",".{0,1000}d08e1e80fa721e95a7e71a7fed9e2ce0b726207f1e3ee96d809a6f0b34de4c05.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39371" "*d0a44c5acf4946e913a8534d362d681bd50205d00549d3db028d8ce2802e9b86*",".{0,1000}d0a44c5acf4946e913a8534d362d681bd50205d00549d3db028d8ce2802e9b86.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39378" "*d0a70241212198566028cd3154c418e35cbe73a6cd22c2d851341e88cb650cb7*",".{0,1000}d0a70241212198566028cd3154c418e35cbe73a6cd22c2d851341e88cb650cb7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39379" 
"*d0b5f9eb1f0aee1183c895a01bdb215c86b05c4fee9310c86ea9a9586351b750*",".{0,1000}d0b5f9eb1f0aee1183c895a01bdb215c86b05c4fee9310c86ea9a9586351b750.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39384" "*d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb*",".{0,1000}d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","39386" "*d0cb6aee67e6002397f2a03aad19364e456d597ca2c632087530d19c8620e0b2*",".{0,1000}d0cb6aee67e6002397f2a03aad19364e456d597ca2c632087530d19c8620e0b2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39389" 
"*d0d4347afb60b25e067af0d693c644b76560164c793304e35af765d023c14df6*",".{0,1000}d0d4347afb60b25e067af0d693c644b76560164c793304e35af765d023c14df6.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","39393" "*d0d66c649a64735a67735370f0790418b48abeccaa0506fa66f00a967e8c3b73*",".{0,1000}d0d66c649a64735a67735370f0790418b48abeccaa0506fa66f00a967e8c3b73.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","0","#filehash","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","39395" "*d0da5a5a737e7700297a3c419fa167541f5dbbe2572687bd0361f2a804e1aaf4*",".{0,1000}d0da5a5a737e7700297a3c419fa167541f5dbbe2572687bd0361f2a804e1aaf4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39396" "*d0e4117d84d8a5e8a716a6cf6f06128a365465eb83e803a85ecd9ab2671468b4*",".{0,1000}d0e4117d84d8a5e8a716a6cf6f06128a365465eb83e803a85ecd9ab2671468b4.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port 
forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","39398" "*d0f33de8e813474ae320912f13a929d763aa012d38c706fb76a46d9c7212f7f5*",".{0,1000}d0f33de8e813474ae320912f13a929d763aa012d38c706fb76a46d9c7212f7f5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39403" "*d1082f06795f50679df66d5bb31b29f7d02e7932ae0da48a972edbfcc067be90*",".{0,1000}d1082f06795f50679df66d5bb31b29f7d02e7932ae0da48a972edbfcc067be90.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39409" "*d110395a75afff8f1e8c54c7ae5fbd9e085ec21da4c472e4fb11346c17d8652d*",".{0,1000}d110395a75afff8f1e8c54c7ae5fbd9e085ec21da4c472e4fb11346c17d8652d.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","39413" "*D116CC32-BC4F-4FAD-B09C-0D6459D1C1B6*",".{0,1000}D116CC32\-BC4F\-4FAD\-B09C\-0D6459D1C1B6.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#GUIDproject","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","39415" 
"*d11fdf3e02243a642c2158357522d457d4111058723c5ce79c355c40b4495350*",".{0,1000}d11fdf3e02243a642c2158357522d457d4111058723c5ce79c355c40b4495350.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39416" "*d12a87b47c9213d80b8dfe9626702c953ebbfa92320b01f5f8b42a520a232537*",".{0,1000}d12a87b47c9213d80b8dfe9626702c953ebbfa92320b01f5f8b42a520a232537.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39417" "*d12ea4fbcf04a2b0d848ed5b610b78055558e95b7cfd6461ee2e81ba4a7216b5*",".{0,1000}d12ea4fbcf04a2b0d848ed5b610b78055558e95b7cfd6461ee2e81ba4a7216b5.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","39418" "*d134e9ea2c34c9efb4b500dbe9a7a9647c84a0768ad22c57f10ceaea95521e66*",".{0,1000}d134e9ea2c34c9efb4b500dbe9a7a9647c84a0768ad22c57f10ceaea95521e66.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39419" "*d1409d4d6fc200f7f5569b844c0005eb1963a94a857ae4fb5caeb496783cca07*",".{0,1000}d1409d4d6fc200f7f5569b844c0005eb1963a94a857ae4fb5caeb496783cca07.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39423" "*d1455ccf2efda304183873600535c73e8205663b384ec30a8c9f2e6ecd0a91b0*",".{0,1000}d1455ccf2efda304183873600535c73e8205663b384ec30a8c9f2e6ecd0a91b0.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","39427" "*d166b7b1c5a74e9b9b4de99113c7a8e563a782d17664c2ffbb7e721df1062ef5*",".{0,1000}d166b7b1c5a74e9b9b4de99113c7a8e563a782d17664c2ffbb7e721df1062ef5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39436" "*d166f3899cc7eb349d9ce4c8adc8f60e3a2908ed29ddf4a2e52e070d78e290ec*",".{0,1000}d166f3899cc7eb349d9ce4c8adc8f60e3a2908ed29ddf4a2e52e070d78e290ec.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39437" 
"*d172534380f802e8a74ef1ca3ae9bf0900d4c111cb79a9b6f4259a0bc8e744fa*",".{0,1000}d172534380f802e8a74ef1ca3ae9bf0900d4c111cb79a9b6f4259a0bc8e744fa.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","39441" "*d18c1c2f4445bacac3a8bb9bf32d450a25028a7c94b30a1bc040942a5b47f661*",".{0,1000}d18c1c2f4445bacac3a8bb9bf32d450a25028a7c94b30a1bc040942a5b47f661.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39445" "*d1905784a1ef416d990ea8cbe68e0af88e2d33a4b2a8b5f9a75e056405a7dcb5*",".{0,1000}d1905784a1ef416d990ea8cbe68e0af88e2d33a4b2a8b5f9a75e056405a7dcb5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39449" "*d19215f26a1791d5f04cd626f65108628e507be6df194fec4fe25115d74469ab*",".{0,1000}d19215f26a1791d5f04cd626f65108628e507be6df194fec4fe25115d74469ab.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","#filehash","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","39450" "*d1979e633d08e40784a902c1997aadb8288f6d1516c6785b620975e970543a92*",".{0,1000}d1979e633d08e40784a902c1997aadb8288f6d1516c6785b620975e970543a92.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39452" "*d1a23b9adddc0a6dc7806cb8fb9db94adc7263f2712f379dafe654ed38fc6bec*",".{0,1000}d1a23b9adddc0a6dc7806cb8fb9db94adc7263f2712f379dafe654ed38fc6bec.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","39454" "*d1a9af4f13225a46916c1d71c7645098a589ee5f9270aa018c915153c076b76f*",".{0,1000}d1a9af4f13225a46916c1d71c7645098a589ee5f9270aa018c915153c076b76f.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39455" "*d1b48128fb7f0428f84faab96ada38d68dcadfc58cc4ae31400825d4608e0c5b*",".{0,1000}d1b48128fb7f0428f84faab96ada38d68dcadfc58cc4ae31400825d4608e0c5b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39460" "*d1c73f2571c1860b571e45fb43d46dfb7c73342cbd528b29a79a4cfda3f6edca*",".{0,1000}d1c73f2571c1860b571e45fb43d46dfb7c73342cbd528b29a79a4cfda3f6edca.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39464" "*d1d5d89ce34a0d1683d455a17c9dad480160e4b55bcf82fa231f41c19938b0d3*",".{0,1000}d1d5d89ce34a0d1683d455a17c9dad480160e4b55bcf82fa231f41c19938b0d3.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","39473" "*d1d9b02741e5d8742853665aad6a36a74a977fb82108b894712008db8d170276*",".{0,1000}d1d9b02741e5d8742853665aad6a36a74a977fb82108b894712008db8d170276.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39477" 
"*d20f3e5c4081117ace9966329f8460b8c24ff862794a98233b4b23024b9efe58*",".{0,1000}d20f3e5c4081117ace9966329f8460b8c24ff862794a98233b4b23024b9efe58.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39497" "*d21a159ec788b457b98da90633ff963124fe551ff66b86e48635d35175902fa0*",".{0,1000}d21a159ec788b457b98da90633ff963124fe551ff66b86e48635d35175902fa0.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","39500" "*d21a159ec788b457b98da90633ff963124fe551ff66b86e48635d35175902fa0*",".{0,1000}d21a159ec788b457b98da90633ff963124fe551ff66b86e48635d35175902fa0.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","39501" "*d21b617081093f98de5fc1e57700d4a104df67c4965f3fb99dc2650aefbce86f*",".{0,1000}d21b617081093f98de5fc1e57700d4a104df67c4965f3fb99dc2650aefbce86f.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39502" "*d21feb81faa65f44ab7c0c4c77d8e2fb012168ccec13b6b3aa63662812e14023*",".{0,1000}d21feb81faa65f44ab7c0c4c77d8e2fb012168ccec13b6b3aa63662812e14023.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39506" "*d231120f8c76d0e8ecc92451b7af6dfd4d174b04fa5d863bb59f887de1d6c4fa*",".{0,1000}d231120f8c76d0e8ecc92451b7af6dfd4d174b04fa5d863bb59f887de1d6c4fa.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39509" "*d23d0c1f295a7399114b9a07fa987e7dc216dbe989b5d88530eb01d3c87c9c1f*",".{0,1000}d23d0c1f295a7399114b9a07fa987e7dc216dbe989b5d88530eb01d3c87c9c1f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39510" "*d252cafb581626c5cdf72411d66eab796336cb02f4813b11ac34f628a603e482*",".{0,1000}d252cafb581626c5cdf72411d66eab796336cb02f4813b11ac34f628a603e482.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39517" "*d258f53b9e011e64920fb4f74c2cf0386993b9427de52c71b2147676422da83e*",".{0,1000}d258f53b9e011e64920fb4f74c2cf0386993b9427de52c71b2147676422da83e.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","39519" "*d26ab2da54512ae49d5e012c9da66eac5b31be0fd3fa9d4856adad8b4fd5dba3*",".{0,1000}d26ab2da54512ae49d5e012c9da66eac5b31be0fd3fa9d4856adad8b4fd5dba3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39520" "*d273dcfbaab605187495a344d65d3a39f423144bf005a36bee87c292ab202c69*",".{0,1000}d273dcfbaab605187495a344d65d3a39f423144bf005a36bee87c292ab202c69.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","39522" "*d286f6313ade8206ad883cc2c55605964dbf469524cec7116a736d11d389eac9*",".{0,1000}d286f6313ade8206ad883cc2c55605964dbf469524cec7116a736d11d389eac9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39525" "*d2a4c4347120893ff87e7928d1ecd76039e23c29856063ddbb8c7c472e55f2cc*",".{0,1000}d2a4c4347120893ff87e7928d1ecd76039e23c29856063ddbb8c7c472e55f2cc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39535" 
"*d2b2455b755476d0b35c721ccdb84432e51812ab646a9210137c1e85b90d7de4*",".{0,1000}d2b2455b755476d0b35c721ccdb84432e51812ab646a9210137c1e85b90d7de4.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","#filehash","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","39538" "*d2c77570cddbb514f155621f4999c4a6b46454b2aee4f5b48a05a89e57f087fa*",".{0,1000}d2c77570cddbb514f155621f4999c4a6b46454b2aee4f5b48a05a89e57f087fa.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","39541" "*d2d9182fb399ec0a9af347939104765487ca82200e8d3e5ac873c0f309e29f6c*",".{0,1000}d2d9182fb399ec0a9af347939104765487ca82200e8d3e5ac873c0f309e29f6c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39545" 
"*d2ec114cf44c9e15b158efd61850595daa1bc199732cb017d32abc19d66d4f9e*",".{0,1000}d2ec114cf44c9e15b158efd61850595daa1bc199732cb017d32abc19d66d4f9e.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39551" "*d2fa6048dc937b573fa2320647f97cbef00d74286c9e8f363b97463de92bcd75*",".{0,1000}d2fa6048dc937b573fa2320647f97cbef00d74286c9e8f363b97463de92bcd75.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","39554" "*d30c42826f68de8a1df1e86a7caf75b3326ca30f579e1e5c20ad72ade25420a8*",".{0,1000}d30c42826f68de8a1df1e86a7caf75b3326ca30f579e1e5c20ad72ade25420a8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39561" 
"*d321ce59062c8d96dacdfe13e84d1543a296c432291dd4488d79f6b94a565923*",".{0,1000}d321ce59062c8d96dacdfe13e84d1543a296c432291dd4488d79f6b94a565923.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","39567" "*d3230193b881c103cfcae570a22a2f1a742c94fcead8448cd55c47ce820c09bc*",".{0,1000}d3230193b881c103cfcae570a22a2f1a742c94fcead8448cd55c47ce820c09bc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39568" "*d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60*",".{0,1000}d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60.{0,1000}","greyware_tool_keyword","pslist","Microsoft Sysinternals command-line tool to list running processes - abused by threat actors","T1057 - T1012 - T1106","TA0007","N/A","APT10 - APT15 - APT33 - APT34 - Sandworm - APT35 - CHRYSENE - menuPass - GhostEmperor - Magnallium - Elfin","Discovery","https://learn.microsoft.com/pt-br/sysinternals/downloads/pslist","1","0","#filehash","N/A","3","9","N/A","N/A","N/A","N/A","39570" "*d33d83e8b98ce5413603f71b1c0b38c1b5bbe1d1c826b7ada84a7543a6cc6ea6*",".{0,1000}d33d83e8b98ce5413603f71b1c0b38c1b5bbe1d1c826b7ada84a7543a6cc6ea6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39578" "*d341e25ece7b66006ffeae3f76194bb12a9d120368f0616e1ab58186dcaff932*",".{0,1000}d341e25ece7b66006ffeae3f76194bb12a9d120368f0616e1ab58186dcaff932.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39580" "*d34833e0daa78c9a9a36b3ff311596ec7d010afa18d95ca02fc6ee577630d81a*",".{0,1000}d34833e0daa78c9a9a36b3ff311596ec7d010afa18d95ca02fc6ee577630d81a.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39584" "*d3643c6685587b7cf9de48ad151df96b861da4d603b2777ab29b2d52f0ffee99*",".{0,1000}d3643c6685587b7cf9de48ad151df96b861da4d603b2777ab29b2d52f0ffee99.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39587" 
"*d36f3421f55defb2882bb80dfb40367335953a7b54d0275c14ca99a2c0c47c6b*",".{0,1000}d36f3421f55defb2882bb80dfb40367335953a7b54d0275c14ca99a2c0c47c6b.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","39591" "*d36f3a1a27095a0f9ff8c069efcc23472d667b75907afa395502cd3deb6d9321*",".{0,1000}d36f3a1a27095a0f9ff8c069efcc23472d667b75907afa395502cd3deb6d9321.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39592" "*d377c470516465e280c764e07ea16f50cc090082e0a7b888a0b76e42aa1f832c*",".{0,1000}d377c470516465e280c764e07ea16f50cc090082e0a7b888a0b76e42aa1f832c.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","39593" "*d38000d3b741f587f2ddaadafcec1b1764a44989115d2c674895366692b0d545*",".{0,1000}d38000d3b741f587f2ddaadafcec1b1764a44989115d2c674895366692b0d545.{0,1000}","greyware_tool_keyword","gost","GO Simple 
Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39596" "*d3881b865311e774107ee50db4ee9a27cce669ccdd40e92c1990c4f1ec73e523*",".{0,1000}d3881b865311e774107ee50db4ee9a27cce669ccdd40e92c1990c4f1ec73e523.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","39602" "*d39f61dbf2a753769c0efb7712dd7bfa6e1d1593ebaed06150f206f3b6ff7de2*",".{0,1000}d39f61dbf2a753769c0efb7712dd7bfa6e1d1593ebaed06150f206f3b6ff7de2.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","39610" "*d3a481b40889bf4c6fd35b18941de04ddaa2316ad51977a5af7bdddf3650f808*",".{0,1000}d3a481b40889bf4c6fd35b18941de04ddaa2316ad51977a5af7bdddf3650f808.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39611" "*d3ac20c9e1aa6062e8454e12f8dcae4bb66ed6bef18e304268196066760947aa*",".{0,1000}d3ac20c9e1aa6062e8454e12f8dcae4bb66ed6bef18e304268196066760947aa.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39614" "*d3ae15d4a9cc5c19e380cea606bc247b3765f93928dd7ae2d03e1f0a4f623db9*",".{0,1000}d3ae15d4a9cc5c19e380cea606bc247b3765f93928dd7ae2d03e1f0a4f623db9.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39615" "*d3afed5d69df35d875e4243cd45f9f539a69c48c8f19f9e59ecc4b2422dfdb4e*",".{0,1000}d3afed5d69df35d875e4243cd45f9f539a69c48c8f19f9e59ecc4b2422dfdb4e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39616" "*d3b331e8568b4aa59710b2a731541d625138fa0d37aa26fda679a6b8713827ad*",".{0,1000}d3b331e8568b4aa59710b2a731541d625138fa0d37aa26fda679a6b8713827ad.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","39617" "*d3b9e8104fcf67fd9ac71d9cf0bc29d3c870ea60c79ce8b9e9d9bfc1d64c3809*",".{0,1000}d3b9e8104fcf67fd9ac71d9cf0bc29d3c870ea60c79ce8b9e9d9bfc1d64c3809.{0,1000}","greyware_tool_keyword","pingcastle","active directory 
weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","39618" "*d3ca7fc7741d1c53f23d0412824e565483bca19a43258005abf2f41cb8e19fbc*",".{0,1000}d3ca7fc7741d1c53f23d0412824e565483bca19a43258005abf2f41cb8e19fbc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39622" "*d3d1b199ed7e63c9deb5ce18c253a8cbe2c79c00f120d8a38fb987bf9add796c*",".{0,1000}d3d1b199ed7e63c9deb5ce18c253a8cbe2c79c00f120d8a38fb987bf9add796c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39627" "*d3e630985cb4b429375d79dd506842da176a9cbe4e0afb992c694cab48f3e7ce*",".{0,1000}d3e630985cb4b429375d79dd506842da176a9cbe4e0afb992c694cab48f3e7ce.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","39630" "*d3e8653dd2a94a1077031b324abffd914403d8477f16a6240525953af26e8e13*",".{0,1000}d3e8653dd2a94a1077031b324abffd914403d8477f16a6240525953af26e8e13.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39633" "*d3ebd06d4b88d5e4393e19b093fc74c773cd41db3d3a04662864934d5cf7dd05*",".{0,1000}d3ebd06d4b88d5e4393e19b093fc74c773cd41db3d3a04662864934d5cf7dd05.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39635" 
"*d3f7f5fce71cbd20a86771949c9fe143cf4732f69db1cd9beaafd6a6a9de795b*",".{0,1000}d3f7f5fce71cbd20a86771949c9fe143cf4732f69db1cd9beaafd6a6a9de795b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39636" "*d3fc4d5bc4e176a51422c1cc9fc882b6ee646b0aa57dbb59feb42fa3c85783e8*",".{0,1000}d3fc4d5bc4e176a51422c1cc9fc882b6ee646b0aa57dbb59feb42fa3c85783e8.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39639" "*d4016a747a083cd6a02f81fc980adf7b318c625a00227ef9a216706318800165*",".{0,1000}d4016a747a083cd6a02f81fc980adf7b318c625a00227ef9a216706318800165.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39643" "*d40270cb6d23e194a1ecb483a41ed42d9edf803b6c207b7599ff5813036f5e5e*",".{0,1000}d40270cb6d23e194a1ecb483a41ed42d9edf803b6c207b7599ff5813036f5e5e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39644" 
"*d4284fe74349d67fb89076845ce27d80a378d35b76622a57e32581ea1226859f*",".{0,1000}d4284fe74349d67fb89076845ce27d80a378d35b76622a57e32581ea1226859f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39650" "*d42e64cfcb227a43ebd33e91b8bf5f49c8095f588477a9400d1107aab52b84f4*",".{0,1000}d42e64cfcb227a43ebd33e91b8bf5f49c8095f588477a9400d1107aab52b84f4.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","39651" "*d44e3a415d99266b1759d1e452d3cf115ae01acb822bdff471f19f90c2cf7426*",".{0,1000}d44e3a415d99266b1759d1e452d3cf115ae01acb822bdff471f19f90c2cf7426.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","39662" 
"*d454762487d1118fa84e8931d4ae93bdf0c39fa1f42deb177825eb8d94e8f989*",".{0,1000}d454762487d1118fa84e8931d4ae93bdf0c39fa1f42deb177825eb8d94e8f989.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39665" "*d458887ece9050b08d1d58c2718110643b87f254981cda6c86f25dd5559e3867*",".{0,1000}d458887ece9050b08d1d58c2718110643b87f254981cda6c86f25dd5559e3867.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39668" "*d458d70dd88048d1fc898d5422ed570e912d3f3ef3ee5928871438a08514f725*",".{0,1000}d458d70dd88048d1fc898d5422ed570e912d3f3ef3ee5928871438a08514f725.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39669" "*d48623a74a00577be0409d912f8197a110f13192eab99d3959ceb11496ed0903*",".{0,1000}d48623a74a00577be0409d912f8197a110f13192eab99d3959ceb11496ed0903.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39675" 
"*d49e100ae7518571c6b4953693cc63e975072203787c492f389326ea3b1e988f*",".{0,1000}d49e100ae7518571c6b4953693cc63e975072203787c492f389326ea3b1e988f.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","39680" "*d4a4b8c5f774ed28466d584b62cc61f44d2f89f139c7df2e63aefcfc203c2f3a*",".{0,1000}d4a4b8c5f774ed28466d584b62cc61f44d2f89f139c7df2e63aefcfc203c2f3a.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39681" "*d4aad882569aff9ce3278da721369d41d831bb57284c4e40efe0730243b4b84a*",".{0,1000}d4aad882569aff9ce3278da721369d41d831bb57284c4e40efe0730243b4b84a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39683" "*d4ad1e550ef4d054f3c44601772f9df630323da7b8d28303c649d36659c63e76*",".{0,1000}d4ad1e550ef4d054f3c44601772f9df630323da7b8d28303c649d36659c63e76.{0,1000}","greyware_tool_keyword","gost","GO 
Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39685" "*d4b47cb2d86b693e7999faff18e2d841a65cebfb0b561cf0592de1b596fde0b4*",".{0,1000}d4b47cb2d86b693e7999faff18e2d841a65cebfb0b561cf0592de1b596fde0b4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39686" "*d4b4b82d0662242a987ebeb97286034aaebfff210180986e023a56513a1a300f*",".{0,1000}d4b4b82d0662242a987ebeb97286034aaebfff210180986e023a56513a1a300f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39687" "*d4b7b74fc20c86b21e6fd045f0ba717eb40425261428f70501bf226b4ef62cc8*",".{0,1000}d4b7b74fc20c86b21e6fd045f0ba717eb40425261428f70501bf226b4ef62cc8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black 
Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39688" "*d4c1b56d9fb1ef2a6e3f9475a9a0ef9fa822a3e47dff1c3ca4ddba2b3ff0e68b*",".{0,1000}d4c1b56d9fb1ef2a6e3f9475a9a0ef9fa822a3e47dff1c3ca4ddba2b3ff0e68b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39693" "*d50c5321bc4ecc9dc77f72e62e4f2456b4501af29f5d35a0d402b887a6f096c2*",".{0,1000}d50c5321bc4ecc9dc77f72e62e4f2456b4501af29f5d35a0d402b887a6f096c2.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39709" "*d516e6b86a3a8b8dd7e5abb426ca435077178539379c2253ba035b0a0b08bc8b*",".{0,1000}d516e6b86a3a8b8dd7e5abb426ca435077178539379c2253ba035b0a0b08bc8b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39711" "*d520c8bd60a9f8da3a90b1b47194dfb17df78554a97de633fda813c0152c01b1*",".{0,1000}d520c8bd60a9f8da3a90b1b47194dfb17df78554a97de633fda813c0152c01b1.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","39714" "*d5257c716525f4cc42778285074e6425b22a272333d08cc75fa27334025b4c90*",".{0,1000}d5257c716525f4cc42778285074e6425b22a272333d08cc75fa27334025b4c90.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39715" "*d5306863ae3c851f030b46f8a01db4595170dc8a875bf7e527d697ae122ae1bd*",".{0,1000}d5306863ae3c851f030b46f8a01db4595170dc8a875bf7e527d697ae122ae1bd.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39718" "*d55689c6b7dd5abf42d07d297208abc256fcc57fea22d806d16b0d41650dbe70*",".{0,1000}d55689c6b7dd5abf42d07d297208abc256fcc57fea22d806d16b0d41650dbe70.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - 
TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","39726" "*d5687d84d518119cbdd84183bfe8cb29009d054794b3aed5bda7ad117a7e4d5e*",".{0,1000}d5687d84d518119cbdd84183bfe8cb29009d054794b3aed5bda7ad117a7e4d5e.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","0","#filehash","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","39731" "*d57360ea543abdf4a3fa0b150ad4e0f2ca506f3d88c2c4e807cfaf684d9a73d9*",".{0,1000}d57360ea543abdf4a3fa0b150ad4e0f2ca506f3d88c2c4e807cfaf684d9a73d9.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39735" "*d57684855baf42e911b235c7ffb5a106aac875461d5faeb059c4d941e7b5cfd6*",".{0,1000}d57684855baf42e911b235c7ffb5a106aac875461d5faeb059c4d941e7b5cfd6.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","39737" 
"*d57bf75bc694c0f583e9e23acee5dc35a2ab719a842adb52008ed494d0cd5979*",".{0,1000}d57bf75bc694c0f583e9e23acee5dc35a2ab719a842adb52008ed494d0cd5979.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39740" "*d57bf88fbac385c407440291aeeffce75f46a1fa251efd5e3edac9d60f1e6984*",".{0,1000}d57bf88fbac385c407440291aeeffce75f46a1fa251efd5e3edac9d60f1e6984.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","39741" "*d57d7f7d9c174ed17d734fad8135900934b3b8a347743c0432f931b784be1d63*",".{0,1000}d57d7f7d9c174ed17d734fad8135900934b3b8a347743c0432f931b784be1d63.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39744" "*d59838007c4724beca80ad34c6adc749c526f6de636d79e06565499d0e390110*",".{0,1000}d59838007c4724beca80ad34c6adc749c526f6de636d79e06565499d0e390110.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to 
run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","39750" "*d599ad55cf5281a8c69770267785aa5c72467bcd91e0a39f0e78a76723c32802*",".{0,1000}d599ad55cf5281a8c69770267785aa5c72467bcd91e0a39f0e78a76723c32802.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39751" "*d5a54de1522f18cd135c4fc069fb3f2ee4a12fba0cc17d08a93215048df45189*",".{0,1000}d5a54de1522f18cd135c4fc069fb3f2ee4a12fba0cc17d08a93215048df45189.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39752" "*d5a69f708787b96bd6ec795b073a7bffe4d440bc64817e3a5b8e9fab9a9f8244*",".{0,1000}d5a69f708787b96bd6ec795b073a7bffe4d440bc64817e3a5b8e9fab9a9f8244.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39753" "*d5be8ba1112a210428cac87772b6d7902a9b9299b9a658d03ffbc52e9d125593*",".{0,1000}d5be8ba1112a210428cac87772b6d7902a9b9299b9a658d03ffbc52e9d125593.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#filehash","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","39757" "*d5c8a0366f1da07c7f8fee1ca50a96991c9e8e9dbcf9b45ce09c1018616172d3*",".{0,1000}d5c8a0366f1da07c7f8fee1ca50a96991c9e8e9dbcf9b45ce09c1018616172d3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39760" 
"*d5c8fbea45f7ce94a5c4753e733ef530aae702a90eb67d7ac00faa8a9e8e9024*",".{0,1000}d5c8fbea45f7ce94a5c4753e733ef530aae702a90eb67d7ac00faa8a9e8e9024.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39762" "*d5d2ee272caa314a731dcc59ed4474c9f34953c617e8c29fdd86ea8c017f2e91*",".{0,1000}d5d2ee272caa314a731dcc59ed4474c9f34953c617e8c29fdd86ea8c017f2e91.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39764" "*d5e79002815d4d904942d07786fab82492f83912d175804e21c059c00efe3d95*",".{0,1000}d5e79002815d4d904942d07786fab82492f83912d175804e21c059c00efe3d95.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","39767" "*d5e9c1240d27ba95d119b00be2319999d9113b754c36e238f8b5151330834fa5*",".{0,1000}d5e9c1240d27ba95d119b00be2319999d9113b754c36e238f8b5151330834fa5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - 
INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39768" "*d5f0bd19109ae3e6385b613848cc09bee2d9b9a853c56ee82b75c888a2369499*",".{0,1000}d5f0bd19109ae3e6385b613848cc09bee2d9b9a853c56ee82b75c888a2369499.{0,1000}","greyware_tool_keyword","rathole","Expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","39770" "*d5f1ce259c6bc7d54e2f670d336d7cefa1246ad42bd6c81188f4dafb997a342a*",".{0,1000}d5f1ce259c6bc7d54e2f670d336d7cefa1246ad42bd6c81188f4dafb997a342a.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","39771" "*d6373caf2bb26e7956c976d7d9142a082a0c259525bac3d5bb2fcfcbbfa63bc6*",".{0,1000}d6373caf2bb26e7956c976d7d9142a082a0c259525bac3d5bb2fcfcbbfa63bc6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39782" "*d63a94ec88f903d6bf9a4912276133242b569d0308b2f4ba29b3cfa786ce46d1*",".{0,1000}d63a94ec88f903d6bf9a4912276133242b569d0308b2f4ba29b3cfa786ce46d1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused
by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39785" "*d63b7a3365a5374daa0f9418d26334c3e913d762599071d1d7e629b2e675e4e7*",".{0,1000}d63b7a3365a5374daa0f9418d26334c3e913d762599071d1d7e629b2e675e4e7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39786" "*d6430b77260fe3cd4fde6422317cbf232f7af5e29bd81267d10f48b01afec850*",".{0,1000}d6430b77260fe3cd4fde6422317cbf232f7af5e29bd81267d10f48b01afec850.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39788" "*d64a88d7358e05461e8a42520e7c56dc7220c0320495213333ff91ff3b5274d2*",".{0,1000}d64a88d7358e05461e8a42520e7c56dc7220c0320495213333ff91ff3b5274d2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal -
Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39790" "*d6541e6233d5baf5190b494f434dcf30943c33d4bb78266cac230eb905a10f50*",".{0,1000}d6541e6233d5baf5190b494f434dcf30943c33d4bb78266cac230eb905a10f50.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","39797" "*d66a79fcbac667d28014c15003770a35bd941c346e87fb8e4e1b7fd02c3291c9*",".{0,1000}d66a79fcbac667d28014c15003770a35bd941c346e87fb8e4e1b7fd02c3291c9.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","39805" "*d67778ebd40bff99e1f248b1612d64f70191632b64af60ea53403d2550f2d640*",".{0,1000}d67778ebd40bff99e1f248b1612d64f70191632b64af60ea53403d2550f2d640.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","39809" "*d6777b4c6f1d93d8b23df1499c0ca56a9531ff823b07b923e094c9e9dba0d304*",".{0,1000}d6777b4c6f1d93d8b23df1499c0ca56a9531ff823b07b923e094c9e9dba0d304.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","39810" "*d686b1a4135947718e7a8157a8cb6694ed50e2267713de1972941148a8859789*",".{0,1000}d686b1a4135947718e7a8157a8cb6694ed50e2267713de1972941148a8859789.{0,1000}","greyware_tool_keyword","stunnel","Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs","T1573 - T1071 - T1090","TA0010 - TA0011 - TA0003","N/A","APT37 - APT38 - Kimsuky","C2","https://www.stunnel.org/index.html","1","0","#filehash","N/A","7","8","N/A","N/A","N/A","N/A","39815" "*d68eab271b4e5ec8de105d2bf87d9b3bf6b1f56634bc2259573ea371883d31f0*",".{0,1000}d68eab271b4e5ec8de105d2bf87d9b3bf6b1f56634bc2259573ea371883d31f0.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by 
attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","39817" "*d692deb721e9ac81db35e26542abbc64f26aebb0f232dab53d390de7a03461da*",".{0,1000}d692deb721e9ac81db35e26542abbc64f26aebb0f232dab53d390de7a03461da.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","39818" "*d6c358a2b66fae4f2c9fa4ffa8cd37f6ab9b7d27c83414f70c1d6a210812f0fa*",".{0,1000}d6c358a2b66fae4f2c9fa4ffa8cd37f6ab9b7d27c83414f70c1d6a210812f0fa.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","39830" "*d6d55eb0eabd43a50f6de2f77b7b67e2136578e8d5ab0dfbbefe21bda3937e91*",".{0,1000}d6d55eb0eabd43a50f6de2f77b7b67e2136578e8d5ab0dfbbefe21bda3937e91.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39831" "*d6debc94457abfce0e9fb02187fab3555dcef123591e4b167743d6322f02594a*",".{0,1000}d6debc94457abfce0e9fb02187fab3555dcef123591e4b167743d6322f02594a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39834" "*d6e5f1a398a35682f888bbce3b6187389d845778327479fb80091cd7ffcf78c7*",".{0,1000}d6e5f1a398a35682f888bbce3b6187389d845778327479fb80091cd7ffcf78c7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","39836" "*d6e656ad3fba0ef5630a6607f3b02ee5920085a8fc724e7617d959300d809cab*",".{0,1000}d6e656ad3fba0ef5630a6607f3b02ee5920085a8fc724e7617d959300d809cab.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39837" "*d70cda7c8116dab7b29389db19375fcec3422cc05737f8f151803ad767eaac80*",".{0,1000}d70cda7c8116dab7b29389db19375fcec3422cc05737f8f151803ad767eaac80.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash 
#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","39846" "*d7102b8487a285583c69c54bf0bb7a40148eee6050e45ced1d0380bf83ae7aaa*",".{0,1000}d7102b8487a285583c69c54bf0bb7a40148eee6050e45ced1d0380bf83ae7aaa.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","39847" "*d71402e86412d4e7a04585f68e9945454cecdac2c3e6d95ba000b8809109e7ff*",".{0,1000}d71402e86412d4e7a04585f68e9945454cecdac2c3e6d95ba000b8809109e7ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39848" "*d71ba928d2755294ac049a66949606ee82e0e0a7bbb87760ae9fd1bcf24c0b8c*",".{0,1000}d71ba928d2755294ac049a66949606ee82e0e0a7bbb87760ae9fd1bcf24c0b8c.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","39850" 
"*d71bbdd588cd4f1507ea794ed63be80a7cb3bbb1d30430150dd8800adec83fd5*",".{0,1000}d71bbdd588cd4f1507ea794ed63be80a7cb3bbb1d30430150dd8800adec83fd5.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","39851" "*d72dd4d052362db7dee1bb2ed177279d4b4f6199288b7a0f9f377accc67e8f01*",".{0,1000}d72dd4d052362db7dee1bb2ed177279d4b4f6199288b7a0f9f377accc67e8f01.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","39856" "*d72df0b6f38c46c3a730b2a16cb073e4b454e3da73d929298b4c342165f670f6*",".{0,1000}d72df0b6f38c46c3a730b2a16cb073e4b454e3da73d929298b4c342165f670f6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39857" 
"*d736a57972bb7ee3398cf6b45f30e5455d51266f5305987534b45a4ef505f965*",".{0,1000}d736a57972bb7ee3398cf6b45f30e5455d51266f5305987534b45a4ef505f965.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39858" "*d7646ca3a26760fe5633288d79d7b6a44cfc19a85c5315f94e0861963f1c601e*",".{0,1000}d7646ca3a26760fe5633288d79d7b6a44cfc19a85c5315f94e0861963f1c601e.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","39873" "*d76e6248bbbac71a6066ad5c2e1908971c04e82db9ec2b14024c5bd8256a0e16*",".{0,1000}d76e6248bbbac71a6066ad5c2e1908971c04e82db9ec2b14024c5bd8256a0e16.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39875" 
"*d76ff4ce0fd6ea09c3585da889e833b060e62752d4459e0982805596ceb1f4d0*",".{0,1000}d76ff4ce0fd6ea09c3585da889e833b060e62752d4459e0982805596ceb1f4d0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39876" "*d77577b4a183167f9e8b5f798e3f71fa4f41c81d1db9ce37c68bb6decfbdf737*",".{0,1000}d77577b4a183167f9e8b5f798e3f71fa4f41c81d1db9ce37c68bb6decfbdf737.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","39877" "*d789739fc4f5928ee0cb38a4520f9562562cffb2e3a48ab3cd6ba0c6e8b4cfb5*",".{0,1000}d789739fc4f5928ee0cb38a4520f9562562cffb2e3a48ab3cd6ba0c6e8b4cfb5.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","39883" 
"*d79111ec8fa3659c887dd4e82f8ce6ff39391de6860ca0c2045469d6ab76a44f*",".{0,1000}d79111ec8fa3659c887dd4e82f8ce6ff39391de6860ca0c2045469d6ab76a44f.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","39885" "*d7a7a6085fa6a9f8de0ae2c221c1ef110b9afc2a0122a058482ef3974d031ac0*",".{0,1000}d7a7a6085fa6a9f8de0ae2c221c1ef110b9afc2a0122a058482ef3974d031ac0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39895" "*d7b7a7f5495c5fa5ab70827e041e6f48b2e3a13d26c83706369f8b83080a2e8f*",".{0,1000}d7b7a7f5495c5fa5ab70827e041e6f48b2e3a13d26c83706369f8b83080a2e8f.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","39899" "*d7c2ffe601af16d168d881b88817df81e9bc8646e56643545bd9a11f01ebac6a*",".{0,1000}d7c2ffe601af16d168d881b88817df81e9bc8646e56643545bd9a11f01ebac6a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","39902" "*d7ebe2b8352754e396c34d75c90e53ecd5fc15edb4492fc52eaba80a3ae991eb*",".{0,1000}d7ebe2b8352754e396c34d75c90e53ecd5fc15edb4492fc52eaba80a3ae991eb.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","39911" "*d7eceeb90b1e75b17c42c6cef5b42e0ef1dc615efba9424bafce718304c7ee43*",".{0,1000}d7eceeb90b1e75b17c42c6cef5b42e0ef1dc615efba9424bafce718304c7ee43.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","39912" "*d7eee6b4038ca7d25bd062a2fabcf5d2c5683a9e59623d6a6a25472ed877f78f*",".{0,1000}d7eee6b4038ca7d25bd062a2fabcf5d2c5683a9e59623d6a6a25472ed877f78f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39913" "*d7f98934b1bf71960575a07e022836d6d9d68919885a0766b52c50d30cfa926c*",".{0,1000}d7f98934b1bf71960575a07e022836d6d9d68919885a0766b52c50d30cfa926c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39915" "*d80046ee572c3222790560fc51c02de131507d5425bed6cecca98bc3f3ca50e9*",".{0,1000}d80046ee572c3222790560fc51c02de131507d5425bed6cecca98bc3f3ca50e9.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","39916" "*d810084b9bb4b7c552be24f744165d6a46d777d39bf36f3a5951df7108b77437*",".{0,1000}d810084b9bb4b7c552be24f744165d6a46d777d39bf36f3a5951df7108b77437.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39922" "*d8289c3873b04fe89664452f40f859431572e3417ef3fc102d7eacf8f8b288cf*",".{0,1000}d8289c3873b04fe89664452f40f859431572e3417ef3fc102d7eacf8f8b288cf.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","39926" 
"*d83b468e63c93a1496d8205ae9ac103540e23f1bb9410fca97020ab661552e11*",".{0,1000}d83b468e63c93a1496d8205ae9ac103540e23f1bb9410fca97020ab661552e11.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39931" "*d83e8652c11bd2324721eaf55a2308c71be9233ef15ce72ce06c3e9fedab6320*",".{0,1000}d83e8652c11bd2324721eaf55a2308c71be9233ef15ce72ce06c3e9fedab6320.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39934" "*d8445e3bd78bac3cc8f8a3f23b68ab971fb85ff061059f8256e41c6b892374f4*",".{0,1000}d8445e3bd78bac3cc8f8a3f23b68ab971fb85ff061059f8256e41c6b892374f4.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","39935" "*d84969f4cdb8cb0518ecff3a0e9b8de406586afbd3ed9d7307691b375d2eb70b*",".{0,1000}d84969f4cdb8cb0518ecff3a0e9b8de406586afbd3ed9d7307691b375d2eb70b.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in 
golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39936" "*d84efd06178700a83d135862d6c7419dce2e12df92c78850dc7cc5b1da482abd*",".{0,1000}d84efd06178700a83d135862d6c7419dce2e12df92c78850dc7cc5b1da482abd.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","39938" "*d86c3884cb7ea73c0fd5e67c49e5375cd30fa5209a46f1bb620c1a8f52964488*",".{0,1000}d86c3884cb7ea73c0fd5e67c49e5375cd30fa5209a46f1bb620c1a8f52964488.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39954" "*d86d0e7d28948669b8180e8e16ae68db0fd794e918842ac4a21c58b8f41b75ee*",".{0,1000}d86d0e7d28948669b8180e8e16ae68db0fd794e918842ac4a21c58b8f41b75ee.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39955" "*d885e7309ccdb44151ee091e2b75c54cdcb02b701ff6e4de6217afad5eb30e6e*",".{0,1000}d885e7309ccdb44151ee091e2b75c54cdcb02b701ff6e4de6217afad5eb30e6e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39960" "*d8902a73e518bf15abfd269a8e75d3aac0965e09a185f0aef9c99ef3e903bdac*",".{0,1000}d8902a73e518bf15abfd269a8e75d3aac0965e09a185f0aef9c99ef3e903bdac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39964" "*d8aa3176d3cdb0deede2becaa1c383db0c78404f829c2dd06de86736fde68a09*",".{0,1000}d8aa3176d3cdb0deede2becaa1c383db0c78404f829c2dd06de86736fde68a09.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","39969" 
"*d8cade3974728b8a3221c96a2b4c6beca41f13a2092cfd65deea83be6c78c6a0*",".{0,1000}d8cade3974728b8a3221c96a2b4c6beca41f13a2092cfd65deea83be6c78c6a0.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","39973" "*d8d88c5aecf5f0b27208387cc830fd094e2b0e7230a965728a6862ee9c8278e0*",".{0,1000}d8d88c5aecf5f0b27208387cc830fd094e2b0e7230a965728a6862ee9c8278e0.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","39974" "*d8e28bded459511fc27e300d88c4bee0fda36e7e6222d6d9b9a32e5986163881*",".{0,1000}d8e28bded459511fc27e300d88c4bee0fda36e7e6222d6d9b9a32e5986163881.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39976" "*d8ff06a0103bf12f790b0c95c41a7c5907d48d1d11a8e68ba2f4b78129a28d30*",".{0,1000}d8ff06a0103bf12f790b0c95c41a7c5907d48d1d11a8e68ba2f4b78129a28d30.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with 
cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39980" "*d9032c75bd7e249aeb2df614ae73f50b2a488008efe492e9a6709e97bcf69da5*",".{0,1000}d9032c75bd7e249aeb2df614ae73f50b2a488008efe492e9a6709e97bcf69da5.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","39982" "*d90e2fb20e7db4b605b0de5eac4f830f38f94fc2093cca54cb6eb7b4c46d68fa*",".{0,1000}d90e2fb20e7db4b605b0de5eac4f830f38f94fc2093cca54cb6eb7b4c46d68fa.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","39985" "*d90f7f2b3421cf2f3342f143358dcbeed09ce2580338f184b31c79ab4a24a5de*",".{0,1000}d90f7f2b3421cf2f3342f143358dcbeed09ce2580338f184b31c79ab4a24a5de.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","39989" "*d9473d3695626684a9cae93f417516900fd0f21a03f61e6943f50435c762ac73*",".{0,1000}d9473d3695626684a9cae93f417516900fd0f21a03f61e6943f50435c762ac73.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","40001" "*d9499b5feb59b820c0b9610da94455e1ef96ea018e170261ffabedda39044cce*",".{0,1000}d9499b5feb59b820c0b9610da94455e1ef96ea018e170261ffabedda39044cce.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","40002" "*d9aebc560abab311a8fe955f4e01952d542e033c368751f892dfa69f504b1eab*",".{0,1000}d9aebc560abab311a8fe955f4e01952d542e033c368751f892dfa69f504b1eab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* 
- Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40024" "*d9b6a53b78a6ac70f165ebebd6ebea9de40da7b200a92d576ac3d687a27e158e*",".{0,1000}d9b6a53b78a6ac70f165ebebd6ebea9de40da7b200a92d576ac3d687a27e158e.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","40029" "*d9bc47b827286a20cdd880d7d1abb2ac7b0bf164bfeab44fcfbbd1fb29f815bf*",".{0,1000}d9bc47b827286a20cdd880d7d1abb2ac7b0bf164bfeab44fcfbbd1fb29f815bf.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","40032" "*d9d826b12867990006f7a5bc6f015d0effde87b65427c0a3f7b23370314ad16f*",".{0,1000}d9d826b12867990006f7a5bc6f015d0effde87b65427c0a3f7b23370314ad16f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40038" "*da0f02b6a9829a8719731e156b78f7a647075d53d48d784ba530a2477f76f263*",".{0,1000}da0f02b6a9829a8719731e156b78f7a647075d53d48d784ba530a2477f76f263.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with 
cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40047" "*da1645fa73088118140bdcc6e29203194532b81a7653a17632e3bf191a41a372*",".{0,1000}da1645fa73088118140bdcc6e29203194532b81a7653a17632e3bf191a41a372.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40050" "*da409444f4db4761ccf441e1e9ba8ba39ab8e63bf0dcc8054308aa5e805379d6*",".{0,1000}da409444f4db4761ccf441e1e9ba8ba39ab8e63bf0dcc8054308aa5e805379d6.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","40058" 
"*da638646b76966fe9ba2ab4a49aa9fa74324e58d5abaec2ebf9657069a905699*",".{0,1000}da638646b76966fe9ba2ab4a49aa9fa74324e58d5abaec2ebf9657069a905699.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40062" "*daabc151e0d5a6436c71bceedf79759369a11edb7fc75a2dd9b2f32098ac2b65*",".{0,1000}daabc151e0d5a6436c71bceedf79759369a11edb7fc75a2dd9b2f32098ac2b65.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40079" "*dab18572b7ed5e6c70ae7e1973a6af974aed0ab30bed7d385a92ae7cc22851ac*",".{0,1000}dab18572b7ed5e6c70ae7e1973a6af974aed0ab30bed7d385a92ae7cc22851ac.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40080" "*dacdb4976fd75ab2fd7bb22f1b2f9d986f5d92c29555ce2b165c020e2816a200*",".{0,1000}dacdb4976fd75ab2fd7bb22f1b2f9d986f5d92c29555ce2b165c020e2816a200.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support 
only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","#filehash","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","40086" "*dae5e6e39107a66dc5c8ea59f6f27b16c54bd6be31f57e3281f6d87de30e05b0*",".{0,1000}dae5e6e39107a66dc5c8ea59f6f27b16c54bd6be31f57e3281f6d87de30e05b0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40093" "*dae86be018d5317f61477f260e8508149e769688aa642327fc6caba5786cc26d*",".{0,1000}dae86be018d5317f61477f260e8508149e769688aa642327fc6caba5786cc26d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","40095" "*daf162e5cc90599aab036b7bb4ed6d4c521b2f5732a6cb40b08a00e6714deaa3*",".{0,1000}daf162e5cc90599aab036b7bb4ed6d4c521b2f5732a6cb40b08a00e6714deaa3.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40099" "*DameWare Development Common Data\Mini Remote Control*",".{0,1000}DameWare\sDevelopment\sCommon\sData\\Mini\sRemote\sControl.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote 
Control","10","10","N/A","N/A","N/A","N/A","40115" "*DameWare Development\Agent Configuration*",".{0,1000}DameWare\sDevelopment\\Agent\sConfiguration.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","40116" "*dameware remote everywhere agent - [dameware]*",".{0,1000}dameware\sremote\severywhere\sagent\s\-\s\[dameware\].{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40117" "*DameWare Remote Support.exe*",".{0,1000}DameWare\sRemote\sSupport\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","40118" "*damewareagent.msi*",".{0,1000}damewareagent\.msi.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40119" "*damewareremoteeverywhereagent.exe*",".{0,1000}damewareremoteeverywhereagent\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40120" 
"*damewareremoteeverywhereconsole.exe*",".{0,1000}damewareremoteeverywhereconsole\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40121" "*daps94/SirTunnel*",".{0,1000}daps94\/SirTunnel.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","40135" "*dashboard.tunnelmole.com*",".{0,1000}dashboard\.tunnelmole\.com.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","40158" "*-data.rel.tunnels.api.visualstudio.com*",".{0,1000}\-data\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. 
This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","0","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40164" "*data.syncthing.net*",".{0,1000}data\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","40165" "*dataplicity.portforward.Service*",".{0,1000}dataplicity\.portforward\.Service.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#content","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","40178" "*dataplicity.subcommands.run*",".{0,1000}dataplicity\.subcommands\.run.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#content","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","40179" "*db015ab1-abcd-1234-5678-133337c0ffee*",".{0,1000}db015ab1\-abcd\-1234\-5678\-133337c0ffee.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - 
TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","#GUIDproject","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","40197" "*db195f43c7e99cd90369d0598c414025df797c3496e8dd9299162fae7d013833*",".{0,1000}db195f43c7e99cd90369d0598c414025df797c3496e8dd9299162fae7d013833.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40205" "*db20e3d1a1eb02a323d1d3abcdd7adfdb71c04965988edb4e75fbe28c03858bc*",".{0,1000}db20e3d1a1eb02a323d1d3abcdd7adfdb71c04965988edb4e75fbe28c03858bc.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","40209" "*db2975501126fc0f61097acdff7484655e5d37b01de8c509c2c5e0e88591fb42*",".{0,1000}db2975501126fc0f61097acdff7484655e5d37b01de8c509c2c5e0e88591fb42.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40212" 
"*db312dd2a5735817125933d4fcee8ebab756c9f402e35c687b5f967658628307*",".{0,1000}db312dd2a5735817125933d4fcee8ebab756c9f402e35c687b5f967658628307.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","40215" "*db351869cc3fdf6b88678f72515adc4ce5600462880100306d5597eb3e2ed516*",".{0,1000}db351869cc3fdf6b88678f72515adc4ce5600462880100306d5597eb3e2ed516.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40219" "*db3860e4549af28d87aa83f2035a57c5d081b179e40d4c828db19c3c3545831e*",".{0,1000}db3860e4549af28d87aa83f2035a57c5d081b179e40d4c828db19c3c3545831e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40222" "*db53bdef3b270e45fb9efc489af2948be7c7fa1e3a5cae9698f2832e628bcd3b*",".{0,1000}db53bdef3b270e45fb9efc489af2948be7c7fa1e3a5cae9698f2832e628bcd3b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the 
internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40226" "*db5dd550a11b68ef48f084413db4cfe87f677cda58c7168f777abfcdc63d6479*",".{0,1000}db5dd550a11b68ef48f084413db4cfe87f677cda58c7168f777abfcdc63d6479.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","40232" "*db5df4b216cfc30f8a23337a875331dfa29a90ec6d1330aa834bd5eb641c2c6a*",".{0,1000}db5df4b216cfc30f8a23337a875331dfa29a90ec6d1330aa834bd5eb641c2c6a.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","40233" "*db6cf2fe1a2aef656873303d04ae8125bde61b11eccd551dc57969353a2c8141*",".{0,1000}db6cf2fe1a2aef656873303d04ae8125bde61b11eccd551dc57969353a2c8141.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","40240" "*db71a0c966e917def48ab32e67962d37dbfb4ad527f3e3c9615d6a45a69ba69b*",".{0,1000}db71a0c966e917def48ab32e67962d37dbfb4ad527f3e3c9615d6a45a69ba69b.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","40241" "*db73ab5dce549d531bd7e8ec51a89bf5040da07200e2834e7b652a0384db783b*",".{0,1000}db73ab5dce549d531bd7e8ec51a89bf5040da07200e2834e7b652a0384db783b.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","40242" "*db778fca7bf230b926b5ebb34d3b97bb3be5a89bec8254f824ccdd57ba2b31e8*",".{0,1000}db778fca7bf230b926b5ebb34d3b97bb3be5a89bec8254f824ccdd57ba2b31e8.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40243" "*db80349f17c39f502a631afda7cf5b95b2a85cdcafa92359b9f4d0375772c440*",".{0,1000}db80349f17c39f502a631afda7cf5b95b2a85cdcafa92359b9f4d0375772c440.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40247" "*db8f43c3b82fa1517800e8672750708886820c4eafe4d72f96773898ad996588*",".{0,1000}db8f43c3b82fa1517800e8672750708886820c4eafe4d72f96773898ad996588.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40253" "*db9de96c8020db93542e0abe95168831257d9ab6e68ff0430e28deb019e31640*",".{0,1000}db9de96c8020db93542e0abe95168831257d9ab6e68ff0430e28deb019e31640.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40255" "*db9fe305a4ca18b39e80a2b5bf0f6ea32bf41b968798897703647bbeb39e11f7*",".{0,1000}db9fe305a4ca18b39e80a2b5bf0f6ea32bf41b968798897703647bbeb39e11f7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40257" "*dba96683300231f309727df9f7aa6648bd50d67ae0babf6c3304ab212bd40d39*",".{0,1000}dba96683300231f309727df9f7aa6648bd50d67ae0babf6c3304ab212bd40d39.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40259" "*dbdbnchagbkhknegmhgikkleoogjcfge*",".{0,1000}dbdbnchagbkhknegmhgikkleoogjcfge.{0,1000}","greyware_tool_keyword","Hideman VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry
#VPN","N/A","8","10","N/A","N/A","N/A","N/A","40280" "*dbddf4f46acf5b70e2885afac12a8c7caca7f3ea2d431011050635441869131f*",".{0,1000}dbddf4f46acf5b70e2885afac12a8c7caca7f3ea2d431011050635441869131f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40281" "*dbe8f08cde1240ef9425df1a9412d4810d1bc9cbeada6b4129da15492e118af1*",".{0,1000}dbe8f08cde1240ef9425df1a9412d4810d1bc9cbeada6b4129da15492e118af1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40283" "*dbe984e84ff23af911cf29adb0c3f9fe665f873708b5937a44b156846029a43f*",".{0,1000}dbe984e84ff23af911cf29adb0c3f9fe665f873708b5937a44b156846029a43f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40284" "*dbe98c8b66436859514f07786c6903ca2805083615201adc1d1d63d1fa66d14b*",".{0,1000}dbe98c8b66436859514f07786c6903ca2805083615201adc1d1d63d1fa66d14b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40285" "*dbf3490648efe876bd9a98d53e4d9110bf5e02a3914c0dd4b2a48db4a09799b5*",".{0,1000}dbf3490648efe876bd9a98d53e4d9110bf5e02a3914c0dd4b2a48db4a09799b5.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","40288" "*dbf767a606cbb7c653296843204fe570a8b59b622faa3315ecf555ecc6e0803f*",".{0,1000}dbf767a606cbb7c653296843204fe570a8b59b622faa3315ecf555ecc6e0803f.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40291" "*dc0cea82985d2d307bfe4f5bd44736410c481b1d6070bac185b90bf1b53a7e5c*",".{0,1000}dc0cea82985d2d307bfe4f5bd44736410c481b1d6070bac185b90bf1b53a7e5c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - 
LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","40295" "*dc11292f98803ea780d812c6a0cb957a303f0668f36a0fbdf08196c6458a12cc*",".{0,1000}dc11292f98803ea780d812c6a0cb957a303f0668f36a0fbdf08196c6458a12cc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40296" "*dc1c0ca64990cbd3f509f404f6cdef395895bed206de7d320052267586bdf416*",".{0,1000}dc1c0ca64990cbd3f509f404f6cdef395895bed206de7d320052267586bdf416.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40302" "*dc2112e7872f7aabd0548c2c74bcb3c09abda32da66efa287a4c7d5b305bdc6f*",".{0,1000}dc2112e7872f7aabd0548c2c74bcb3c09abda32da66efa287a4c7d5b305bdc6f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40304" "*dc3220af2b22469da26209d4b376858c11160127e83bce09f85cd0c27a44d5d0*",".{0,1000}dc3220af2b22469da26209d4b376858c11160127e83bce09f85cd0c27a44d5d0.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40311" "*dc3544d369e57c44211b4d294186038898043b1b872c4204bf01513bf0635ecf*",".{0,1000}dc3544d369e57c44211b4d294186038898043b1b872c4204bf01513bf0635ecf.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40312"
"*dc3934092975417bf1fb22470daa452b7c1e8aeb82984fe2afb83bc3ea090198*",".{0,1000}dc3934092975417bf1fb22470daa452b7c1e8aeb82984fe2afb83bc3ea090198.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40313" "*dc42d5e6752383656c1cc05459bd10dd9f6a25c3c715a38d1c14dc0391a00982*",".{0,1000}dc42d5e6752383656c1cc05459bd10dd9f6a25c3c715a38d1c14dc0391a00982.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40317" "*dc57b353d32389a0af8a7ccb2054633ac502d899bb5bc9e656e91849215a57a1*",".{0,1000}dc57b353d32389a0af8a7ccb2054633ac502d899bb5bc9e656e91849215a57a1.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","40320" "*dc76f7c6b506d3ec4a92d9a0cda9678c3cb58a9096587dde15897709c7b23a33*",".{0,1000}dc76f7c6b506d3ec4a92d9a0cda9678c3cb58a9096587dde15897709c7b23a33.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared Contains the command-line
client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","40327" "*dc8ddf520783dad3b74770b0ad90d0201b090ef858dee7971825b7e45424f799*",".{0,1000}dc8ddf520783dad3b74770b0ad90d0201b090ef858dee7971825b7e45424f799.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","40332" "*dc91864dd189d8c80a0af5d1ec1078cf26fd921967938a04e55fbf1987871944*",".{0,1000}dc91864dd189d8c80a0af5d1ec1078cf26fd921967938a04e55fbf1987871944.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40336" "*dcb2717dd9c64e62a47b08565d50d43f8be857b9febd6f3a150941f95ce7ba44*",".{0,1000}dcb2717dd9c64e62a47b08565d50d43f8be857b9febd6f3a150941f95ce7ba44.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 
- T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","40341" "*dcb311e963ca2521c5e08f9701c7973043a6af15b7eba73595bc31a43dbd9abb*",".{0,1000}dcb311e963ca2521c5e08f9701c7973043a6af15b7eba73595bc31a43dbd9abb.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","40342" "*dccda6bc37067f48e8efcfdeb8bb67b3a4475ef693bc10228bcba271a24ce5de*",".{0,1000}dccda6bc37067f48e8efcfdeb8bb67b3a4475ef693bc10228bcba271a24ce5de.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","40349" "*dcd12874e909f6f973d17a9a9a4bb2bb5c0eb1dde3c840a01d9b8a2f89217e76*",".{0,1000}dcd12874e909f6f973d17a9a9a4bb2bb5c0eb1dde3c840a01d9b8a2f89217e76.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","40351" "*dce52871edb60f241f17fc6a43f236ab53b4b42813c1af0de929ec261eca2637*",".{0,1000}dce52871edb60f241f17fc6a43f236ab53b4b42813c1af0de929ec261eca2637.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - 
T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40355" "*dd if=/dev/nul*",".{0,1000}dd\sif\=\/dev\/nul.{0,1000}","greyware_tool_keyword","dd","Detects overwriting (effectively wiping/deleting) the file","T1070.004 - T1485","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","40407" "*dd if=/dev/zero*",".{0,1000}dd\sif\=\/dev\/zero.{0,1000}","greyware_tool_keyword","dd","Detects overwriting (effectively wiping/deleting) the file","T1070.004 - T1485","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","40408" "*dd01f5fd5874d12b64228e10f0e91d849837797160d83b91ad230c3caaa40ff6*",".{0,1000}dd01f5fd5874d12b64228e10f0e91d849837797160d83b91ad230c3caaa40ff6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40409" 
"*dd13203ab3267c855d002587f7be0509403d9d199f3b8f1f482b275189bc203d*",".{0,1000}dd13203ab3267c855d002587f7be0509403d9d199f3b8f1f482b275189bc203d.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","40414" "*dd174e6ae3e31d412415793d6673f25c1ea4fac29a8893fe28ff378a928d1c0f*",".{0,1000}dd174e6ae3e31d412415793d6673f25c1ea4fac29a8893fe28ff378a928d1c0f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40418" "*dd177de3063581532bfbdb69d3e9fd8e14ceb99c6024b8b834f3ee39a41c4e51*",".{0,1000}dd177de3063581532bfbdb69d3e9fd8e14ceb99c6024b8b834f3ee39a41c4e51.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40419" "*dd1de5874d1287a59c05bcc7c8c298c9efaaf7b3471bc6baf9f3ed645951313d*",".{0,1000}dd1de5874d1287a59c05bcc7c8c298c9efaaf7b3471bc6baf9f3ed645951313d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","40420" "*dd2eb9c46d44cf9f19ebc8f66878d1d83d57577e2db6385e16df68a28557cd89*",".{0,1000}dd2eb9c46d44cf9f19ebc8f66878d1d83d57577e2db6385e16df68a28557cd89.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40422" "*dd3e4227210af530698b5669fda6ca0e604cf23aeeb5693f9f700aa9bce6256d*",".{0,1000}dd3e4227210af530698b5669fda6ca0e604cf23aeeb5693f9f700aa9bce6256d.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","40427" 
"*dd420764e615be9eeca958d60c1adf0e7ed806d2de93f9638b5af105ffd7f007*",".{0,1000}dd420764e615be9eeca958d60c1adf0e7ed806d2de93f9638b5af105ffd7f007.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40430" "*dd4a876937f29c0732fe28b12d83372eab31a776a0a5c59f774190163bc6d442*",".{0,1000}dd4a876937f29c0732fe28b12d83372eab31a776a0a5c59f774190163bc6d442.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","40432" "*dd518c110de3900f1df5bc5b042508e85ece12f4906e5868803e1a00fc2aa2ac*",".{0,1000}dd518c110de3900f1df5bc5b042508e85ece12f4906e5868803e1a00fc2aa2ac.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40434" "*dd53ac86689c6ca265dd0d8f1034e7abd37a250cb947cb086c7118696d4e3ec3*",".{0,1000}dd53ac86689c6ca265dd0d8f1034e7abd37a250cb947cb086c7118696d4e3ec3.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40435" "*dd550c264f7af33bca01b0e32d4504e8e69b0b7ab99b472d8b59b818c83b7b96*",".{0,1000}dd550c264f7af33bca01b0e32d4504e8e69b0b7ab99b472d8b59b818c83b7b96.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","40436" "*dd625dc8684d4a9a60e5aea80ec9379841cc80f2c60e40d9737c89de5b32fb04*",".{0,1000}dd625dc8684d4a9a60e5aea80ec9379841cc80f2c60e40d9737c89de5b32fb04.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","40439" "*dd71ab6e67f428fbef9937631774ab3cb08102fde4f9cc4ec5a8c27e29a18a65*",".{0,1000}dd71ab6e67f428fbef9937631774ab3cb08102fde4f9cc4ec5a8c27e29a18a65.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","40443" 
"*dd781cfd710345cca2df4d306245298efb61dc447d8004dd5542c1b2083e39a7*",".{0,1000}dd781cfd710345cca2df4d306245298efb61dc447d8004dd5542c1b2083e39a7.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40445" "*dd7fef5e3594eb18dd676e550e128d4b64cc5a469ff6954a677dc414265db468*",".{0,1000}dd7fef5e3594eb18dd676e550e128d4b64cc5a469ff6954a677dc414265db468.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","40448" "*dd8057968d3560e9ecb42b2ed50b796ec09573d5263f689c8e0633a8b8a7127a*",".{0,1000}dd8057968d3560e9ecb42b2ed50b796ec09573d5263f689c8e0633a8b8a7127a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40449" "*dd90d845a111bc52b3d81dd597c5eaf0ef41d2278383a668f8932d8faefccbda*",".{0,1000}dd90d845a111bc52b3d81dd597c5eaf0ef41d2278383a668f8932d8faefccbda.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense 
Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","#filehash","N/A","8","10","N/A","N/A","N/A","N/A","40455" "*dd9f9362f115314d3ba6b5eb8e49128fd5052e195a679caae0729640ef42d95f*",".{0,1000}dd9f9362f115314d3ba6b5eb8e49128fd5052e195a679caae0729640ef42d95f.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","#filehash","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","40462" "*dda4a8958cfd93dd0262179e2a004fadcd37bb7f6fb6f380aa2751a03e249c6c*",".{0,1000}dda4a8958cfd93dd0262179e2a004fadcd37bb7f6fb6f380aa2751a03e249c6c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40464" "*dda6b391a168711d19c4499aba12c914e222dd053def0c21d054d66c53226bcc*",".{0,1000}dda6b391a168711d19c4499aba12c914e222dd053def0c21d054d66c53226bcc.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","40465" 
"*ddc7e4a39c307d93871a3198d2e888e697a0106b5ebc7002e9361d0f49ba2b21*",".{0,1000}ddc7e4a39c307d93871a3198d2e888e697a0106b5ebc7002e9361d0f49ba2b21.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","#filehash","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","40472" "*ddcefa1ee3f141a9cee6d2e6e03c3c33bfd9a3db08cc1b3d41e4c7b72e4989ba*",".{0,1000}ddcefa1ee3f141a9cee6d2e6e03c3c33bfd9a3db08cc1b3d41e4c7b72e4989ba.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40475" "*ddf89e5b9fd98708bf83fb8bbfb3c7baed2d5183035bfc0c794507d509235072*",".{0,1000}ddf89e5b9fd98708bf83fb8bbfb3c7baed2d5183035bfc0c794507d509235072.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40486" "*ddfa313aa3d4038579635361c32c98d8a885e8e9b7f53224dd0df22b42fa618d*",".{0,1000}ddfa313aa3d4038579635361c32c98d8a885e8e9b7f53224dd0df22b42fa618d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40487" "*ddfb0598ad97db5738e82403d0e932d2df9591e7e2998f425b56360b75d56c71*",".{0,1000}ddfb0598ad97db5738e82403d0e932d2df9591e7e2998f425b56360b75d56c71.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","40488" "*de00ce580104a4afe01a1294a554d922103cf5a048708d022b3c231c5d841779*",".{0,1000}de00ce580104a4afe01a1294a554d922103cf5a048708d022b3c231c5d841779.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","40497" "*de04a4f93837236a62fcd753c4ae7f64ebdbd8880ee2faffd0b950dcc2bc744b*",".{0,1000}de04a4f93837236a62fcd753c4ae7f64ebdbd8880ee2faffd0b950dcc2bc744b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","40498" "*de10b700cffb64956f55e044a9ce830d9b775af10560b54f21b2fc125c801618*",".{0,1000}de10b700cffb64956f55e044a9ce830d9b775af10560b54f21b2fc125c801618.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","40502" "*de3397d1084686a5ab9f82fae2aa65f417cef7d7c2cc12f7eb9da51c0a404de6*",".{0,1000}de3397d1084686a5ab9f82fae2aa65f417cef7d7c2cc12f7eb9da51c0a404de6.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40505" "*de3f8129b3a84690c971d6f79a1ce6de1d172801d966604390e3f16c377100ef*",".{0,1000}de3f8129b3a84690c971d6f79a1ce6de1d172801d966604390e3f16c377100ef.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40508" "*de4038e39b557638be260ddeb85bf3e6e806aef81ac07b681b0303414baf99bd*",".{0,1000}de4038e39b557638be260ddeb85bf3e6e806aef81ac07b681b0303414baf99bd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40509" 
"*de4be9f031e2d9d10bcc70a409aaa0e5d311460828d2c6a5404deaa4f7da98ea*",".{0,1000}de4be9f031e2d9d10bcc70a409aaa0e5d311460828d2c6a5404deaa4f7da98ea.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","40511" "*de6262f886175411573c98fe2d5838449b4fc2472a07748964159a468ed0ccdf*",".{0,1000}de6262f886175411573c98fe2d5838449b4fc2472a07748964159a468ed0ccdf.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40515" "*de63f778f0650db9c0c00c3772d7f87a6c21ca64e1249e55392ecbeb9bc352a3*",".{0,1000}de63f778f0650db9c0c00c3772d7f87a6c21ca64e1249e55392ecbeb9bc352a3.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40516" "*de777ae5bdfb563ee399e8a82ef9935b79a79b4ca481fa25206693258b1af5e7*",".{0,1000}de777ae5bdfb563ee399e8a82ef9935b79a79b4ca481fa25206693258b1af5e7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40520" "*de7cab0e59a003edd943523dfefa1d038ee1edd914548625fa97324ce680516b*",".{0,1000}de7cab0e59a003edd943523dfefa1d038ee1edd914548625fa97324ce680516b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","40522" "*de9c3e61bc6fd881bf70235f0cb50091076f714734045cf5602926c8945f7aa6*",".{0,1000}de9c3e61bc6fd881bf70235f0cb50091076f714734045cf5602926c8945f7aa6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40526" "*dea0f108ba1485baca081dcb34a83c472a0bfa75e4f8483d3c2fce06229fb06b*",".{0,1000}dea0f108ba1485baca081dcb34a83c472a0bfa75e4f8483d3c2fce06229fb06b.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40527" 
"*dea4f15255d1b7f31845c80e1a49ace858044561465d60e5d8bbc029a404b150*",".{0,1000}dea4f15255d1b7f31845c80e1a49ace858044561465d60e5d8bbc029a404b150.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","40528" "*debbc69c2926f0062b8243a484cd5710c6ba290f738e26a6e6ff403c3a536843*",".{0,1000}debbc69c2926f0062b8243a484cd5710c6ba290f738e26a6e6ff403c3a536843.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","40537" "*debdf9b5cd864002a9a44b75be3d7be91cfb09a5aedc31b1d0492d0ee98410e2*",".{0,1000}debdf9b5cd864002a9a44b75be3d7be91cfb09a5aedc31b1d0492d0ee98410e2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40539" "*debugfs /dev/*",".{0,1000}debugfs\s\/dev\/.{0,1000}","greyware_tool_keyword","debugdfs","Linux SIEM Bypass with debugdfs shell","T1059 - T1053 - T1037","TA0008 - TA0002","N/A","N/A","Credential 
Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","40549" "*dec4ee8bffdeb1c87164239a4104760f440b6399fefc897edd37f7094ebeb87c*",".{0,1000}dec4ee8bffdeb1c87164239a4104760f440b6399fefc897edd37f7094ebeb87c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","40558" "*dec51bba37da4ecf4df8994cb21931fdfcc4f661c362cb8392f44229d42ef337*",".{0,1000}dec51bba37da4ecf4df8994cb21931fdfcc4f661c362cb8392f44229d42ef337.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","40559" "*deda21817db09e3239b1cd5be4b8bfdeb8a603a285b72169927c246970b99b00*",".{0,1000}deda21817db09e3239b1cd5be4b8bfdeb8a603a285b72169927c246970b99b00.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40605" "*dedc5cd6e34d8636eab14c6ea858d1b83de7b546b69eb5538ea6a2ec69a8b5d5*",".{0,1000}dedc5cd6e34d8636eab14c6ea858d1b83de7b546b69eb5538ea6a2ec69a8b5d5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40607" "*def06c3e5b0c881be0f66be65c9e78fd8d867d42acc12e60a290a6a76c2b4d77*",".{0,1000}def06c3e5b0c881be0f66be65c9e78fd8d867d42acc12e60a290a6a76c2b4d77.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40623" "*def14719031db5f38976c4b41b7d303f5ddb1dd59a31183094873cdcfc1242c0*",".{0,1000}def14719031db5f38976c4b41b7d303f5ddb1dd59a31183094873cdcfc1242c0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40624" "*def26f6de141f3f90c975923f007cd0acf66422357d9dc78bbb2bdba3f7184a5*",".{0,1000}def26f6de141f3f90c975923f007cd0acf66422357d9dc78bbb2bdba3f7184a5.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","40625" "*def48c83f905c40247c041df1797df5ee70a2b233f15f559df160960edbb150f*",".{0,1000}def48c83f905c40247c041df1797df5ee70a2b233f15f559df160960edbb150f.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40627" 
"*def7512aaa595d7cad9b2e237a0ee99e778bbae0a30dd2eba75d099fc80f310f*",".{0,1000}def7512aaa595d7cad9b2e237a0ee99e778bbae0a30dd2eba75d099fc80f310f.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#filehash","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","40628" "*DEFAULT\Software\AeroAdmin*",".{0,1000}DEFAULT\\Software\\AeroAdmin.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","40634" "*define RemComSVCEXE*",".{0,1000}define\sRemComSVCEXE.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","40671" "*del %userprofile%\documents\Default.rdp*",".{0,1000}del\s\%userprofile\%\\documents\\Default\.rdp.{0,1000}","greyware_tool_keyword","del","CleanRDP.bat script erasing RDP traces used by Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40673" "*del /f /s /q /a %AppData%*",".{0,1000}del\s\/f\s\/s\s\/q\s\/a\s\%AppData\%.{0,1000}","greyware_tool_keyword","del","CleanRDP.bat script erasing RDP traces used by 
Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40689" "*del Default.rdp*",".{0,1000}del\sDefault\.rdp.{0,1000}","greyware_tool_keyword","del","removes the Default.rdp file likely to erase evidence of RDP connections","T1070.004","TA0005","N/A","N/A","Defense Evasion","https://github.com/xiaoy-sec/Pentest_Note/blob/52156f816f0c2497c25343c2e872130193acca80/wiki/%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/Windows%E6%8F%90%E6%9D%83/RDP%26Firewall/%E5%88%A0%E9%99%A4%E7%97%95%E8%BF%B9.md?plain=1#L4","1","0","N/A","N/A","10","10","3875","951","2023-05-22T03:50:57Z","2020-06-15T02:58:36Z","40713" "*delbasiD epyTputratS- *",".{0,1000}delbasiD\sepyTputratS\-\s.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40716" "*Description=Monero miner service*",".{0,1000}Description\=Monero\sminer\sservice.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","40753" "*'Description'>Dameware products*",".{0,1000}\'Description\'\>Dameware\sproducts\<\/Data\>.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","40754" "*Description'>PAExec Application*",".{0,1000}Description\'\>PAExec\sApplication.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a 
freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","40756" "*'Description'>VNC server*",".{0,1000}\'Description\'\>VNC\sserver\<\/Data\>.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40757" "*Desktop\AnyDesk.lnk*",".{0,1000}Desktop\\AnyDesk\.lnk.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","40762" "*'Details'>paexec application*",".{0,1000}\'Details\'\>paexec\sapplication.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","#registry","registry value","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","40767" "*Detection may be stuck, First confirm whether the device hijack in *",".{0,1000}Detection\smay\sbe\sstuck,\sFirst\sconfirm\swhether\sthe\sdevice\shijack\sin\s.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - 
T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","40773" "*device.remote.it*",".{0,1000}device\.remote\.it.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","40778" "*devtunnel create *",".{0,1000}devtunnel\screate\s.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","40780" "*devtunnel host -p *",".{0,1000}devtunnel\shost\s\-p\s.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","40781" "*devtunnel user login*",".{0,1000}devtunnel\suser\slogin.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","40782" "*devtunnel* user login -*",".{0,1000}devtunnel.{0,1000}\suser\slogin\s\-.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","40783" "*devtunnel.exe *",".{0,1000}devtunnel\.exe\s.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","40784" "*devtunnel.exe*host -p *",".{0,1000}devtunnel\.exe.{0,1000}host\s\-p\s.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","40785" "*df0a51bf7623a3d0c67f707feb0a086fd15d08a6e0413392fca280e540854fce*",".{0,1000}df0a51bf7623a3d0c67f707feb0a086fd15d08a6e0413392fca280e540854fce.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40788" "*df132038b69a2e69319d01d79c7523cc7d97399d2134fd555484e52f760a7778*",".{0,1000}df132038b69a2e69319d01d79c7523cc7d97399d2134fd555484e52f760a7778.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40792" "*df1b9ddfb57a7fa9b93b250a689e392171764364ff929a701e7a2df763904b78*",".{0,1000}df1b9ddfb57a7fa9b93b250a689e392171764364ff929a701e7a2df763904b78.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring 
VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","#filehash","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","40794" "*df1ecdc0031475f4481f32911d5222f265ca016bc23a2ce5febe24339f473c02*",".{0,1000}df1ecdc0031475f4481f32911d5222f265ca016bc23a2ce5febe24339f473c02.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","40796" "*DF1F9EF7E4D85B0CEAD7F286C16E0DB63A3742F927248B35D4EFDD3E3554A079*",".{0,1000}DF1F9EF7E4D85B0CEAD7F286C16E0DB63A3742F927248B35D4EFDD3E3554A079.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","40797" "*df278eebd151b6ff62ceae968e3a4203a58d447712ec3fdb62551b25299a61e1*",".{0,1000}df278eebd151b6ff62ceae968e3a4203a58d447712ec3fdb62551b25299a61e1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40798" "*df2bca8190a27477227f92a6825dce00fda7e2f5c2a2a3da67638b016ff62502*",".{0,1000}df2bca8190a27477227f92a6825dce00fda7e2f5c2a2a3da67638b016ff62502.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40799" "*df331b6bcc463f2caae8c4d892f473e2a4a37a8970cc8e38a776735d6feaa140*",".{0,1000}df331b6bcc463f2caae8c4d892f473e2a4a37a8970cc8e38a776735d6feaa140.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40803" "*df37d932eb846e608187b0aca6d182467ff24c548a044b9206a93913ec93c752*",".{0,1000}df37d932eb846e608187b0aca6d182467ff24c548a044b9206a93913ec93c752.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40806" "*df39fd5831826cb988eb5bfdfb4a98ca75eda8c03f6acdc286a7741448849c9b*",".{0,1000}df39fd5831826cb988eb5bfdfb4a98ca75eda8c03f6acdc286a7741448849c9b.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","40807" 
"*df52291409a56fd512402124a94b51dda27c0b5caf2c93d36932e6ce2268bb3c*",".{0,1000}df52291409a56fd512402124a94b51dda27c0b5caf2c93d36932e6ce2268bb3c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","40811" "*df557d2f31842b7476600808e4582cd1e0e28580747275b9021c78cce7d4e9f8*",".{0,1000}df557d2f31842b7476600808e4582cd1e0e28580747275b9021c78cce7d4e9f8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40812" "*df5b10dce307f6a8cbec606b0eaaf11dff457a5cc46c1b16f62cd29d39e610a1*",".{0,1000}df5b10dce307f6a8cbec606b0eaaf11dff457a5cc46c1b16f62cd29d39e610a1.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash 
#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","40813" "*df63a02d4cf67f0dde9d0b86b7206da34acbd5519103d475c0812e3104e258f7*",".{0,1000}df63a02d4cf67f0dde9d0b86b7206da34acbd5519103d475c0812e3104e258f7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40815" "*df7356db409cc406294211063bf387a8b590289370811b1d10d6fdd1023c3250*",".{0,1000}df7356db409cc406294211063bf387a8b590289370811b1d10d6fdd1023c3250.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40821" "*df7cb781f9310ee813100f683eed73260d4e235e6055b26cbddd798e29ae386f*",".{0,1000}df7cb781f9310ee813100f683eed73260d4e235e6055b26cbddd798e29ae386f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 
8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40824" "*df8a6b5079a27c69eba33a8aead354e5a83773df80debba30b3d39f3b90085f4*",".{0,1000}df8a6b5079a27c69eba33a8aead354e5a83773df80debba30b3d39f3b90085f4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40826" "*dfb21c50807a7fe098be6e333af0807a1b22f67abf42e036d06f06d594a01fbc*",".{0,1000}dfb21c50807a7fe098be6e333af0807a1b22f67abf42e036d06f06d594a01fbc.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","40832" "*dfb3aea9e6fe5eccecfaf6e280416d9c93b0b2d89a0094cb83e19002197c851b*",".{0,1000}dfb3aea9e6fe5eccecfaf6e280416d9c93b0b2d89a0094cb83e19002197c851b.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40833" "*dfb7cd69256fb8b7d188f6819643ec10475b489c7d82c1950480e7b96f20116a*",".{0,1000}dfb7cd69256fb8b7d188f6819643ec10475b489c7d82c1950480e7b96f20116a.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","40835" "*dfca25f7d51972cf38fe3340b8e9967c67532d5bc6d776c0284b741433c94184*",".{0,1000}dfca25f7d51972cf38fe3340b8e9967c67532d5bc6d776c0284b741433c94184.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","40839" "*dfd2a510010aa652da30a1d05de760782d9e7dc8598ff9f1f3d4da2d734269cf*",".{0,1000}dfd2a510010aa652da30a1d05de760782d9e7dc8598ff9f1f3d4da2d734269cf.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","40841" "*dfd7bc3410c018dc8bcf897696ddfb10e7aaf5a584b8220ae3949ec87205ea4c*",".{0,1000}dfd7bc3410c018dc8bcf897696ddfb10e7aaf5a584b8220ae3949ec87205ea4c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","40844" "*DFE11C77-62FA-4011-8398-38626C02E382*",".{0,1000}DFE11C77\-62FA\-4011\-8398\-38626C02E382.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","40847" "*dfedf8e6a6cdb480ee00545da5e7d5370b5b7057d0b274f3a6f9cf4a192a87e6*",".{0,1000}dfedf8e6a6cdb480ee00545da5e7d5370b5b7057d0b274f3a6f9cf4a192a87e6.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral Movement","https://github.com/humphd/VncSharp","1","0","#filehash","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","40849" "*dff7e5c9de46a140ab872e56ef4a68533fa916b501290c7bbff09428622cddde*",".{0,1000}dff7e5c9de46a140ab872e56ef4a68533fa916b501290c7bbff09428622cddde.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","40852" 
"*dffc17b4b0f9c841d94802e2c9578758dbb52ca1ab967a506992c26aabecc43a*",".{0,1000}dffc17b4b0f9c841d94802e2c9578758dbb52ca1ab967a506992c26aabecc43a.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#filehash","high false positive risk","4","5","N/A","N/A","N/A","N/A","40853" "*dffda71c77c271cafc2f77aa007daea58f32a3562da3a3b924701117c058a336*",".{0,1000}dffda71c77c271cafc2f77aa007daea58f32a3562da3a3b924701117c058a336.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","40854" "*dfkdflfgjdajbhocmfjolpjbebdkcjog*",".{0,1000}dfkdflfgjdajbhocmfjolpjbebdkcjog.{0,1000}","greyware_tool_keyword","Free Avira Phantom VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","40856" "*d-h.st/users/powertool*",".{0,1000}d\-h\.st\/users\/powertool.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to desactive Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense 
Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40866" "*dhadilbmmjiooceioladdphemaliiobo*",".{0,1000}dhadilbmmjiooceioladdphemaliiobo.{0,1000}","greyware_tool_keyword","Free Proxy VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","40867" "*dig * axfr *@*",".{0,1000}dig\s.{0,1000}\saxfr\s.{0,1000}\@.{0,1000}","greyware_tool_keyword","dig","classic DNS Zone transfer request. The idea behind it is to attempt to duplicate all the DNS records for a given zone (or domain). This is a technique often used by attackers to gather information about the infrastructure of a target organization.","T1018","TA0007","N/A","N/A","Reconnaissance","https://linux.die.net/man/1/dig","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","40883" "*dig *@* axfr*",".{0,1000}dig\s.{0,1000}\@.{0,1000}\saxfr.{0,1000}","greyware_tool_keyword","dig","classic DNS Zone transfer request. The idea behind it is to attempt to duplicate all the DNS records for a given zone (or domain). 
This is a technique often used by attackers to gather information about the infrastructure of a target organization.","T1018","TA0007","N/A","N/A","Reconnaissance","https://linux.die.net/man/1/dig","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","40884" "*dig axfr * @*",".{0,1000}dig\saxfr\s.{0,1000}\s\@.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","40885" "*dir /a /b c:\windows\kb*",".{0,1000}dir\s\/a\s\/b\sc\:\\windows\\kb.{0,1000}","greyware_tool_keyword","dir","lists files and directories in the c:\windows\kb directory related to updates or system configurations","T1059.003 - T1083 - T1106","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","40900" "*dir /a C:\pagefile.sys | findstr /R *",".{0,1000}dir\s\/a\sC\:\\pagefile\.sys\s\|\sfindstr\s\/R\s.{0,1000}","greyware_tool_keyword","findstr","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","N/A","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","40901" "*dir /a:h C:\Users\*\AppData\Local\Microsoft\Credentials\*",".{0,1000}dir\s\/a\:h\sC\:\\Users\\.{0,1000}\\AppData\\Local\\Microsoft\\Credentials\\.{0,1000}","greyware_tool_keyword","dir","Find Potential Credential in Files - This directory often contains encrypted credentials or other sensitive files related to user accounts","T1005 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40902" "*dir /a:h C:\Users\*\AppData\Roaming\Microsoft\Credentials\*",".{0,1000}dir\s\/a\:h\sC\:\\Users\\.{0,1000}\\AppData\\Roaming\\Microsoft\\Credentials\\.{0,1000}","greyware_tool_keyword","dir","Find Potential Credential in Files - This directory often contains encrypted credentials or other sensitive files related to user accounts","T1005 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","40903" "*dir /b /ad ""C:\Users""*",".{0,1000}dir\s\/b\s\/ad\s\""C\:\\Users\"".{0,1000}","greyware_tool_keyword","dir","List Users with dir","T1087 - T1033","TA0005 - TA0007","N/A","N/A","Discovery","https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","40904" "*dir /b/a %appdata%\Microsoft\Credentials\ 2>nul*",".{0,1000}dir\s\/b\/a\s\%appdata\%\\Microsoft\\Credentials\\\s2\>nul.{0,1000}","greyware_tool_keyword","dir","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege 
Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","40905" "*dir /b/a %localappdata%\Microsoft\Credentials\ 2>nul*",".{0,1000}dir\s\/b\/a\s\%localappdata\%\\Microsoft\\Credentials\\\s2\>nul.{0,1000}","greyware_tool_keyword","dir","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","40907" "*dir C:\Users\*\AppData\Local\Microsoft\Credentials*",".{0,1000}dir\sC\:\\Users\\.{0,1000}\\AppData\\Local\\Microsoft\\Credentials.{0,1000}","greyware_tool_keyword","dir","Find the IDs of protected secrets for a specific user","T1552 - T1552.004","TA0006 - TA0007","N/A","N/A","Discovery","https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","40909" "*Disable-AADIntTenantMsolAccess*",".{0,1000}Disable\-AADIntTenantMsolAccess.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","40951" "*Disable-LdapClientWinEvent -ProcessName *",".{0,1000}Disable\-LdapClientWinEvent\s\-ProcessName\s.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - 
TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","40975" "*disk2vhd.exe*",".{0,1000}disk2vhd\.exe.{0,1000}","greyware_tool_keyword","Disk2vhd","convert physical disks into Virtual Hard Disk (VHD) files -attackers can leverage it for Collection","T1560.002 - T1012 - T1560.003","TA0005 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","8","4","N/A","N/A","N/A","N/A","41032" "*Disk2vhd.zip*",".{0,1000}Disk2vhd\.zip.{0,1000}","greyware_tool_keyword","Disk2vhd","convert physical disks into Virtual Hard Disk (VHD) files -attackers can leverage it for Collection","T1560.002 - T1012 - T1560.003","TA0005 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","8","4","N/A","N/A","N/A","N/A","41033" "*disk2vhd64.exe*",".{0,1000}disk2vhd64\.exe.{0,1000}","greyware_tool_keyword","Disk2vhd","convert physical disks into Virtual Hard Disk (VHD) files -attackers can leverage it for Collection","T1560.002 - T1012 - T1560.003","TA0005 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","8","4","N/A","N/A","N/A","N/A","41034" "*diskshadow /s *",".{0,1000}diskshadow\s\/s\s.{0,1000}","greyware_tool_keyword","diskshadow","diskshadow.exe abused by attackers with a script to create a VSS on a DC or delete the shadow copies on the systems","T1003 - T1084 - T1070","TA0006 - TA0007 - TA0005","N/A","BlackBasta","Credential Access","https://x.com/SecurityAura/status/1869579192905703735","1","0","N/A","could be legitimate scripts","10","10","N/A","N/A","N/A","N/A","41040" "*diskshadow list shadows all*",".{0,1000}diskshadow\slist\sshadows\sall.{0,1000}","greyware_tool_keyword","diskshadow","List shadow copies using diskshadow","T1059.003 - T1059.001 - T1005","TA0002 - TA0005 - TA0010","N/A","N/A","discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41041" "*diskshadow -s 
*",".{0,1000}diskshadow\s\-s\s.{0,1000}","greyware_tool_keyword","diskshadow","diskshadow.exe abused by attackers with a script to create a VSS on a DC or delete the shadow copies on the systems","T1003 - T1084 - T1070","TA0006 - TA0007 - TA0005","N/A","BlackBasta","Credential Access","https://x.com/SecurityAura/status/1869579192905703735","1","0","N/A","could be legitimate scripts","10","10","N/A","N/A","N/A","N/A","41042" "*diskshadow.exe /s *",".{0,1000}diskshadow\.exe\s\/s\s.{0,1000}","greyware_tool_keyword","diskshadow","diskshadow.exe abused by attackers with a script to create a VSS on a DC or delete the shadow copies on the systems","T1003 - T1084 - T1070","TA0006 - TA0007 - TA0005","N/A","BlackBasta","Credential Access","https://x.com/SecurityAura/status/1869579192905703735","1","0","N/A","could be legitimate scripts","10","10","N/A","N/A","N/A","N/A","41043" "*diskshadow.exe list shadows all*",".{0,1000}diskshadow\.exe\slist\sshadows\sall.{0,1000}","greyware_tool_keyword","diskshadow","List shadow copies using diskshadow","T1059.003 - T1059.001 - T1005","TA0002 - TA0005 - TA0010","N/A","N/A","discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41044" "*diskshadow.exe -s *",".{0,1000}diskshadow\.exe\s\-s\s.{0,1000}","greyware_tool_keyword","diskshadow","diskshadow.exe abused by attackers with a script to create a VSS on a DC or delete the shadow copies on the systems","T1003 - T1084 - T1070","TA0006 - TA0007 - TA0005","N/A","BlackBasta","Credential Access","https://x.com/SecurityAura/status/1869579192905703735","1","0","N/A","could be legitimate scripts","10","10","N/A","N/A","N/A","N/A","41045" "*diskshadow.exe"" /s *",".{0,1000}diskshadow\.exe\""\s\/s\s.{0,1000}","greyware_tool_keyword","diskshadow","diskshadow.exe abused by attackers with a script to create a VSS on a DC or delete the shadow copies on the systems","T1003 - T1084 - T1070","TA0006 - TA0007 - TA0005","N/A","BlackBasta","Credential 
Access","https://x.com/SecurityAura/status/1869579192905703735","1","0","N/A","could be legitimate scripts","10","10","N/A","N/A","N/A","N/A","41046" "*diskshadow.exe"" list shadows all*",".{0,1000}diskshadow\.exe\""\slist\sshadows\sall.{0,1000}","greyware_tool_keyword","diskshadow","List shadow copies using diskshadow","T1059.003 - T1059.001 - T1005","TA0002 - TA0005 - TA0010","N/A","N/A","discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41047" "*diskshadow.exe"" -s *",".{0,1000}diskshadow\.exe\""\s\-s\s.{0,1000}","greyware_tool_keyword","diskshadow","diskshadow.exe abused by attackers with a script to create a VSS on a DC or delete the shadow copies on the systems","T1003 - T1084 - T1070","TA0006 - TA0007 - TA0005","N/A","BlackBasta","Credential Access","https://x.com/SecurityAura/status/1869579192905703735","1","0","N/A","could be legitimate scripts","10","10","N/A","N/A","N/A","N/A","41048" "*dism /online /enable-feature /featurename:IIS-WebServerRole /all*",".{0,1000}dism\s\s\/online\s\/enable\-feature\s\/featurename\:IIS\-WebServerRole\s\/all.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access feature which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","41049" "*dism /online /enable-feature /featurename:WindowsPowerShellWebAccess /all*",".{0,1000}dism\s\s\/online\s\/enable\-feature\s\/featurename\:WindowsPowerShellWebAccess\s\/all.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access feature which could be used for remote access and potential","T1548.002 - 
T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","41050" "*dism.exe*/enable-feature*WindowsPowerShellWebAccess *",".{0,1000}dism\.exe.{0,1000}\/enable\-feature.{0,1000}WindowsPowerShellWebAccess\s.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access feature which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","41051" "*DisplayName -match ""Sophos Anti-Virus""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sAnti\-Virus\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41053" "*DisplayName -match ""Sophos AutoUpdate""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sAutoUpdate\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41054" "*DisplayName -match ""Sophos Client Firewall""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sClient\sFirewall\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense 
Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41055" "*DisplayName -match ""Sophos Endpoint Defense""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sEndpoint\sDefense\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41056" "*DisplayName -match ""Sophos Network Threat Protection""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sNetwork\sThreat\sProtection\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41057" "*DisplayName -match ""Sophos Remote Management System""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sRemote\sManagement\sSystem\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41058" "*DisplayName -match ""Sophos System Protection""*",".{0,1000}DisplayName\s\-match\s\""Sophos\sSystem\sProtection\"".{0,1000}","greyware_tool_keyword","powershell","Uninstall Sophos - searching for the name","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","41059" "*dl.wireshark.org*",".{0,1000}dl\.wireshark\.org.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & 
Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","41089" "*dmsetup create base < ~/.bash_history*",".{0,1000}echo\s\'\'\s\>\s\~\/\.bash_history.{0,1000}","greyware_tool_keyword","echo","delete bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","42680" "*echo """" > /var/log/auth.log *",".{0,1000}echo\s\""\s\>\s\/var\/log\/auth\.log\s.{0,1000}","greyware_tool_keyword","echo","covering history tracks on linux system","T1070 - T1070.001 - T1070.004 - T1070.003 - T1070.002","TA0005 - TA0043","N/A","N/A","Defense Evasion","https://rosesecurity.gitbook.io/red-teaming-ttps/linux","1","0","#linux","risk of False positive","10","10","N/A","N/A","N/A","N/A","42681" "*echo """" > /var/log/cron*",".{0,1000}echo\s\""\s\>\s\/var\/log\/cron.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42682" "*echo """" > /var/log/secure*",".{0,1000}echo\s\""\s\>\s\/var\/log\/secure.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42683" "*echo """" > /var/log/wtmp*",".{0,1000}echo\s\""\s\>\s\/var\/log\/wtmp.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42684" "*echo """" > /var/spool/mail/root*",".{0,1000}echo\s\""\s\>\s\/var\/spool\/mail\/root.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42685" "*echo * 
.bash_history*",".{0,1000}echo\s.{0,1000}\s\.bash_history.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","42690" "*echo * /home/*/.bash_history*",".{0,1000}echo\s.{0,1000}\s\/home\/.{0,1000}\/\.bash_history.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","42691" "*echo * /root/.bash_history*",".{0,1000}echo\s.{0,1000}\s\/root\/\.bash_history.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","42692" "*echo * ALL=(ALL) NOPASSWD: ALL* >>/etc/sudoers*",".{0,1000}echo\s.{0,1000}\sALL\=\(ALL\)\sNOPASSWD\:\sALL.{0,1000}\s\>\>\/etc\/sudoers.{0,1000}","greyware_tool_keyword","sudoers","use SUDO without password","T1548.002 - 
T1059.004 - T1078.004","TA0004 - TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","N/A","8","10","N/A","N/A","N/A","N/A","42694" "*echo * ALL=NOPASSWD: /bin/bash* >>/etc/sudoers*",".{0,1000}echo\s.{0,1000}\sALL\=NOPASSWD\:\s\/bin\/bash.{0,1000}\s\>\>\/etc\/sudoers.{0,1000}","greyware_tool_keyword","sudoers","use SUDO without password","T1548.002 - T1059.004 - T1078.004","TA0004 - TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","N/A","8","10","N/A","N/A","N/A","N/A","42695" "*echo *%sudo ALL=(ALL) NOPASSWD: ALL* >> /etc/sudoers*",".{0,1000}echo\s.{0,1000}\%sudo\s\sALL\=\(ALL\)\sNOPASSWD\:\sALL.{0,1000}\s\>\>\s\/etc\/sudoers.{0,1000}","greyware_tool_keyword","sudo","Sudo Persistence via sudoers file","T1078 - T1166","TA0003","N/A","N/A","Persistence","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","42696" "*echo *::0:0::/root:/bin/bash* >>/etc/passwd*",".{0,1000}echo\s.{0,1000}\:\:0\:0\:\:\/root\:\/bin\/bash.{0,1000}\s\>\>\/etc\/passwd.{0,1000}","greyware_tool_keyword","bash","add a passwordless user ","T1136.001 - T1059.004 - T1078.004","TA0005 - TA0002 - TA0004","N/A","N/A","Persistence","N/A","1","0","#linux","N/A","8","8","N/A","N/A","N/A","N/A","42698" "*echo *APT::Update::Pre-Invoke *nohup ncat -lvp * -e /bin/bash * > /etc/apt/apt.conf.d/*",".{0,1000}echo\s.{0,1000}APT\:\:Update\:\:Pre\-Invoke\s.{0,1000}nohup\sncat\s\-lvp\s.{0,1000}\s\-e\s\/bin\/bash\s.{0,1000}\s\>\s\/etc\/apt\/apt\.conf\.d\/.{0,1000}","greyware_tool_keyword","bash","Backdooring APT","T1059.004 - T1574.001 - T1027","TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","42699" "*echo *bailing. 
try a different name\*",".{0,1000}echo\s.{0,1000}bailing\.\stry\sa\sdifferent\sname\\.{0,1000}","greyware_tool_keyword","tmpwatch","Equation Group hack tool set command exploitation- tmpwatch - removes files which haven't been accessed for a period of time","T1070.004 - T1059 - T1047","TA0007 - TA0002 - TA0040","N/A","N/A","Malware","https://linux.die.net/man/8/tmpwatch","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","42700" "*echo *bash -c *bash -i >& /dev/tcp/*/* >> /etc/update-motd.d/00-header*",".{0,1000}echo\s.{0,1000}bash\s\-c\s.{0,1000}bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s\>\>\s\/etc\/update\-motd\.d\/00\-header.{0,1000}","greyware_tool_keyword","bash","Backdooring Message of the Day","T1059.004 - T1574.001 - T1027","TA0002 - TA0005","N/A","N/A","Persistence","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","42701" "*echo [.ShellClassInfo] > desktop.ini*",".{0,1000}echo\s\[\.ShellClassInfo\]\s\>\sdesktop\.ini.{0,1000}","greyware_tool_keyword","attrib","NTLM Leak via Desktop.ini","T1555.003 - T1081.001","TA0006 - TA0007","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","42702" "*echo > C:\inetpub\wwwroot\*\*.aspx*",".{0,1000}echo\s\>\sC\:\\inetpub\\wwwroot\\.{0,1000}\\.{0,1000}\.aspx.{0,1000}","greyware_tool_keyword","echo","writing an ASPX file to C:\inetpub\wwwroot\ (potential Web shell deployment)","T1505.003","TA0001 - TA0003","N/A","N/A","Persistence","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","42703" "*echo 0 > /sys/kernel/debug/kprobes/enabled*",".{0,1000}echo\s0\s\>\s\/sys\/kernel\/debug\/kprobes\/enabled.{0,1000}","greyware_tool_keyword","echo","This command disables kprobes by writing '0' to the enabled file. 
Kprobes are dynamic breakpoints in the Linux kernel that can be used to intercept functions and gather information for debugging or monitoring.","T1562.001 - T1055 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42704" "*echo 0 > /sys/kernel/debug/tracing/instances/$*/tracing_on*",".{0,1000}echo\s0\s\>\s\/sys\/kernel\/debug\/tracing\/instances\/\$.{0,1000}\/tracing_on.{0,1000}","greyware_tool_keyword","echo","This command turns off tracing for a specific instance","T1562.001 - T1055 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42705" "*echo 0 > /var/log/cron*",".{0,1000}echo\s0\s\>\s\/var\/log\/cron.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42706" "*echo 0 > /var/log/secure*",".{0,1000}echo\s0\s\>\s\/var\/log\/secure.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42707" "*echo 0 > /var/log/wtmp*",".{0,1000}echo\s0\s\>\s\/var\/log\/wtmp.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42708" "*echo 0 > /var/spool/mail/root*",".{0,1000}echo\s0\s\>\s\/var\/spool\/mail\/root.{0,1000}","greyware_tool_keyword","echo","clearing logs to cover traces","T1070","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42709" "*echo 'alias cat=/bin/bash -c 'bash -i >& /dev/tcp/*/* 0>&1'' >> */.bashrc* 
",".{0,1000}echo\s\'alias\scat\=\/bin\/bash\s\-c\s\'bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\s0\>\&1\'\'\s\>\>\s.{0,1000}\/\.bashrc.{0,1000}\s","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","42713" "*echo 'alias find=/bin/bash -c 'bash -i >& /dev/tcp/*/*>> ""$user/.bashrc""*",".{0,1000}echo\s\'alias\sfind\=\/bin\/bash\s\-c\s\'bash\s\-i\s\>\&\s\/dev\/tcp\/.{0,1000}\/.{0,1000}\>\>\s\""\$user\/\.bashrc\"".{0,1000}","greyware_tool_keyword","cloudflared","cloudfared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","42715" "*echo CLSID={88C6C381-2E85-11D0-94DE-444553540000} >> desktop.ini*",".{0,1000}echo\sCLSID\=\{88C6C381\-2E85\-11D0\-94DE\-444553540000\}\s\>\>\sdesktop\.ini.{0,1000}","greyware_tool_keyword","attrib","instruments explorer to treat the folder as ActiveX cache","T1070 - T1222","TA0005","N/A","N/A","Defense Evasion","https://x.com/ValthekOn/status/1890160938407596168","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","42717" "*echo IconResource=\\*\* >> desktop.ini*",".{0,1000}echo\sIconResource\=\\\\.{0,1000}\\.{0,1000}\s\>\>\sdesktop\.ini.{0,1000}","greyware_tool_keyword","attrib","NTLM Leak via Desktop.ini","T1555.003 - T1081.001","TA0006 - TA0007","N/A","N/A","Credential 
Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","42720" "*echo Installing XEOX Agent*",".{0,1000}echo\sInstalling\sXEOX\sAgent.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","42722" "*echo nc -l -p * > *.bat*",".{0,1000}echo\snc\s\-l\s\-p\s.{0,1000}\s\>\s.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","nc","Netcat Relay on windows - create a relay that sends packets from the local port to a netcat client connected to the target ip on the targeted port","T1090.001 - T1021.001","TA0011 - TA0040","N/A","Calypso - GALLIUM","Data Exfiltration","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/NetcatCheatSheet.pdf","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","42725" "*echo 'set +o history' >> /etc/profile*",".{0,1000}echo\s\'set\s\+o\shistory\'\s\>\>\s\/etc\/profile.{0,1000}","greyware_tool_keyword","echo","linux command abused by attacker","T1146 - T1059.004 - T1556.003","TA0005 - TA0009 - TA0003","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","42736" "*echo start > \\.\pipe\winreg*",".{0,1000}echo\sstart\s\>\s\\\\\.\\pipe\\winreg.{0,1000}","greyware_tool_keyword","sc","start the RemoteRegistry service without Admin privileges","T1569.002","TA0004 ","N/A","Snatch","Defense Evasion","https://twitter.com/splinter_code/status/1715876413474025704","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","42737" "*ecnereferPpM-teS*",".{0,1000}ecnereferPpM\-teS.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense 
Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","42744" "*ed0375afd9b26b18fd9b72bbb416dbf8bec289bf135facf4b7ba5cd2b1d86208*",".{0,1000}ed0375afd9b26b18fd9b72bbb416dbf8bec289bf135facf4b7ba5cd2b1d86208.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","#filehash","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","42748" "*ed0892438b4bb9a36ee05c360fed16c100bf56c93cf922769e88224b8288df8d*",".{0,1000}ed0892438b4bb9a36ee05c360fed16c100bf56c93cf922769e88224b8288df8d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42750" "*ed19d0c0a65e0eaf321f86f95c1026fbae834876a8431d65609937e56e240ef8*",".{0,1000}ed19d0c0a65e0eaf321f86f95c1026fbae834876a8431d65609937e56e240ef8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","42758" 
"*ed1f4ff9004e7065939247b9df3e4d51e08a0c990931e438b733fb4e64b4adf2*",".{0,1000}ed1f4ff9004e7065939247b9df3e4d51e08a0c990931e438b733fb4e64b4adf2.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#filehash","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","42759" "*ed253174ca80a6c8acc3a0eba49c4a157d4c780a32161d84f387245b9fb41564*",".{0,1000}ed253174ca80a6c8acc3a0eba49c4a157d4c780a32161d84f387245b9fb41564.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42762" "*ed25f0c61c45c7f013f2f5ef9194cb2854805db9c692f656e2b30a6ad1681436*",".{0,1000}ed25f0c61c45c7f013f2f5ef9194cb2854805db9c692f656e2b30a6ad1681436.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","42763" "*ed4f5607dbc3fec5d43fbc22fb12a79d8bca07aa60c8733db7f495b7210d631f*",".{0,1000}ed4f5607dbc3fec5d43fbc22fb12a79d8bca07aa60c8733db7f495b7210d631f.{0,1000}","greyware_tool_keyword","cloudflared","cloudfared 
Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","42771" "*ed716e9d8a9382928e6a20bbac0f2245b7996125d9d86ace9c9a88fb9f8e4fde*",".{0,1000}ed716e9d8a9382928e6a20bbac0f2245b7996125d9d86ace9c9a88fb9f8e4fde.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42778" "*ed8e23f58c3539380673c26d1ed265f703207cc2866f6c3e9e004859a0a559e5*",".{0,1000}ed8e23f58c3539380673c26d1ed265f703207cc2866f6c3e9e004859a0a559e5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","42786" "*edb82e0716aa844b2d6d8ebfe4d4e08f41a0618fdd62b64623c8f590a39bc207*",".{0,1000}edb82e0716aa844b2d6d8ebfe4d4e08f41a0618fdd62b64623c8f590a39bc207.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42799" 
"*edb84e2914bb1bd31a213b87aabd387999159093c5c00138cbc8f8f8fdc77fb1*",".{0,1000}edb84e2914bb1bd31a213b87aabd387999159093c5c00138cbc8f8f8fdc77fb1.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","42800" "*edb87b5669e9a133f18328402a89242a7844ad244929133803439e95201958d8*",".{0,1000}edb87b5669e9a133f18328402a89242a7844ad244929133803439e95201958d8.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","42801" "*ede5208316ef343dad39c0cc595815382526b1d47bcc1454b43cb8a1d1ff29f2*",".{0,1000}ede5208316ef343dad39c0cc595815382526b1d47bcc1454b43cb8a1d1ff29f2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42811" "*edknjdjielmpdlnllkdmaghlbpnmjmgb*",".{0,1000}edknjdjielmpdlnllkdmaghlbpnmjmgb.{0,1000}","greyware_tool_keyword","Muscle VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","42822" "*ee067f36a977b3620149fb7a1bd8bce6576b2be781c0870544ec391c80a6d785*",".{0,1000}ee067f36a977b3620149fb7a1bd8bce6576b2be781c0870544ec391c80a6d785.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42852" "*ee0917c3db2e6a92e681f9b3b7837165924df74e5ca5bb9c3f7de7f411c9512b*",".{0,1000}ee0917c3db2e6a92e681f9b3b7837165924df74e5ca5bb9c3f7de7f411c9512b.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","42854" "*ee2d0d800b14ac26b8aeae4365df031e0186d23be150308735a0be753ec2d3f9*",".{0,1000}ee2d0d800b14ac26b8aeae4365df031e0186d23be150308735a0be753ec2d3f9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","42865" "*ee35e912fdc0dbc8ce07822ab1899f7f4b85e8113e3e1b743b0a303924cd6b22*",".{0,1000}ee35e912fdc0dbc8ce07822ab1899f7f4b85e8113e3e1b743b0a303924cd6b22.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","42868" "*ee3774da4187f5e28db39a04a4fd6a4c11f0be46387a7375e5863ef9c558a39e*",".{0,1000}ee3774da4187f5e28db39a04a4fd6a4c11f0be46387a7375e5863ef9c558a39e.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42869" "*ee3caa7a4881716651aa159df73e817c7a7d3fcf82a234d83d3f78d4070975e9*",".{0,1000}ee3caa7a4881716651aa159df73e817c7a7d3fcf82a234d83d3f78d4070975e9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","42870" 
"*ee3e0370955bb5c44e5a5370bdd268e5e948e18dbe86ae89e9f243f4a1668850*",".{0,1000}ee3e0370955bb5c44e5a5370bdd268e5e948e18dbe86ae89e9f243f4a1668850.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42871" "*ee4026fe96e047558bedd20cf870d1f8348beb91a2c88fbf4cedd6357e316f1d*",".{0,1000}ee4026fe96e047558bedd20cf870d1f8348beb91a2c88fbf4cedd6357e316f1d.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","#filehash","N/A","7","10","N/A","N/A","N/A","N/A","42872" "*ee4252ab2dab84bb6a1860649d504452c866007570aaedb91cbe7f734718baab*",".{0,1000}ee4252ab2dab84bb6a1860649d504452c866007570aaedb91cbe7f734718baab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42874" 
"*EE54577067550559C4711C9E5E10435807F9DEEE9A5ADB4409CB60A6B0108700*",".{0,1000}EE54577067550559C4711C9E5E10435807F9DEEE9A5ADB4409CB60A6B0108700.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","42875" "*ee5974d52512f1d5e55fafef9e04969656c1dd2fa5919376f81bf62b1a6a04e9*",".{0,1000}ee5974d52512f1d5e55fafef9e04969656c1dd2fa5919376f81bf62b1a6a04e9.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42877" "*ee5a09ea800c9dd9353a08a8b78e51cb781e211476b793cb6684cd95a18ed096*",".{0,1000}ee5a09ea800c9dd9353a08a8b78e51cb781e211476b793cb6684cd95a18ed096.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","42878" "*ee5d276260040e43272cdf7c70c51e4a03a959e0bd4f3f4752edb02569c7736a*",".{0,1000}ee5d276260040e43272cdf7c70c51e4a03a959e0bd4f3f4752edb02569c7736a.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","42879" "*ee64735aef9a98eff32fa75e2bf8df53b3c8312d85ca1d02e37c01d06fa6c47e*",".{0,1000}ee64735aef9a98eff32fa75e2bf8df53b3c8312d85ca1d02e37c01d06fa6c47e.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows 
you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","42881" "*ee73359be8239759b7dba6019f25de89aba70224615f5a9c343725c3e32be7a2*",".{0,1000}ee73359be8239759b7dba6019f25de89aba70224615f5a9c343725c3e32be7a2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42888" "*ee81cbfdbb043dc706d64de7119e92a43002fb454a045ab6674536b2c9539721*",".{0,1000}ee81cbfdbb043dc706d64de7119e92a43002fb454a045ab6674536b2c9539721.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42891" 
"*ee89364096c5e44a71f4a5b9a939026ae0184f350707e6e42d177ab8b8d7490b*",".{0,1000}ee89364096c5e44a71f4a5b9a939026ae0184f350707e6e42d177ab8b8d7490b.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","42893" "*ee8cdc63c2993ce8ab2bf918a56169a815254cd5f5a9a57567a904ec5dbf0145*",".{0,1000}ee8cdc63c2993ce8ab2bf918a56169a815254cd5f5a9a57567a904ec5dbf0145.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","42894" "*ee95cc2e9d7a6b048cc0637fab30cee273ee5b0fb144759b25dfc55f5f5434f4*",".{0,1000}ee95cc2e9d7a6b048cc0637fab30cee273ee5b0fb144759b25dfc55f5f5434f4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","42895" "*eeb1f0b925539af3482eea902d44fe06b1540ddb1794903fe61aef77c0f22fd1*",".{0,1000}eeb1f0b925539af3482eea902d44fe06b1540ddb1794903fe61aef77c0f22fd1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC 
Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42899" "*eeb4247038f58d6b89bd5608782489eeaa7bcfb83d61b5475284ab612978b328*",".{0,1000}eeb4247038f58d6b89bd5608782489eeaa7bcfb83d61b5475284ab612978b328.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","42900" "*eed8b56841e75df2c0cbe5131dc21e564c59850a28275fb0362e03d8d932aafe*",".{0,1000}eed8b56841e75df2c0cbe5131dc21e564c59850a28275fb0362e03d8d932aafe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42909" "*eed97f810223bcf85f69b84040fd3e44e4a4569b4fab06da412c93fed71aef02*",".{0,1000}eed97f810223bcf85f69b84040fd3e44e4a4569b4fab06da412c93fed71aef02.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","42910" "*eedf9170ab629a168f92f914dd1e633516ff6b7f8df56b1f459a08d906a29e73*",".{0,1000}eedf9170ab629a168f92f914dd1e633516ff6b7f8df56b1f459a08d906a29e73.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","42912" "*eee0125ce7d147791c5b6df258e849476727218f04d1ebbd1a305e64b8e9e777*",".{0,1000}eee0125ce7d147791c5b6df258e849476727218f04d1ebbd1a305e64b8e9e777.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","42913" "*eee20962a1056f525bbe1c99c656794511697e510221522e7d62efd943457190*",".{0,1000}eee20962a1056f525bbe1c99c656794511697e510221522e7d62efd943457190.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","#filehash","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","42914" "*eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48*",".{0,1000}eeee2b0a6ad1c7e4614fed4dfbe58b63776f6a3a6758267b5a976b4dc4315f48.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense 
Evasion","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","42918" "*eefd30efe33687408541ad00fead452f4f341c32fad1a77e84006ae7aa4fbe9a*",".{0,1000}eefd30efe33687408541ad00fead452f4f341c32fad1a77e84006ae7aa4fbe9a.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","42920" "*ef0a33964a27c286631d9386230da9953b35733c601f70fe3bc961674822ba5c*",".{0,1000}ef0a33964a27c286631d9386230da9953b35733c601f70fe3bc961674822ba5c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42926" "*ef0f36cdf1d04e191e26c6d744fedcdbd29951dd599f1414e4efc85fe0c86846*",".{0,1000}ef0f36cdf1d04e191e26c6d744fedcdbd29951dd599f1414e4efc85fe0c86846.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian 
- Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42927" "*ef13e3756e1108a1dc018ff356f1b50c418f2ddd25b701aeaf52f959c883c53d*",".{0,1000}ef13e3756e1108a1dc018ff356f1b50c418f2ddd25b701aeaf52f959c883c53d.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","42929" "*ef13e3756e1108a1dc018ff356f1b50c418f2ddd25b701aeaf52f959c883c53d*",".{0,1000}ef13e3756e1108a1dc018ff356f1b50c418f2ddd25b701aeaf52f959c883c53d.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","42930" "*ef1d847561dc29afa96b2e827e7c9a94facb9b6aae2b09ddb33c3c50ab581ae2*",".{0,1000}ef1d847561dc29afa96b2e827e7c9a94facb9b6aae2b09ddb33c3c50ab581ae2.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","42934" 
"*ef1dd208731a0adf0207f096af478b1be9465d375c60d229be616fd59a2a2dda*",".{0,1000}ef1dd208731a0adf0207f096af478b1be9465d375c60d229be616fd59a2a2dda.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","42935" "*ef1e36b27583da0b2e5b24c79c961e9c43b09d7ea5ec65326213088f27a371b0*",".{0,1000}ef1e36b27583da0b2e5b24c79c961e9c43b09d7ea5ec65326213088f27a371b0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42936" "*ef378aa93a1ecf584572d815f5f643d1ef6b78764e093ca65db7a27512aefd80*",".{0,1000}ef378aa93a1ecf584572d815f5f643d1ef6b78764e093ca65db7a27512aefd80.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - 
EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42939" "*ef37c5075ad3ac56cc95adace9e3686da6448cfcbe8430e997affb263e1cbdd9*",".{0,1000}ef37c5075ad3ac56cc95adace9e3686da6448cfcbe8430e997affb263e1cbdd9.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","42940" "*ef3c8c0571a752f2d400f4c94592a791c6db2dab93b85b4d161384a3a76e42f4*",".{0,1000}ef3c8c0571a752f2d400f4c94592a791c6db2dab93b85b4d161384a3a76e42f4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42943" "*ef3cc05f5d86042c926a3243c081957445717960268743953793980df144b145*",".{0,1000}ef3cc05f5d86042c926a3243c081957445717960268743953793980df144b145.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42944" 
"*ef44189d246b4a95e0eabbf1d6d86ba94002e6f2bb5eefca8e3e8b8292abc085*",".{0,1000}ef44189d246b4a95e0eabbf1d6d86ba94002e6f2bb5eefca8e3e8b8292abc085.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","42947" "*ef460741f5ce36bf8c5e99edc67cb1a88ecba4a25550a136bf9cc3160b58e2fe*",".{0,1000}ef460741f5ce36bf8c5e99edc67cb1a88ecba4a25550a136bf9cc3160b58e2fe.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42948" "*ef67236f50b717490ba2d02669aac749eab81b805285e5780cb691006f26f742*",".{0,1000}ef67236f50b717490ba2d02669aac749eab81b805285e5780cb691006f26f742.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42953" "*ef77dea20926b6f460844b5a51fd0d238976a1dba89f20f0fccff96712ad9df8*",".{0,1000}ef77dea20926b6f460844b5a51fd0d238976a1dba89f20f0fccff96712ad9df8.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for 
exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","42955" "*ef7bd67653ef87e73212d92560a12c430fda7f73b86d9eb9865123c44f2dfbfe*",".{0,1000}ef7bd67653ef87e73212d92560a12c430fda7f73b86d9eb9865123c44f2dfbfe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","42956" "*ef9ccb9743205b6cd63e965ded0ad5b6836d9c4f4d8b3bec5264bdfbf1c71651*",".{0,1000}ef9ccb9743205b6cd63e965ded0ad5b6836d9c4f4d8b3bec5264bdfbf1c71651.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","42963" "*efa152281662334f2a353cd4819a9eba3b9fae144e50758487df31ab1974876f*",".{0,1000}efa152281662334f2a353cd4819a9eba3b9fae144e50758487df31ab1974876f.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","42965" "*efa3e8453d29c9a5c581f0ff42a6aab237ccda2ba1b545d013ba1a2adaa4348e*",".{0,1000}efa3e8453d29c9a5c581f0ff42a6aab237ccda2ba1b545d013ba1a2adaa4348e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat 
actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","42966" "*efa4485dbd9d5813411e35144b17f676459fb681dc67c5a84d61da68f77099f8*",".{0,1000}efa4485dbd9d5813411e35144b17f676459fb681dc67c5a84d61da68f77099f8.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","#filehash","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","42967" "*efacb962d9276a13cc733354f5f42124a0cdf4b8eb5c2c6e65bda9f90945b930*",".{0,1000}efacb962d9276a13cc733354f5f42124a0cdf4b8eb5c2c6e65bda9f90945b930.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42970" "*efb17668ff5bc7cb632ddc85ad0d38b020bed85ca6a2b798a31a61abb32b0516*",".{0,1000}efb17668ff5bc7cb632ddc85ad0d38b020bed85ca6a2b798a31a61abb32b0516.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - 
T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42971" "*efb4c1b4ea3b74fcab1947c248122f03cf95df33b17b8d635d3a50c3a91726d1*",".{0,1000}efb4c1b4ea3b74fcab1947c248122f03cf95df33b17b8d635d3a50c3a91726d1.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","42972" "*efc69509f9ba588131f6e9f9dcc38ef159a8881cf336d9f2812c01bf6f4e0737*",".{0,1000}efc69509f9ba588131f6e9f9dcc38ef159a8881cf336d9f2812c01bf6f4e0737.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42976" 
"*efd2156b1477d88b8ce1d9428cdeb1689bd12cefb4b31ca81b70eb7d65e22e59*",".{0,1000}efd2156b1477d88b8ce1d9428cdeb1689bd12cefb4b31ca81b70eb7d65e22e59.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","42979" "*efdd75eb5c12af6fec4189aa57dc777035a87dd57204daa52293901199569157*",".{0,1000}efdd75eb5c12af6fec4189aa57dc777035a87dd57204daa52293901199569157.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","42982" "*efed00b9707b548838bb7010f9d42b41d8e2e4eedc6a2c3c3487f4e96d7439a1*",".{0,1000}efed00b9707b548838bb7010f9d42b41d8e2e4eedc6a2c3c3487f4e96d7439a1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","42987" "*eff639cb05e0947c68eecd6f388f3887d2fef6df0ad94cb5459b74a382989ded*",".{0,1000}eff639cb05e0947c68eecd6f388f3887d2fef6df0ad94cb5459b74a382989ded.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC 
Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","42990" "*egblhcjfjmbjajhjhpmnlekffgaemgfh*",".{0,1000}egblhcjfjmbjajhjhpmnlekffgaemgfh.{0,1000}","greyware_tool_keyword","Fornex VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","43013" "*ehbhfpfdkmhcpaehaooegfdflljcnfec*",".{0,1000}ehbhfpfdkmhcpaehaooegfdflljcnfec.{0,1000}","greyware_tool_keyword","WeVPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","43029" "*ehorus_agent -f /etc/ehorus/*",".{0,1000}ehorus_agent\s\-f\s\/etc\/ehorus\/.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","43030" "*eidnihaadmmancegllknfbliaijfmkgo*",".{0,1000}eidnihaadmmancegllknfbliaijfmkgo.{0,1000}","greyware_tool_keyword","Push VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","43033" "*ejkaocphofnobjdedneohbbiilggdlbi*",".{0,1000}ejkaocphofnobjdedneohbbiilggdlbi.{0,1000}","greyware_tool_keyword","Hotspot Shield Elite VPN Proxy","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","43038" "*ekzhang/bore*",".{0,1000}ekzhang\/bore.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","1","N/A","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","43040" "*ekzhang/sshx*",".{0,1000}ekzhang\/sshx.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","43041" 
"*elastic-agent.exe uninstall*",".{0,1000}elastic\-agent\.exe\suninstall.{0,1000}","greyware_tool_keyword","elastic-agent","uninstall elast-agent from the system","T1562.004 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","43045" "*elddy/NimScan*",".{0,1000}elddy\/NimScan.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","1","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","43046" "*Elevate*\elev_win.exe*",".{0,1000}Elevate.{0,1000}\\elev_win\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43053" "*eliforPllaweriFteN-teS*",".{0,1000}eliforPllaweriFteN\-teS.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43067" "*emacs -Q -nw --eval '(term \""/bin/sh -p\"")*",".{0,1000}emacs\s\-Q\s\-nw\s\-\-eval\s\'\(term\s\\\""\/bin\/sh\s\-p\\\""\).{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","43076" "*emerge -a app-misc/tmate",".{0,1000}emerge\s\-a\sapp\-misc\/tmate","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - 
TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","43086" "*Enable-AADIntTenantMsolAccess*",".{0,1000}Enable\-AADIntTenantMsolAccess.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43120" "*enable-psremoting -force*",".{0,1000}enable\-psremoting\s\-force.{0,1000}","greyware_tool_keyword","powershell","enables WinRM","T1077 - T1021","TA0008 - TA0005","N/A","N/A","Lateral Movement","https://github.com/alperenugurlu/AD_Enumeration_Hunt/blob/alperen_ugurlu_hack/AD_Enumeration_Hunt.ps1","1","0","N/A","N/A","10","1","93","18","2023-08-05T06:10:26Z","2023-08-05T05:16:57Z","43126" "*EnableTailscaleDNSSettings*",".{0,1000}EnableTailscaleDNSSettings.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","43131" "*EnableTailscaleSubnets*",".{0,1000}EnableTailscaleSubnets.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","43132" "*Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All*",".{0,1000}Enable\-WindowsOptionalFeature\s\-Online\s\-FeatureName\sMicrosoft\-Hyper\-V\s\-All.{0,1000}","greyware_tool_keyword","powershell","enabling hyperV - virtualization could be abused by attacker to maintain persistence in a virtual machine","T1560.003 - T1547 - T1059","TA0003 - TA0002","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","43133" "*Enable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -All*",".{0,1000}Enable\-WindowsOptionalFeature\s\-Online\s\-FeatureName\sMicrosoftWindowsPowerShellV2Root\s\-All.{0,1000}","greyware_tool_keyword","powershell","Enabling PowerShell 2.0 Engine - downgrading to powershell version 2","T1059.001 - T1546.015 - T1086","TA0002 - TA0003 - TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43134" "*Enable-WindowsOptionalFeature -Online:$true -FeatureName Microsoft-Hyper-V -All:$true*",".{0,1000}Enable\-WindowsOptionalFeature\s\-Online\:\$true\s\-FeatureName\sMicrosoft\-Hyper\-V\s\-All\:\$true.{0,1000}","greyware_tool_keyword","powershell","enabling hyperV - virtualization could be abused by attacker to maintain persistence in a virtual machine","T1560.003 - T1547 - T1059","TA0003 - TA0002","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","43135" "*eppiocemhmnlbhjplcgkofciiegomcon*",".{0,1000}eppiocemhmnlbhjplcgkofciiegomcon.{0,1000}","greyware_tool_keyword","Urban Free VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 
- TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","43233" "*Eraser.exe addtask *",".{0,1000}Eraser\.exe\saddtask\s.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","43235" "*Error converting offlinesam path*",".{0,1000}Error\sconverting\sofflinesam\spath.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43239" "*Esentutl*/p /o *.dit*",".{0,1000}Esentutl.{0,1000}\/p\s\/o\s.{0,1000}\.dit.{0,1000}","greyware_tool_keyword","esentutl","extract the AD Database","T1005 - T1006 - T1564.004 - T1105 - T1570 - T1003.003","TA0006 - TA0005 - TA0003 - TA0010","N/A","Chimera - menuPass","Credential Access","https://lolbas-project.github.io/lolbas/Binaries/Esentutl/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43249" "*esentutl.exe /y /vss *:\windows\ntds\ntds.dit*",".{0,1000}esentutl\.exe\s\/y\s\/vss\s.{0,1000}\:\\windows\\ntds\\ntds\.dit.{0,1000}","greyware_tool_keyword","esentutl","extract the AD Database","T1005 - T1006 - T1564.004 - T1105 - T1570 - T1003.003","TA0006 - TA0005 - TA0003 - TA0010","N/A","Chimera - menuPass","Credential 
Access","https://lolbas-project.github.io/lolbas/Binaries/Esentutl/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43250" "*esxcli network firewall set -enabled f*",".{0,1000}esxcli\snetwork\sfirewall\sset\s\-enabled\sf.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1562.004 - T1070.003","TA0005 ","N/A","Black Basta","Defense Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43252" "*esxcli network firewall set --enabled f*",".{0,1000}esxcli\snetwork\sfirewall\sset\s\-\-enabled\sf.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1562.004 - T1070.003","TA0005 ","N/A","Black Basta","Defense Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43253" "*esxcli system account add*",".{0,1000}esxcli\ssystem\saccount\sadd.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1098 - T1078 - T1078.003","TA0003 - TA0004","N/A","Black Basta","Persistence","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43254" "*esxcli system account remove*",".{0,1000}esxcli\ssystem\saccount\sremove.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1489 - T1569.002","TA0040 - TA0005","N/A","Black Basta","Defense Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43255" "*esxcli system account set -i * -s t*",".{0,1000}esxcli\ssystem\saccount\sset\s\-i\s.{0,1000}\s\-s\st.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1098 - 
T1078 - T1078.003","TA0003 - TA0004","N/A","Black Basta","Persistence","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43256" "*esxcli system auditrecords local disable*",".{0,1000}esxcli\ssystem\sauditrecords\slocal\sdisable.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1542.003 - T1562.001 - T1553.002 - T1542 - T1600","TA0040 - TA0005","N/A","Black Basta","Defense Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43257" "*esxcli system coredump file set --unconfigure*",".{0,1000}esxcli\ssystem\scoredump\sfile\sset\s\-\-unconfigure.{0,1000}","greyware_tool_keyword","esxcli","disable the Core Dump file using ESXCLI ","T1070.002 - T1489","TA0005 - TA0040","N/A","Akira - Black Basta","Defense Evasion","https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43258" "*esxcli system permission list*",".{0,1000}esxcli\ssystem\spermission\slist.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1069.002 ","TA0007","N/A","Black Basta","Discovery","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43259" "*esxcli system settings encryption set - require-exec-installed-only=F*",".{0,1000}esxcli\ssystem\ssettings\sencryption\sset\s\-\srequire\-exec\-installed\-only\=F.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1542.003 - T1562.001 - T1553.002 - T1542 - T1600","TA0040 - TA0005","N/A","Black Basta","Defense 
Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43260" "*esxcli system settings encryption set - require-secure-boot=F*",".{0,1000}esxcli\ssystem\ssettings\sencryption\sset\s\-\srequire\-secure\-boot\=F.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1542.003 - T1562.001 - T1553.002 - T1542 - T1600","TA0040 - TA0005","N/A","Black Basta","Defense Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43261" "*esxcli system settings kernel set -s execInstalledOnly -v F*",".{0,1000}esxcli\ssystem\ssettings\skernel\sset\s\-s\sexecInstalledOnly\s\-v\sF.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1542.003 - T1562.001 - T1553.002 - T1542 - T1600","TA0040 - TA0005","N/A","Black Basta","Defense Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43262" "*esxcli system syslog config set --logdir=/tmp*",".{0,1000}esxcli\ssystem\ssyslog\sconfig\sset\s\-\-logdir\=\/tmp.{0,1000}","greyware_tool_keyword","esxcli","disable logging with ESXCLI ","T1070.002 - T1489","TA0005 - TA0040","N/A","Akira - Black Basta","Defense Evasion","https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43263" "*esxcli vm process kill *",".{0,1000}esxcli\svm\sprocess\skill\s.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1489 - T1569.002","TA0040 - TA0005","N/A","Black Basta","Defense 
Evasion","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43264" "*esxcli vm process list*",".{0,1000}esxcli\svm\sprocess\slist.{0,1000}","greyware_tool_keyword","esxcli","commands used by ransomware targeting ESXi hosts","T1057 - T1082","TA0007","N/A","Black Basta","Discovery","https://medium.com/detect-fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","43265" "*eun1.rel.tunnels.api.visualstudio.com*",".{0,1000}eun1\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","43295" "*euw.rel.tunnels.api.visualstudio.com*",".{0,1000}euw\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","43297" "*eval-*.beyondtrustcloud.com*",".{0,1000}eval\-.{0,1000}\.beyondtrustcloud\.com.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43299" "*EvanMcBroom/lsa-whisperer*",".{0,1000}EvanMcBroom\/lsa\-whisperer.{0,1000}","greyware_tool_keyword","lsa-whisperer","Tools for interacting with authentication packages using their individual message protocols","T1556.002 - T1003.001","TA0006 - TA0005","N/A","N/A","Credential Access","https://github.com/EvanMcBroom/lsa-whisperer","1","1","N/A","N/A","6","4","316","29","2025-04-01T13:54:17Z","2022-08-04T14:35:45Z","43301" "*exe.23lldnur*",".{0,1000}exe\.23lldnur.{0,1000}","greyware_tool_keyword","_","reversed string rundll32.exe obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43417" "*exe.erolpxei*",".{0,1000}exe\.erolpxei.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43418" "*exe.rerolpxe*",".{0,1000}exe\.rerolpxe.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43419" "*exe.ssasl*",".{0,1000}exe\.ssasl.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense 
Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43420" "*exe.tsohcvs*",".{0,1000}exe\.tsohcvs.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43421" "*exec /bin/sh 0&0 2>&0*",".{0,1000}exec\s\/bin\/sh\s0\<\/dev\/tcp\/.{0,1000}\/.{0,1000}1\>\&0\s2\>\&0.{0,1000}","greyware_tool_keyword","bash","bash reverse shell ","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","43436" "*'exec /bin/sh -p 0<&1' >> \$TF*",".{0,1000}\'exec\s\/bin\/sh\s\-p\s0\<\&1\'\s\>\>\s\\\$TF.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","43437" "*exec 5<>/dev/tcp/*/**cat <&5 | while read line* do $line 2>&5 >&5* done*",".{0,1000}exec\s5\<\>\/dev\/tcp\/.{0,1000}\/.{0,1000}.{0,1000}cat\s\<\&5\s\|\swhile\sread\sline.{0,1000}\sdo\s\$line\s2\>\&5\s\>\&5.{0,1000}\sdone.{0,1000}","greyware_tool_keyword","bash","bash reverse shell ","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","43438" "*exec dropbear *",".{0,1000}exec\sdropbear\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH 
server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","43441" "*export CHROME_REMOTE_DESKTOP_DEFAULT_DESKTOP_SIZES*",".{0,1000}export\sCHROME_REMOTE_DESKTOP_DEFAULT_DESKTOP_SIZES.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","43596" "*export HISTFILE=/dev/null*",".{0,1000}export\sHISTFILE\=\/dev\/null.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","43597" "*export HISTFILE=/dev/null*",".{0,1000}export\sHISTFILE\=\/dev\/null.{0,1000}","greyware_tool_keyword","export","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","43598" "*export HISTFILESIZE=0*",".{0,1000}export\sHISTFILESIZE\=0.{0,1000}","greyware_tool_keyword","bash","Clear command history in linux which is used for defense evasion. 
","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml","1","0","#linux","greyware tool - risks of False positive !","10","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","43599" "*export HISTFILESIZE=0*",".{0,1000}export\sHISTFILESIZE\=0.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","43600" "*export HISTFILESIZE=0*",".{0,1000}export\sHISTFILESIZE\=0.{0,1000}","greyware_tool_keyword","export","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","43601" "*export HISTSIZE=0*",".{0,1000}export\sHISTSIZE\=0.{0,1000}","greyware_tool_keyword","export","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","43602" 
"*Export-AADIntADFSCertificates*",".{0,1000}Export\-AADIntADFSCertificates.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43609" "*Export-AADIntADFSConfiguration*",".{0,1000}Export\-AADIntADFSConfiguration.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43610" "*Export-AADIntADFSEncryptionKey*",".{0,1000}Export\-AADIntADFSEncryptionKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43611" "*Export-AADIntAzureCliTokens*",".{0,1000}Export\-AADIntAzureCliTokens.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 
- TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43612" "*Export-AADIntLocalDeviceCertificate*",".{0,1000}Export\-AADIntLocalDeviceCertificate.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43613" "*Export-AADIntLocalDeviceTransportKey*",".{0,1000}Export\-AADIntLocalDeviceTransportKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43614" "*Export-AADIntProxyAgentBootstraps*",".{0,1000}Export\-AADIntProxyAgentBootstraps.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43615" 
"*Export-AADIntProxyAgentCertificates*",".{0,1000}Export\-AADIntProxyAgentCertificates.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43616" "*Export-AADIntProxyAgentCertificates.*",".{0,1000}Export\-AADIntProxyAgentCertificates\..{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43617" "*Export-AADIntSPOSiteFile*",".{0,1000}Export\-AADIntSPOSiteFile.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43618" "*Export-AADIntTeamsTokens*",".{0,1000}Export\-AADIntTeamsTokens.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - 
TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43619" "*Export-AADIntTokenBrokerTokens*",".{0,1000}Export\-AADIntTokenBrokerTokens.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43620" "*Export-ADFSEncryptionKeyUsingService*",".{0,1000}Export\-ADFSEncryptionKeyUsingService.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","43621" "*expose share http://*",".{0,1000}expose\sshare\shttp\:\/\/.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","0","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","43626" "*exposeConfigPath=/src/config/expose.php*",".{0,1000}exposeConfigPath\=\/src\/config\/expose\.php.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","0","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","43627" "*external-nse-script-library*",".{0,1000}external\-nse\-script\-library.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","43648" "*f004ede766d83d38ded3358bef66fd56b564fcea19cde01f79dee4a426916448*",".{0,1000}f004ede766d83d38ded3358bef66fd56b564fcea19cde01f79dee4a426916448.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43674" "*f0078e7c09aa38b301ec1b1679ec97bc711a178da3ca48c9354c08b33933165c*",".{0,1000}f0078e7c09aa38b301ec1b1679ec97bc711a178da3ca48c9354c08b33933165c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43675" "*f00e2511ae291bed3ad7e08cfb4cb960ea10e14ef51ba15c928d5d3d14fdb09d*",".{0,1000}f00e2511ae291bed3ad7e08cfb4cb960ea10e14ef51ba15c928d5d3d14fdb09d.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","43677" "*f02191ca0c8ae1b43bf43bcd075713f1728d96dcfb238b44d812a1864389bf5d*",".{0,1000}f02191ca0c8ae1b43bf43bcd075713f1728d96dcfb238b44d812a1864389bf5d.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","43679" "*f0433048a374b655d98396d4cf60f28a9286962d40ba03c791d64d6608911210*",".{0,1000}f0433048a374b655d98396d4cf60f28a9286962d40ba03c791d64d6608911210.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43685" "*f0439788bbeda72664259defbc0edb12825cbf2928c922e06103b7b715bae88a*",".{0,1000}f0439788bbeda72664259defbc0edb12825cbf2928c922e06103b7b715bae88a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43686" "*f0474b15500edb41cb2eb6c7091bf96c0fe3ec455b8c0559974fcf1a3b1668e2*",".{0,1000}f0474b15500edb41cb2eb6c7091bf96c0fe3ec455b8c0559974fcf1a3b1668e2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43687" "*f052586d3c8b6cecbafff4773c2a67a130c00ecdece4ea43f101923c53c28f58*",".{0,1000}f052586d3c8b6cecbafff4773c2a67a130c00ecdece4ea43f101923c53c28f58.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43692" "*f0585309751d285f47ef51783422235b20248a430dc6daca9d13e4755fd02721*",".{0,1000}f0585309751d285f47ef51783422235b20248a430dc6daca9d13e4755fd02721.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43693" "*f05d3115ca5636a3a30f454f62c51746473121d40b9624dd28d84589b8e2eaf2*",".{0,1000}f05d3115ca5636a3a30f454f62c51746473121d40b9624dd28d84589b8e2eaf2.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43695" 
"*f062d1f8866ffa374149c6c672e92947654876e80faa847b5fba3eb098b22d46*",".{0,1000}f062d1f8866ffa374149c6c672e92947654876e80faa847b5fba3eb098b22d46.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","43698" "*f06b4c511c466dc0bc6ce1897b42551565965f7964ca33acd19829e0c271f6a7*",".{0,1000}f06b4c511c466dc0bc6ce1897b42551565965f7964ca33acd19829e0c271f6a7.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43699" "*f0716ffcfd48207b8de4f82ccf9ba87e876f0700f6699fc1140d08b7a8f741b4*",".{0,1000}f0716ffcfd48207b8de4f82ccf9ba87e876f0700f6699fc1140d08b7a8f741b4.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43702" "*f0955bc39c7983518875318d843859180f5cd47922a62852d75746dacada84b9*",".{0,1000}f0955bc39c7983518875318d843859180f5cd47922a62852d75746dacada84b9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing 
files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43708" "*f0a4507fc58b3c37a70bfd12bc2164fd323e9dcc06cafbc0b048f4b4891b9a49*",".{0,1000}f0a4507fc58b3c37a70bfd12bc2164fd323e9dcc06cafbc0b048f4b4891b9a49.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","43712" "*f0b3b07c44622aeae797eb9938fa2e1e38736894e4ed99a527c84a1ce0b74475*",".{0,1000}f0b3b07c44622aeae797eb9938fa2e1e38736894e4ed99a527c84a1ce0b74475.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","43716" "*f0cb2b2a4eeef825671b32a3ad2c1f0f01daa3a8f301b35d6a068ce7ddb351ec*",".{0,1000}f0cb2b2a4eeef825671b32a3ad2c1f0f01daa3a8f301b35d6a068ce7ddb351ec.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43718" "*f0d19d73955298f2766e55ff49347e31b2482a3bcba107ccbe38630b1aac355a*",".{0,1000}f0d19d73955298f2766e55ff49347e31b2482a3bcba107ccbe38630b1aac355a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","43719" "*f0d3f6d841b1d8e4478f25771fa6f58717fed13de6c28dec36bf497c7b035853*",".{0,1000}f0d3f6d841b1d8e4478f25771fa6f58717fed13de6c28dec36bf497c7b035853.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","43720" "*f0ded25a361ea53de7518a357c03d733d8caf206f7a90a8e3b4d6a29563c9277*",".{0,1000}f0ded25a361ea53de7518a357c03d733d8caf206f7a90a8e3b4d6a29563c9277.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","43723" 
"*f0df0ff18deffb04707e1f14bf546d18cdad566798fdae16329dc320113f6a0f*",".{0,1000}f0df0ff18deffb04707e1f14bf546d18cdad566798fdae16329dc320113f6a0f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43724" "*f11f0d5b7f14d4751f40b9c2c92928dfdbe0d055981e140ba0a5d75ecfe72e10*",".{0,1000}f11f0d5b7f14d4751f40b9c2c92928dfdbe0d055981e140ba0a5d75ecfe72e10.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","43740" "*f12d47279fdb2f896b6f0f315734ffd2d8b1d3db79cf377c55c772a9cc158177*",".{0,1000}f12d47279fdb2f896b6f0f315734ffd2d8b1d3db79cf377c55c772a9cc158177.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43743" "*f138639350d3735df86d6628a223f31111772a8a3e4d5648ddbd5d2af52a19c9*",".{0,1000}f138639350d3735df86d6628a223f31111772a8a3e4d5648ddbd5d2af52a19c9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43745" 
"*f13912099e2f929c310e70ea6079b5cd7f1956b39408e975efe698d500cb4ef8*",".{0,1000}f13912099e2f929c310e70ea6079b5cd7f1956b39408e975efe698d500cb4ef8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43746" "*f139f24cb99599d9f666d925cf0371aff4eaf5fbf531634ee3a2740d5b646da3*",".{0,1000}f139f24cb99599d9f666d925cf0371aff4eaf5fbf531634ee3a2740d5b646da3.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","43747" "*f14052ce01a373effaf1c74eeed9ccda8ac4f6cf3407727d4a5871df9f195f57*",".{0,1000}f14052ce01a373effaf1c74eeed9ccda8ac4f6cf3407727d4a5871df9f195f57.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","43748" 
"*f14655042086ef4653c0351a6464fb7d73473baf26e15a5f59c298bd3df23d1c*",".{0,1000}f14655042086ef4653c0351a6464fb7d73473baf26e15a5f59c298bd3df23d1c.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43756" "*f1519ce7537ded97e28b44ef9f612bef963161887dd010fc4e73271e4a9a8fad*",".{0,1000}f1519ce7537ded97e28b44ef9f612bef963161887dd010fc4e73271e4a9a8fad.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43758" "*f154878288857410353e4cabc498941869ffbbd1783f6a1923c6ed92c03dfab6*",".{0,1000}f154878288857410353e4cabc498941869ffbbd1783f6a1923c6ed92c03dfab6.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","43761" "*f160f0e2319e8ead547548ccecdff561aea5b77a3bb00b387e1ddf3f1c3298db*",".{0,1000}f160f0e2319e8ead547548ccecdff561aea5b77a3bb00b387e1ddf3f1c3298db.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind 
the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43767" "*f16d1b7d69bf4c2a9a7e737809dd930012f419e7b7977887226f0f6859367cc4*",".{0,1000}f16d1b7d69bf4c2a9a7e737809dd930012f419e7b7977887226f0f6859367cc4.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","43771" "*f175e055b67f3cbaf4588a9decdb4ed6bf441ea28da502451ddd3da8ca87d390*",".{0,1000}f175e055b67f3cbaf4588a9decdb4ed6bf441ea28da502451ddd3da8ca87d390.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","43772" "*f185996846f3e71d20cb79336e76f73d2b2fb7250fea1e9b98f77547fdd3bd06*",".{0,1000}f185996846f3e71d20cb79336e76f73d2b2fb7250fea1e9b98f77547fdd3bd06.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43777" "*f18f551bbe47c5078c3e49718dea7287979b203fbd01149e9def64bbae723e4c*",".{0,1000}f18f551bbe47c5078c3e49718dea7287979b203fbd01149e9def64bbae723e4c.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","43780" "*f191225491a0fd4f9c1e2f0f89d7458aa06d9493e683d374a820e38b49e50e82*",".{0,1000}f191225491a0fd4f9c1e2f0f89d7458aa06d9493e683d374a820e38b49e50e82.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","43781" "*f193e6dd7595ee4163e6299c5196dcee429046f0f99175f5058ddce9348057bf*",".{0,1000}f193e6dd7595ee4163e6299c5196dcee429046f0f99175f5058ddce9348057bf.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43782" "*f1985ce963979371360df27054ba07df4d4ee35338880bed83ef609a4648c420*",".{0,1000}f1985ce963979371360df27054ba07df4d4ee35338880bed83ef609a4648c420.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43783" 
"*f1a9c39d396d1217c05584284352f4a3bef008be5d06ce1b81a6cf88f6f3a7b1*",".{0,1000}f1a9c39d396d1217c05584284352f4a3bef008be5d06ce1b81a6cf88f6f3a7b1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43788" "*f1aa7c960a64c65548d23d2a77b3aa04844695174e44c7e04e0094190a1b8b46*",".{0,1000}f1aa7c960a64c65548d23d2a77b3aa04844695174e44c7e04e0094190a1b8b46.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","43789" "*f1b1b2b181d6148660067534534e7c85f49241068fca8b3c1f6099216b67fb39*",".{0,1000}f1b1b2b181d6148660067534534e7c85f49241068fca8b3c1f6099216b67fb39.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","43790" "*f1c1f6e3dd1697be115ea8567fbed5f993832bc5e2400e69dbac6ccd95d02c61*",".{0,1000}f1c1f6e3dd1697be115ea8567fbed5f993832bc5e2400e69dbac6ccd95d02c61.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43793" 
"*f1dc0436b7f9f3f5c5d404cf5fb4a7319ff1cc22a06a687672020af620693f70*",".{0,1000}f1dc0436b7f9f3f5c5d404cf5fb4a7319ff1cc22a06a687672020af620693f70.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43796" "*f1f11c0e9dc81dbb5d52bfd190ad7487c124c20c248ee224d8163ec9d703a096*",".{0,1000}f1f11c0e9dc81dbb5d52bfd190ad7487c124c20c248ee224d8163ec9d703a096.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","43801" "*f1fd018de5da0ba61e095a731ec6e142c9cde50f6231eabb475a889fe5f323d4*",".{0,1000}f1fd018de5da0ba61e095a731ec6e142c9cde50f6231eabb475a889fe5f323d4.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43803" "*f1ff71f1b4751329a9957412758931f8b13a9477dcff3435ee3b9ba98a6ace73*",".{0,1000}f1ff71f1b4751329a9957412758931f8b13a9477dcff3435ee3b9ba98a6ace73.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43804" 
"*f2173450c0170fe8cbb61ebc77d8fc81fba08641e78a636e3cb0b943bca45eb1*",".{0,1000}f2173450c0170fe8cbb61ebc77d8fc81fba08641e78a636e3cb0b943bca45eb1.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","43811" "*f23d82762095f7fd72ef625aad0d41b0e70d9e29619f72e91c2c140464d71fe0*",".{0,1000}f23d82762095f7fd72ef625aad0d41b0e70d9e29619f72e91c2c140464d71fe0.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","43820" "*f263d762ee5788d2773d167ed15e6fc41e874f8682b6df9c8f8215c07c836275*",".{0,1000}f263d762ee5788d2773d167ed15e6fc41e874f8682b6df9c8f8215c07c836275.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43824" "*f27c3b271ad36896e22e411dea4c1c14d5ec75a232538c62099771ab7472765a*",".{0,1000}f27c3b271ad36896e22e411dea4c1c14d5ec75a232538c62099771ab7472765a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43830" 
"*f2915f5a3885391738923ecd18faf840074c65cd2e390e1474a4d84ce315b9ff*",".{0,1000}f2915f5a3885391738923ecd18faf840074c65cd2e390e1474a4d84ce315b9ff.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","43837" "*f2b2bb7385ee56d98659c4a0dbf42eca46227e10f92183a92934f4d96d523501*",".{0,1000}f2b2bb7385ee56d98659c4a0dbf42eca46227e10f92183a92934f4d96d523501.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43840" "*f2c9afa59d436b3f4bb9b9f63eaeebc4cd42c4013a8282a9a016b5d946eacd86*",".{0,1000}f2c9afa59d436b3f4bb9b9f63eaeebc4cd42c4013a8282a9a016b5d946eacd86.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43846" "*f2f4b7576e0e51425fa90f94f272d0163571f90a0ecb8549f8b97dbf89c5255f*",".{0,1000}f2f4b7576e0e51425fa90f94f272d0163571f90a0ecb8549f8b97dbf89c5255f.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple 
tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","43858" "*f2f60fc62c1507491273e15d901ebec40a1c45423308074adc5fdb0ef4494724*",".{0,1000}f2f60fc62c1507491273e15d901ebec40a1c45423308074adc5fdb0ef4494724.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43859" "*f2f97e523f7f39ab24b30b0a046e59f5b5577452563fc615588dd53bd8c5097e*",".{0,1000}f2f97e523f7f39ab24b30b0a046e59f5b5577452563fc615588dd53bd8c5097e.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","43860" "*f2f9c488451676a58566f6daf2a8a1c85aea193abdc7d7241ef0e12675238bc9*",".{0,1000}f2f9c488451676a58566f6daf2a8a1c85aea193abdc7d7241ef0e12675238bc9.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43861" 
"*f2fd6676dba233df558278e6be42cd4c50a78a9c3f879db87acfc96607f41331*",".{0,1000}f2fd6676dba233df558278e6be42cd4c50a78a9c3f879db87acfc96607f41331.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","#filehash","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","43862" "*f300f69fe05b47e3b3e571a1fd83c7c0f7d69667d50a78ccbaa551bda3078169*",".{0,1000}f300f69fe05b47e3b3e571a1fd83c7c0f7d69667d50a78ccbaa551bda3078169.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43863" "*f30186ec0fef95b090c2771c3ccd2c2ea2c825e7e84219ec3d9c35fa0a513e4d*",".{0,1000}f30186ec0fef95b090c2771c3ccd2c2ea2c825e7e84219ec3d9c35fa0a513e4d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43864" 
"*f309dc9fddef92be50048234dab7ef0fbb0af6aae0567ae60459a8a35e8d36f6*",".{0,1000}f309dc9fddef92be50048234dab7ef0fbb0af6aae0567ae60459a8a35e8d36f6.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","43871" "*f3224bea461878342b1b6556e181dfe2010520f543d4059258e9ea9833f3b84f*",".{0,1000}f3224bea461878342b1b6556e181dfe2010520f543d4059258e9ea9833f3b84f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43872" "*f33781a369e97243d817cf060cb90accaa821a0c5b07c8bfd519977169d7607f*",".{0,1000}f33781a369e97243d817cf060cb90accaa821a0c5b07c8bfd519977169d7607f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43877" "*f33996eaa68e8a7a5f5a6156b44af666049769bd021979a6ffb9abb29b45ea2b*",".{0,1000}f33996eaa68e8a7a5f5a6156b44af666049769bd021979a6ffb9abb29b45ea2b.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","43878" "*f36b371ac6f48895384d78dc53d83daaf59d6f7086d5cb9ce7c74ba60ab81a0b*",".{0,1000}f36b371ac6f48895384d78dc53d83daaf59d6f7086d5cb9ce7c74ba60ab81a0b.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43889" "*f3863ef3fcbcc0aa0ca00c6bf1c099be9470df360751912db5c9021d3e549d10*",".{0,1000}f3863ef3fcbcc0aa0ca00c6bf1c099be9470df360751912db5c9021d3e549d10.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43893" 
"*f38fg.tunnelmole.net*",".{0,1000}f38fg\.tunnelmole\.net.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","43896" "*f39f10c0867a52eb9e4d2adf0bfa821993c950feca35437e84d274fba00bc595*",".{0,1000}f39f10c0867a52eb9e4d2adf0bfa821993c950feca35437e84d274fba00bc595.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43899" "*f3c09c7cc731000a762f816214dcbe8936eb470992d8c04c1439d436c09f26ac*",".{0,1000}f3c09c7cc731000a762f816214dcbe8936eb470992d8c04c1439d436c09f26ac.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43913" "*f3c40d7fc7a91a57e7689ada1c1b6b7167f4a740bb2124ea1c3a75d0bde8030b*",".{0,1000}f3c40d7fc7a91a57e7689ada1c1b6b7167f4a740bb2124ea1c3a75d0bde8030b.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43914" "*f3cb648c848b10ea67fe776ed08f1de7258d3e3e4f1b9a5779ecd500de9e9dd0*",".{0,1000}f3cb648c848b10ea67fe776ed08f1de7258d3e3e4f1b9a5779ecd500de9e9dd0.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you 
bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","43918" "*f3d5d5dfe286aab5d5c0a7911ddc14ef414c26869f47197a8a3a15b4e6e716ad*",".{0,1000}f3d5d5dfe286aab5d5c0a7911ddc14ef414c26869f47197a8a3a15b4e6e716ad.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43919" "*f3e721ec6af65f742acb17dee34eb3685a83880269eb6552351427346b4027f9*",".{0,1000}f3e721ec6af65f742acb17dee34eb3685a83880269eb6552351427346b4027f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43922" 
"*f3f224ecc4dc019bc4c93de49c408db2be3b73fb62eb9aebbe1fe2715ee98547*",".{0,1000}f3f224ecc4dc019bc4c93de49c408db2be3b73fb62eb9aebbe1fe2715ee98547.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","43925" "*f3f3cc358d84f4adca20bf1ba7a0a08d733d54cfd6a62276b7b465a58902bf99*",".{0,1000}f3f3cc358d84f4adca20bf1ba7a0a08d733d54cfd6a62276b7b465a58902bf99.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43926" "*f402294bb18473a6dc22baec0c86e635cd2bc0423cb10026b5cbf9d6efcc698d*",".{0,1000}f402294bb18473a6dc22baec0c86e635cd2bc0423cb10026b5cbf9d6efcc698d.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","43931" "*f406a3f05847268c14ec391457680b2fc6372d5e506c153de5dabe8268751480*",".{0,1000}f406a3f05847268c14ec391457680b2fc6372d5e506c153de5dabe8268751480.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43933" 
"*f410d7494e1e07669dcd4bb02b08f5b79720f7b11522e7dac064d2336800fb00*",".{0,1000}f410d7494e1e07669dcd4bb02b08f5b79720f7b11522e7dac064d2336800fb00.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","43936" "*f415f14b5c1f88971cfd80555ba1a0c77a437401a7bd623a616261b7985ac5c2*",".{0,1000}f415f14b5c1f88971cfd80555ba1a0c77a437401a7bd623a616261b7985ac5c2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43937" "*f42dc28b48ba4a85f8127ccf118136aae48407eeee8c22a640d2d3ae755184d9*",".{0,1000}f42dc28b48ba4a85f8127ccf118136aae48407eeee8c22a640d2d3ae755184d9.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","43944" "*f430a8069d7fac26e93994f8d89419e5285acbc0fb4514c89f427a070614af2e*",".{0,1000}f430a8069d7fac26e93994f8d89419e5285acbc0fb4514c89f427a070614af2e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43946" "*f43398d585caae28761b340c083216b2dda0898667161c5a43f587cea8b7f799*",".{0,1000}f43398d585caae28761b340c083216b2dda0898667161c5a43f587cea8b7f799.{0,1000}","greyware_tool_keyword","rathole"," 
expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43947" "*f44a9e93bc06742004f0b5c74b00cf0689b4890b903803c338ef80b9fd69c173*",".{0,1000}f44a9e93bc06742004f0b5c74b00cf0689b4890b903803c338ef80b9fd69c173.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43953" "*f453fb377dc017d4c2a83a223cf61ede4953bf89d6296fd245908a9957972dcb*",".{0,1000}f453fb377dc017d4c2a83a223cf61ede4953bf89d6296fd245908a9957972dcb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43958" "*f465bc43be0dc450fe44f103d45ca3720918aec4925440eea06e7607c1937f24*",".{0,1000}f465bc43be0dc450fe44f103d45ca3720918aec4925440eea06e7607c1937f24.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - 
Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43963" "*f467c57b696a4f23fb1655091ee0af941318960d53fb94bacc4e9162585f4a0e*",".{0,1000}f467c57b696a4f23fb1655091ee0af941318960d53fb94bacc4e9162585f4a0e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","43964" "*f47d36b9cf879546d44f0efd0fe2e4c1fcd75a13f4d7eb3fb8e40296a1f333b2*",".{0,1000}f47d36b9cf879546d44f0efd0fe2e4c1fcd75a13f4d7eb3fb8e40296a1f333b2.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","43967" "*f48343180d92f8780323d45addd6ddfae8d496fa31b1c9abebd8e543db544443*",".{0,1000}f48343180d92f8780323d45addd6ddfae8d496fa31b1c9abebd8e543db544443.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","43970" 
"*f491b3d7eb2aff7cf06a5bd139c21a12896274ddbc44ff3a4559fcb145509b2d*",".{0,1000}f491b3d7eb2aff7cf06a5bd139c21a12896274ddbc44ff3a4559fcb145509b2d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43976" "*f49cb11065c2dec1020f64d0399e65f03b75ae1cea405bfaff4ae7d045d60bdb*",".{0,1000}f49cb11065c2dec1020f64d0399e65f03b75ae1cea405bfaff4ae7d045d60bdb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43978" "*f4a0d07aa0dd0cb020a0d3273a615107ddb15ca8264577ac4c22e41cad47a2c2*",".{0,1000}f4a0d07aa0dd0cb020a0d3273a615107ddb15ca8264577ac4c22e41cad47a2c2.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","43979" "*f4b8d0559597ff7ae16378dc947c137a855d7198fb2357f19d2fe78c1fc7eb03*",".{0,1000}f4b8d0559597ff7ae16378dc947c137a855d7198fb2357f19d2fe78c1fc7eb03.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","43982" "*f4be7647922d6d458692d149c3aec12c3ecd84ed97761dd5478b1e10cbb94d7e*",".{0,1000}f4be7647922d6d458692d149c3aec12c3ecd84ed97761dd5478b1e10cbb94d7e.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","43983" "*f4c231ebe0140f82fe4b1528171c9fe0cb754ed803729681e2187adc68d9accb*",".{0,1000}f4c231ebe0140f82fe4b1528171c9fe0cb754ed803729681e2187adc68d9accb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","43984" 
"*f4cb27fb222cdd87a30674270614adfd0aa8350034a8bdbc50fc1967c0f0cb66*",".{0,1000}f4cb27fb222cdd87a30674270614adfd0aa8350034a8bdbc50fc1967c0f0cb66.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","43987" "*f4e95340caf77ecf01f0b73c8d2941ff56fcbd908722a827db9bc8931ead693c*",".{0,1000}f4e95340caf77ecf01f0b73c8d2941ff56fcbd908722a827db9bc8931ead693c.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","43993" "*f4f31a262a9a63438734a81d89462898a082278a49a41bed2f39792a6b3dbcc5*",".{0,1000}f4f31a262a9a63438734a81d89462898a082278a49a41bed2f39792a6b3dbcc5.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","43998" "*f4fc57d8f4a00945dda67548d12bb77bc69bf24c45b8a724a63e83274d0eca2c*",".{0,1000}f4fc57d8f4a00945dda67548d12bb77bc69bf24c45b8a724a63e83274d0eca2c.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","44000" "*f5031cd5e3b444296ef19016555560b69b8f9b54defbbd7e8202b9ef86510d4b*",".{0,1000}f5031cd5e3b444296ef19016555560b69b8f9b54defbbd7e8202b9ef86510d4b.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44003" "*f50558fb674a98d8604fde66d6a8103e533dc480efa6b12234ed4e5ce76adaf5*",".{0,1000}f50558fb674a98d8604fde66d6a8103e533dc480efa6b12234ed4e5ce76adaf5.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44005" "*f52084516dff0a54b9cb0d8c8ab961db1154ceb43261257e7ea4e57cef4c1991*",".{0,1000}f52084516dff0a54b9cb0d8c8ab961db1154ceb43261257e7ea4e57cef4c1991.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44008" 
"*f522b356e994e001db129e2dc3f813d23b09327c623a567593cbe9dd4e130ac1*",".{0,1000}f522b356e994e001db129e2dc3f813d23b09327c623a567593cbe9dd4e130ac1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44010" "*f53253575b70dfd206586899b6de357f5288ddfae0e4bbc54f7804f01719cb76*",".{0,1000}f53253575b70dfd206586899b6de357f5288ddfae0e4bbc54f7804f01719cb76.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44011" "*f532a0fdd90fd1747a13717096109301033812119f9c17415ac4ac531804a021*",".{0,1000}f532a0fdd90fd1747a13717096109301033812119f9c17415ac4ac531804a021.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44012" "*f53753cf2f3d9f2200ae3b959299cbe1153851c534ce19f54daf281fc9238f69*",".{0,1000}f53753cf2f3d9f2200ae3b959299cbe1153851c534ce19f54daf281fc9238f69.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - 
TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44013" "*f539a912a343577e71d35d86545f573acf3050ab197de9d73bb789ca7634aeee*",".{0,1000}f539a912a343577e71d35d86545f573acf3050ab197de9d73bb789ca7634aeee.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44014" "*f559e774c91f1201ffddba74d5758dec8342ad2b50a3bcd735ccb0c88839045c*",".{0,1000}f559e774c91f1201ffddba74d5758dec8342ad2b50a3bcd735ccb0c88839045c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44023" "*f56461c7a75839fa5ab3f8be2988f9f5d57c8121c4d7c31e17d2d3a7447d2a7d*",".{0,1000}f56461c7a75839fa5ab3f8be2988f9f5d57c8121c4d7c31e17d2d3a7447d2a7d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44026" 
"*f57034e42cba38366cfc0a304f16b1c1412419e322560d589d6b896312acde7f*",".{0,1000}f57034e42cba38366cfc0a304f16b1c1412419e322560d589d6b896312acde7f.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44030" "*f5793c201602a3619cac14d31d0356d058d8128b13027b1e64073dd029193614*",".{0,1000}f5793c201602a3619cac14d31d0356d058d8128b13027b1e64073dd029193614.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","44035" "*f5acd6dd3812f30ed6a2a2a864231563a962d4ff09c64d21be106db6f8806af8*",".{0,1000}f5acd6dd3812f30ed6a2a2a864231563a962d4ff09c64d21be106db6f8806af8.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44049" "*f5b42d933cea4d53aa975039de0cb1053287fac5ce4377d2afb663e26a5d22dd*",".{0,1000}f5b42d933cea4d53aa975039de0cb1053287fac5ce4377d2afb663e26a5d22dd.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","#filehash","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","44050" "*f5bb1c3947c4cdf7ed4e4afd4f0a8eeffbc522cde8af5ed15a979b3f58ea2446*",".{0,1000}f5bb1c3947c4cdf7ed4e4afd4f0a8eeffbc522cde8af5ed15a979b3f58ea2446.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44057" "*f5c9543b4b7731b40ea5cb0ebbc655d631adc7f2eedcea1f913e3d4d96b51b44*",".{0,1000}f5c9543b4b7731b40ea5cb0ebbc655d631adc7f2eedcea1f913e3d4d96b51b44.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44060" "*f5cc9ce16100354271c7b385377053076c486cba84f21151a65721d24caecf09*",".{0,1000}f5cc9ce16100354271c7b385377053076c486cba84f21151a65721d24caecf09.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - 
Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","44062" "*f5d2887adeaa87f28d30174552b1ec976d302e7c804faa3e8ce74ddb0dda6c78*",".{0,1000}f5d2887adeaa87f28d30174552b1ec976d302e7c804faa3e8ce74ddb0dda6c78.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","44066" "*f5e53a8f6aa666cbbe9c0a0bebd9e0f1315e7e9f9348cb4a341602c14b2943f9*",".{0,1000}f5e53a8f6aa666cbbe9c0a0bebd9e0f1315e7e9f9348cb4a341602c14b2943f9.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44068" "*f5ebf3d481f604a7f5d301034f7868eb02bf07545dc2a3eccd755ca49356684f*",".{0,1000}f5ebf3d481f604a7f5d301034f7868eb02bf07545dc2a3eccd755ca49356684f.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","44071" "*f5f1aeff01f602aca4aa2da893395b2ae6552325e46ffe31c267ae5494558c8e*",".{0,1000}f5f1aeff01f602aca4aa2da893395b2ae6552325e46ffe31c267ae5494558c8e.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#filehash","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","44074" "*f606f2a59706479d9cab36d16b9c241e204edb46540c92333521872dfcda025f*",".{0,1000}f606f2a59706479d9cab36d16b9c241e204edb46540c92333521872dfcda025f.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","0","#filehash","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","44079" "*F60CD6D5-4B1C-4293-829E-9C10D21AE8A3*",".{0,1000}F60CD6D5\-4B1C\-4293\-829E\-9C10D21AE8A3.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","#GUIDproject","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","44081" "*f634ab00dba3e7f2b6928ca0a689800856cd93c325d64610bcbcb31f4f8579ac*",".{0,1000}f634ab00dba3e7f2b6928ca0a689800856cd93c325d64610bcbcb31f4f8579ac.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44091" 
"*f6363909101b64b4aeea40fcd365e4d71e70a5f01bf980670309a5650bbd9254*",".{0,1000}f6363909101b64b4aeea40fcd365e4d71e70a5f01bf980670309a5650bbd9254.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44093" "*f63a9a1bff8841613c2f8c0ba7582631b89f4ee7cb0d03b59daa806a8a79ccd5*",".{0,1000}f63a9a1bff8841613c2f8c0ba7582631b89f4ee7cb0d03b59daa806a8a79ccd5.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44095" "*f64064f35b2c464cb20fdcb70a8aa73856b6a8af65acd5be8d58b79df9889c1c*",".{0,1000}f64064f35b2c464cb20fdcb70a8aa73856b6a8af65acd5be8d58b79df9889c1c.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","44098" "*f644cc4d5e23d896721d1eb59057a5b42d57676ffd7c81bd67b9c33d7db3e4f2*",".{0,1000}f644cc4d5e23d896721d1eb59057a5b42d57676ffd7c81bd67b9c33d7db3e4f2.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44099" "*f64a03af886034ad8380631ef1d65728175f5af79674af39c29978a86c181c7a*",".{0,1000}f64a03af886034ad8380631ef1d65728175f5af79674af39c29978a86c181c7a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44100" "*f650e73547f22ce8b7503d31f62d2f8426c5734e5b25074d08527e50f74b0bdb*",".{0,1000}f650e73547f22ce8b7503d31f62d2f8426c5734e5b25074d08527e50f74b0bdb.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","44101" "*f651da5ff95943ad8da00b2d48b88c607c1df47f2ba80b68e7dc76a9537c2e5d*",".{0,1000}f651da5ff95943ad8da00b2d48b88c607c1df47f2ba80b68e7dc76a9537c2e5d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44102" 
"*f6698805a88849bb42be528ad3ac4bbae0841172c67ec49e041b421ddf5261fc*",".{0,1000}f6698805a88849bb42be528ad3ac4bbae0841172c67ec49e041b421ddf5261fc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44106" "*f669e3b5a2053c74212d0c6f932651dd02fb5c4f5483061999855180b8257fa8*",".{0,1000}f669e3b5a2053c74212d0c6f932651dd02fb5c4f5483061999855180b8257fa8.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44107" "*f66e099b3dfc1bfa8fbbcbc04eaae20961e1b27fbb3994305d3dc7251a88da69*",".{0,1000}f66e099b3dfc1bfa8fbbcbc04eaae20961e1b27fbb3994305d3dc7251a88da69.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44108" "*f681c61359c401aaad1cfd8b0e884a91f59499cb1347a42d9f4d4285e722dc29*",".{0,1000}f681c61359c401aaad1cfd8b0e884a91f59499cb1347a42d9f4d4285e722dc29.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - 
T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","44115" "*f6b2697a2c40fee8c1aeac7133b205797cf4d877500e96951199c06422a66e33*",".{0,1000}f6b2697a2c40fee8c1aeac7133b205797cf4d877500e96951199c06422a66e33.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44122" "*f6b7b1c1dcdd6609fdee89557038818bae31850094b18614529e080383b8c5f4*",".{0,1000}f6b7b1c1dcdd6609fdee89557038818bae31850094b18614529e080383b8c5f4.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44123" "*f6b96c46d8395d08ae91d5a19d55f8c9f19d512207612a89ca4c79df0c2f3c5d*",".{0,1000}f6b96c46d8395d08ae91d5a19d55f8c9f19d512207612a89ca4c79df0c2f3c5d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44124" "*f6c0fbaa3c9181db206d10a474c7c977ce274cf8ff7f7b170e5651a00d283c68*",".{0,1000}f6c0fbaa3c9181db206d10a474c7c977ce274cf8ff7f7b170e5651a00d283c68.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44128" "*f6c2a3ad0c251e7a5c109c6a60127c8e90506d8b71e78598c6a449c7f5c24659*",".{0,1000}f6c2a3ad0c251e7a5c109c6a60127c8e90506d8b71e78598c6a449c7f5c24659.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","44129" "*f6d1b2d7477475ce681bdce8cb56f7870f174cb6b2a9ac5d7b3764296ea4a113*",".{0,1000}f6d1b2d7477475ce681bdce8cb56f7870f174cb6b2a9ac5d7b3764296ea4a113.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44130" "*f6d9c3345d2a1b88d31fd25eeedcf6947ac3e1ca5a693439894ef3c2bb2669f2*",".{0,1000}f6d9c3345d2a1b88d31fd25eeedcf6947ac3e1ca5a693439894ef3c2bb2669f2.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44131" 
"*f6e06ec835c02ff1f08cc12c77b067bce8eddd96b9015cefef250353c89e1fbd*",".{0,1000}f6e06ec835c02ff1f08cc12c77b067bce8eddd96b9015cefef250353c89e1fbd.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#filehash","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","44133" "*f6e25c33ec23c5d6864468e4839076fa3f6613f67763f054df545a2fbf58828e*",".{0,1000}f6e25c33ec23c5d6864468e4839076fa3f6613f67763f054df545a2fbf58828e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44137" "*f6eec625f705a1e3715769770854ee3a7a746daf7c74f642fca3e5ac56cad624*",".{0,1000}f6eec625f705a1e3715769770854ee3a7a746daf7c74f642fca3e5ac56cad624.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44140" "*f71e8c4887a42cff058f46f270cc2c142ba2fdb4b714fd6c65e44a0ed09e2433*",".{0,1000}f71e8c4887a42cff058f46f270cc2c142ba2fdb4b714fd6c65e44a0ed09e2433.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 
- T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#filehash","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","44149" "*f72512b574d5155acb3a654dabc9344738151586950367fb1153e8f0ba699d6f*",".{0,1000}f72512b574d5155acb3a654dabc9344738151586950367fb1153e8f0ba699d6f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44151" "*f73c23848da2b41e6fc17bb89bddfe8910a61356ab677f8abc2c77bce44960bb*",".{0,1000}f73c23848da2b41e6fc17bb89bddfe8910a61356ab677f8abc2c77bce44960bb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44158" 
"*f77af8dc5c2df9249cf89a4feaa8ac210051c22ec74e0eb89a947c049b53c494*",".{0,1000}f77af8dc5c2df9249cf89a4feaa8ac210051c22ec74e0eb89a947c049b53c494.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44171" "*f79ba243876f4949ebc917025c9c97c71297aefb3fb0ebad1aa1d0a9b1f54e58*",".{0,1000}f79ba243876f4949ebc917025c9c97c71297aefb3fb0ebad1aa1d0a9b1f54e58.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44178" "*f79bf7ee90db6c16f7032a289e49ec0ba08d50f77d35ce78432daeb62a2ffd74*",".{0,1000}f79bf7ee90db6c16f7032a289e49ec0ba08d50f77d35ce78432daeb62a2ffd74.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - 
T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","44179" "*f7a9240b781a22fc573a4780da8dadaa761853d1247f21b9306083962e0197d0*",".{0,1000}f7a9240b781a22fc573a4780da8dadaa761853d1247f21b9306083962e0197d0.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44181" "*f7b6475de06cdecd9b187a735bb3f960fa56bc12c7205225e0550dd7a7814a34*",".{0,1000}f7b6475de06cdecd9b187a735bb3f960fa56bc12c7205225e0550dd7a7814a34.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","44184" "*f7bb32eb31cc17a691592f1944f8293b247833f39703e7521f92ca230bb6c220*",".{0,1000}f7bb32eb31cc17a691592f1944f8293b247833f39703e7521f92ca230bb6c220.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44185" "*f7c1d9613d4f4a7d5cc193f7a52c83aa3be1abf466de9ef0a9e2b2faaa846a69*",".{0,1000}f7c1d9613d4f4a7d5cc193f7a52c83aa3be1abf466de9ef0a9e2b2faaa846a69.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - 
TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","44186" "*f7f52607771ce2dddde694ebeced6e2dc438a29c8b87cfb93f125db4e968107c*",".{0,1000}f7f52607771ce2dddde694ebeced6e2dc438a29c8b87cfb93f125db4e968107c.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44190" "*f7f76812fa26ca390029216d1378e5504f18ba5dde790878dfaa84afef29bda7*",".{0,1000}f7f76812fa26ca390029216d1378e5504f18ba5dde790878dfaa84afef29bda7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44191" "*f7fcde269f7db9393f6e548fa4c0507f7a76b8a9a44caf34a69f7901463be977*",".{0,1000}f7fcde269f7db9393f6e548fa4c0507f7a76b8a9a44caf34a69f7901463be977.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","44194" "*f800aa3832f7f6026d8bcb866ffd08a791ff0fee061520a9759549a0ea63d0e0*",".{0,1000}f800aa3832f7f6026d8bcb866ffd08a791ff0fee061520a9759549a0ea63d0e0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44197" "*f813c9c83c7dabb18c93222073f548d1b7bb39d5ed580011cebc9fb34ea3060c*",".{0,1000}f813c9c83c7dabb18c93222073f548d1b7bb39d5ed580011cebc9fb34ea3060c.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","44206" "*f815e34b79e1357b7defc86d467077293f56b4cac373394c01a66adabacf3350*",".{0,1000}f815e34b79e1357b7defc86d467077293f56b4cac373394c01a66adabacf3350.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","44207" "*f818778b135d3b0ca9710992e13b7e06458fcde3aa914b60907aeca7ac84bb5e*",".{0,1000}f818778b135d3b0ca9710992e13b7e06458fcde3aa914b60907aeca7ac84bb5e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44209" "*f830d20d4677677a10833cee5fbfa7717d8b2d90a5ddc1fc0153426aa7267ec0*",".{0,1000}f830d20d4677677a10833cee5fbfa7717d8b2d90a5ddc1fc0153426aa7267ec0.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - 
TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","44216" "*f839c9b6fcec3e97ee042604a00edddda9262985a6768a4e16f4dac8eb8d8238*",".{0,1000}f839c9b6fcec3e97ee042604a00edddda9262985a6768a4e16f4dac8eb8d8238.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44220" "*f84ef28bd00757a3e609bddd4e1267d8d0adbc25d3014bf291f3924139900c65*",".{0,1000}f84ef28bd00757a3e609bddd4e1267d8d0adbc25d3014bf291f3924139900c65.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44225" "*f865ac0b99a90f54ce67bbabb2e57226a5c61f58e7a867598a3d54fdfee895ee*",".{0,1000}f865ac0b99a90f54ce67bbabb2e57226a5c61f58e7a867598a3d54fdfee895ee.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. 
You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","44230" "*f88594bcfa2a01e4a0fe763fed3bf2908181bc16898a001a3d77614fbe727e4a*",".{0,1000}f88594bcfa2a01e4a0fe763fed3bf2908181bc16898a001a3d77614fbe727e4a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44236" "*f889e16f7550565628be5da507bbf33ab1fca61ab3541015fbb7a120a3a9cc29*",".{0,1000}f889e16f7550565628be5da507bbf33ab1fca61ab3541015fbb7a120a3a9cc29.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44239" "*f891dc701c6d272cbc51bc2975a80e42f80d814f23cda2e9d9c1c005ec216529*",".{0,1000}f891dc701c6d272cbc51bc2975a80e42f80d814f23cda2e9d9c1c005ec216529.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER 
BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44242" "*f89767fcf6419e6fc43d055cee054aeac776cbe6b71260d63fd1329e77351dea*",".{0,1000}f89767fcf6419e6fc43d055cee054aeac776cbe6b71260d63fd1329e77351dea.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44244" "*f8a6470914148f0fc254ea773d4dfc870b1324953165fb619b2cac985418ab06*",".{0,1000}f8a6470914148f0fc254ea773d4dfc870b1324953165fb619b2cac985418ab06.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44248" "*f8b07aca7e3ee0d4b39c779d9846224921f1f95afbf8e753cd90b9908a463ae4*",".{0,1000}f8b07aca7e3ee0d4b39c779d9846224921f1f95afbf8e753cd90b9908a463ae4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - 
Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44252" "*f8b3dcc1c49da62b5302c64901e03eb6f15f0904fdf24e795bd8545e32d31604*",".{0,1000}f8b3dcc1c49da62b5302c64901e03eb6f15f0904fdf24e795bd8545e32d31604.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","44253" "*f8b9c30d3cef82aebdf5dfce8ba7d6a4943a4b51ef64223b59c5241e3023d8e5*",".{0,1000}f8b9c30d3cef82aebdf5dfce8ba7d6a4943a4b51ef64223b59c5241e3023d8e5.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44254" "*f8c6eec28f90ec093e1b22cebe727abd2d408015f19944c9f2fea68d79a85673*",".{0,1000}f8c6eec28f90ec093e1b22cebe727abd2d408015f19944c9f2fea68d79a85673.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","44258" 
"*f8d92121ac270672a940549d33b12b35414ddc844de5a56874b567bccd607b94*",".{0,1000}f8d92121ac270672a940549d33b12b35414ddc844de5a56874b567bccd607b94.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44262" "*f8da6811a00fd70fbd31ba8532cab47c95d53e675582364cf5d6fb9d484977bc*",".{0,1000}f8da6811a00fd70fbd31ba8532cab47c95d53e675582364cf5d6fb9d484977bc.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44263" "*f8def6c6c62783ce0b607d4bb55089b8083f052e1b2da4db1708dd494964b123*",".{0,1000}f8def6c6c62783ce0b607d4bb55089b8083f052e1b2da4db1708dd494964b123.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44265" "*f8f06d08c202c37b3d6ba70e0ad208e64d8673fbf6031e850dfc6d673cce6e44*",".{0,1000}f8f06d08c202c37b3d6ba70e0ad208e64d8673fbf6031e850dfc6d673cce6e44.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44268" 
"*f8fab0f7fdafeea49e8d33a69185144d1116fe95ec89ce8b0ae7ad7cab21c70e*",".{0,1000}f8fab0f7fdafeea49e8d33a69185144d1116fe95ec89ce8b0ae7ad7cab21c70e.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44271" "*f90226225d8c33b99efb6901942b695ca8e75d68a0ccf6000c1f0857b1b39251*",".{0,1000}f90226225d8c33b99efb6901942b695ca8e75d68a0ccf6000c1f0857b1b39251.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","0","#filehash","N/A","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","44274" "*f905a60a79e8e34f9a747703c5a34aacd35ef8fe07cef2dd4caf2f2f332f419e*",".{0,1000}f905a60a79e8e34f9a747703c5a34aacd35ef8fe07cef2dd4caf2f2f332f419e.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44275" "*f9432ce52449b2bf1d0b92046f1ea0dde1f306740533888c2ff3f190f10be1c2*",".{0,1000}f9432ce52449b2bf1d0b92046f1ea0dde1f306740533888c2ff3f190f10be1c2.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44290" 
"*f94f319c486b649d30eb85b15790e83661e6d06f66e7cbf13a73c4d365e8b5c9*",".{0,1000}f94f319c486b649d30eb85b15790e83661e6d06f66e7cbf13a73c4d365e8b5c9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44294" "*f955157646e94bed38b8e4d6ce6df58489eeb89ebf0d44ffe03b3c4902dc5d4e*",".{0,1000}f955157646e94bed38b8e4d6ce6df58489eeb89ebf0d44ffe03b3c4902dc5d4e.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","#filehash","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","44296" "*f97e0834c7389f6b8a911b82617e0b4f0f054764f34661b3cb2be89b8719bedb*",".{0,1000}f97e0834c7389f6b8a911b82617e0b4f0f054764f34661b3cb2be89b8719bedb.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44304" "*f99653446a9eb4dbc8bb2bcbef659f8fe2af69d5ad9319eaba68c394cb1c2b06*",".{0,1000}f99653446a9eb4dbc8bb2bcbef659f8fe2af69d5ad9319eaba68c394cb1c2b06.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44309" "*f99a0080be86f97331ea300f2a4f448097c5ae39100b15202c89fc91024b215e*",".{0,1000}f99a0080be86f97331ea300f2a4f448097c5ae39100b15202c89fc91024b215e.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","#filehash","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","44310" "*f9a82873a1e55bb1b5b8b8781b06799ff665464cff8ce77e07474c089123b643*",".{0,1000}f9a82873a1e55bb1b5b8b8781b06799ff665464cff8ce77e07474c089123b643.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","44313" "*f9ac9d3510fb8c2a50b03605454263af27cf68ef4f27458c03b12607a0f8ebd3*",".{0,1000}f9ac9d3510fb8c2a50b03605454263af27cf68ef4f27458c03b12607a0f8ebd3.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential 
Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#filehash","N/A","10","10","N/A","N/A","N/A","N/A","44314" "*f9ad4d91c181da2968ccdecb5238bf872f824fe1e40253f3347c4025192f19c9*",".{0,1000}f9ad4d91c181da2968ccdecb5238bf872f824fe1e40253f3347c4025192f19c9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44315" "*f9b0e8b9bdc130652b4ec4c86a9c2d03dc85bd2057401970ff34cb5284581b90*",".{0,1000}f9b0e8b9bdc130652b4ec4c86a9c2d03dc85bd2057401970ff34cb5284581b90.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44316" "*f9c6ad68a9e3903d1689cd85e84f00aa892a9e98b368a9f062599da9d2cb4967*",".{0,1000}f9c6ad68a9e3903d1689cd85e84f00aa892a9e98b368a9f062599da9d2cb4967.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44323" "*f9c6e9fef6d2fd03cb701bd047dcb58c0949f13af975b081346cb14afad8c2aa*",".{0,1000}f9c6e9fef6d2fd03cb701bd047dcb58c0949f13af975b081346cb14afad8c2aa.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://github.com/netwrix/pingcastle","1","0","#filehash","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","44324" "*f9d54726a0c5ad3cfb56945dd52fd50252afce25700d0156ab37c3cfa05a25a2*",".{0,1000}f9d54726a0c5ad3cfb56945dd52fd50252afce25700d0156ab37c3cfa05a25a2.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","44325" "*f9ddbf1047c9a2e24310e5dc68508504c69e037e47c624f32b4d25ff8b30ed87*",".{0,1000}f9ddbf1047c9a2e24310e5dc68508504c69e037e47c624f32b4d25ff8b30ed87.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","44328" "*f9ec1153b825b2a9bdb5bc59df82bfb08b7b85fe371c591f37c6748957378591*",".{0,1000}f9ec1153b825b2a9bdb5bc59df82bfb08b7b85fe371c591f37c6748957378591.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","#filehash","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","44332" "*f9f02edbb1ce8805f22db9c97cf582d93bffe67fd4fbdddd67ebef132a8f46e8*",".{0,1000}f9f02edbb1ce8805f22db9c97cf582d93bffe67fd4fbdddd67ebef132a8f46e8.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44336" "*fa038acf7cd53cad4e1e6aef7d73a7a2c4eafff9fd344db05ff725884166e58c*",".{0,1000}fa038acf7cd53cad4e1e6aef7d73a7a2c4eafff9fd344db05ff725884166e58c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44340" "*fa1883bb377e2154c9dc766235f92612b8187ce2121f5ba3c3da28f1ebe6de63*",".{0,1000}fa1883bb377e2154c9dc766235f92612b8187ce2121f5ba3c3da28f1ebe6de63.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44345" "*fa18e2f164d48c4f7cb6fe138e8a4fae1cc0e02274d81f8647d0b7bf41c12dfc*",".{0,1000}fa18e2f164d48c4f7cb6fe138e8a4fae1cc0e02274d81f8647d0b7bf41c12dfc.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44346" 
"*fa2f44b31d65e2b907ad9a3e1ddf95d9aac53905b53ff2bfeb178a7746b0cafe*",".{0,1000}fa2f44b31d65e2b907ad9a3e1ddf95d9aac53905b53ff2bfeb178a7746b0cafe.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","44354" "*fa4a6fc63d86f8f1faa7c103a845e4715ce79a048455c0eec897b27237576564*",".{0,1000}fa4a6fc63d86f8f1faa7c103a845e4715ce79a048455c0eec897b27237576564.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44360" "*fa4cdff048c350043700888dcb50a6a5fa1e1dcfd24a86b1942b0d378912e0a4*",".{0,1000}fa4cdff048c350043700888dcb50a6a5fa1e1dcfd24a86b1942b0d378912e0a4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44361" "*fa6fe18df0631bb7bd24068d6da47b6e4154ff339c3ae6b3c49ff1894c47f3f3*",".{0,1000}fa6fe18df0631bb7bd24068d6da47b6e4154ff339c3ae6b3c49ff1894c47f3f3.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44365" 
"*fa869b8bf026b209ea57d4f49769e3f49daa3e04b8e1ebcda7d9b281850d5eb8*",".{0,1000}fa869b8bf026b209ea57d4f49769e3f49daa3e04b8e1ebcda7d9b281850d5eb8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44371" "*fa97d200632ae98bce658b921c12db494ad1619223831849665a160d98ed541f*",".{0,1000}fa97d200632ae98bce658b921c12db494ad1619223831849665a160d98ed541f.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","44377" "*faa846645677d0e4da5812851326f4f18b7310d53edd380ed93165099395e4c7*",".{0,1000}faa846645677d0e4da5812851326f4f18b7310d53edd380ed93165099395e4c7.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44382" 
"*fab5259a197e5b76e1180ac973b7374e8e1e6bd4eaab3cc33ff03efbb3665b30*",".{0,1000}fab5259a197e5b76e1180ac973b7374e8e1e6bd4eaab3cc33ff03efbb3665b30.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44386" "*fad3cc619183bbb7d6dce8589518a61f9f869a174d8b98da06a767374c2abffd*",".{0,1000}fad3cc619183bbb7d6dce8589518a61f9f869a174d8b98da06a767374c2abffd.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44390" "*fad409fc082d2967d1871ea683c569c17fede1264abf8c9548b389725ca93ad8*",".{0,1000}fad409fc082d2967d1871ea683c569c17fede1264abf8c9548b389725ca93ad8.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - 
TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44391" "*fad42d5e34aab145ea9f1a1f6ecf034a0b40a1a7ad7b31be6f005d0c07e13657*",".{0,1000}fad42d5e34aab145ea9f1a1f6ecf034a0b40a1a7ad7b31be6f005d0c07e13657.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44392" "*fad80718fa8c22e80365bf7d50ea9008f8afbf26b6c6d18d8d4a217eedf5b5ff*",".{0,1000}fad80718fa8c22e80365bf7d50ea9008f8afbf26b6c6d18d8d4a217eedf5b5ff.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44395" 
"*fae6c0677a8dedaff4687729151773fb6ce36a738eb1e18957b4236830b8d3e1*",".{0,1000}fae6c0677a8dedaff4687729151773fb6ce36a738eb1e18957b4236830b8d3e1.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44400" "*FAECC814-3F3F-4CA0-8C2B-72D5E4670B92*",".{0,1000}FAECC814\-3F3F\-4CA0\-8C2B\-72D5E4670B92.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#GUIDproject","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44402" "*faf0cd20f1e4b41c20282c9dff56846dad7825496ec0405ba0295d084ae591e0*",".{0,1000}faf0cd20f1e4b41c20282c9dff56846dad7825496ec0405ba0295d084ae591e0.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44403" "*faf8cbecf71ca34708fbd7cfdbda9ca81476a29f7dd8f58e1e35bc64b58e8528*",".{0,1000}faf8cbecf71ca34708fbd7cfdbda9ca81476a29f7dd8f58e1e35bc64b58e8528.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44406" "*Failed to run the pingpong server for testing: *",".{0,1000}Failed\sto\srun\sthe\spingpong\sserver\sfor\stesting\:\s.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44420" "*fasmide/remotemoe*",".{0,1000}fasmide\/remotemoe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","44459" "*fatal: buffer_get_string: bad string*",".{0,1000}fatal\:\sbuffer_get_string\:\sbad\sstring.{0,1000}","greyware_tool_keyword","ssh","Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts","T1071.004 - T1078.004","TA0011 - TA0006","N/A","N/A","Exploitation 
tool","https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","4692","1051","2025-01-22T01:58:36Z","2013-09-17T17:07:58Z","44464" "*fatedier/frp*",".{0,1000}fatedier\/frp.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44465" "*fb08b2b7c991ade4019a561f9bb75683b8d0daa45226efbc9937639775977203*",".{0,1000}fb08b2b7c991ade4019a561f9bb75683b8d0daa45226efbc9937639775977203.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44467" "*fb10885853b0c5f6a0cb0bc0e5998c430d99ffcb9a5bda1fd03cefe9f3028f7a*",".{0,1000}fb10885853b0c5f6a0cb0bc0e5998c430d99ffcb9a5bda1fd03cefe9f3028f7a.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","44470" 
"*fb247979bf026b6bd237c5db68af0de9269fcd921d8f2c2bc8920273a5a4a930*",".{0,1000}fb247979bf026b6bd237c5db68af0de9269fcd921d8f2c2bc8920273a5a4a930.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44474" "*fb2ea158fa75ca32d03110407cf7ef8f35e2191cff9f23464e783513d1561902*",".{0,1000}fb2ea158fa75ca32d03110407cf7ef8f35e2191cff9f23464e783513d1561902.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44475" "*fb39edddedbacd66c0d7a4ebad767bf2a7c5a995c465c66eb32f1c64b25e20c4*",".{0,1000}fb39edddedbacd66c0d7a4ebad767bf2a7c5a995c465c66eb32f1c64b25e20c4.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44480" "*fb45b07601cd1845509b61be66e2cb65ba43a915d2089c3a21351134b66a76de*",".{0,1000}fb45b07601cd1845509b61be66e2cb65ba43a915d2089c3a21351134b66a76de.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","44484" "*fb4d282f8d202006d682eef84a83757376c20929f62626e288a159d730fde3c9*",".{0,1000}fb4d282f8d202006d682eef84a83757376c20929f62626e288a159d730fde3c9.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#filehash","N/A","9","10","N/A","N/A","N/A","N/A","44487" "*fb540480308fe9d575f799632c7a655ac05f19d6cdb58f5e6ff62a11c7f2ef84*",".{0,1000}fb540480308fe9d575f799632c7a655ac05f19d6cdb58f5e6ff62a11c7f2ef84.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44488" "*fb5f40bd41ffd98ff11efcc9afe2f431699c372b8806df096d7270cd5eae06a5*",".{0,1000}fb5f40bd41ffd98ff11efcc9afe2f431699c372b8806df096d7270cd5eae06a5.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44491" "*fb616a4e84d740782560e7ab7ff8f05157a2302a5c273345a5cd83d5f5fead6a*",".{0,1000}fb616a4e84d740782560e7ab7ff8f05157a2302a5c273345a5cd83d5f5fead6a.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44492" "*fb75480462e81fe6c0d821641057d0534989a45452feb66851bf781e42e82ef5*",".{0,1000}fb75480462e81fe6c0d821641057d0534989a45452feb66851bf781e42e82ef5.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44495" "*fb7b8c3ce12ad16da65ad3f284d80ce4b80e2e7456da23b30b59266a9ed19e71*",".{0,1000}fb7b8c3ce12ad16da65ad3f284d80ce4b80e2e7456da23b30b59266a9ed19e71.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin 
- Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44497" "*fb87c3973cc69caad85bb39d56bcb5abfa11b3bb4772fe1edfd1ccef9c01d515*",".{0,1000}fb87c3973cc69caad85bb39d56bcb5abfa11b3bb4772fe1edfd1ccef9c01d515.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","44501" "*fb998e66174bc1cee14dff001bec28d4a43ad753885a95f25015d71db8ff39fb*",".{0,1000}fb998e66174bc1cee14dff001bec28d4a43ad753885a95f25015d71db8ff39fb.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44508" "*fba4a73655b53fa1c5e219689b6173d9b4044d5205308b2cd8a18c9a03356ad9*",".{0,1000}fba4a73655b53fa1c5e219689b6173d9b4044d5205308b2cd8a18c9a03356ad9.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","44511" 
"*fba5a24a43675925ac6a9ed3ce61aa854e843753daf54b160ed72350a7c2509f*",".{0,1000}fba5a24a43675925ac6a9ed3ce61aa854e843753daf54b160ed72350a7c2509f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44512" "*fbaf3740b294ecd0cebcae3e5c7005b6fc9897357b8ee050a30c01cccd3b2019*",".{0,1000}fbaf3740b294ecd0cebcae3e5c7005b6fc9897357b8ee050a30c01cccd3b2019.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44515" "*fbb5435d1881e4a8df856378bbfa5b83bcb21ec9163a0690c63b88a83274729a*",".{0,1000}fbb5435d1881e4a8df856378bbfa5b83bcb21ec9163a0690c63b88a83274729a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44517" "*fbb81f40c843fc33e57a23db01ee0f206c99c6ed75520a5594e0b3d525725215*",".{0,1000}fbb81f40c843fc33e57a23db01ee0f206c99c6ed75520a5594e0b3d525725215.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable 
Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","44518" "*fbde6de8ad4a5d7d939d7e93f915832fbf5721abe180fba6b000def37c717fa9*",".{0,1000}fbde6de8ad4a5d7d939d7e93f915832fbf5721abe180fba6b000def37c717fa9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44528" "*fbef59f9d936742c9ec326dc55e9f1f2495771312efd7022f7d6ba84607cc74b*",".{0,1000}fbef59f9d936742c9ec326dc55e9f1f2495771312efd7022f7d6ba84607cc74b.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44534" "*fc208016c808df328b5dfdecbb8b40883e1d10b3c064ea6a1126fcf3b8927531*",".{0,1000}fc208016c808df328b5dfdecbb8b40883e1d10b3c064ea6a1126fcf3b8927531.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#filehash #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","44544" "*fc258ceabaf70cc28b8519a46a8045cac406d275707942f88e952621c6c382ec*",".{0,1000}fc258ceabaf70cc28b8519a46a8045cac406d275707942f88e952621c6c382ec.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44546" "*fc2f1acb031b9d16788c04a7a2feb3fa220a05feecbe087cb97f92cd31a25955*",".{0,1000}fc2f1acb031b9d16788c04a7a2feb3fa220a05feecbe087cb97f92cd31a25955.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44547" 
"*fc3b41639946509efb1f6835bc2da2233482f71859031aeb73006967ef5d7b66*",".{0,1000}fc3b41639946509efb1f6835bc2da2233482f71859031aeb73006967ef5d7b66.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44550" "*fc465df713f8c9d63c9380aa9da72b6ef639fb44917aed390d9c4d08c475a20d*",".{0,1000}fc465df713f8c9d63c9380aa9da72b6ef639fb44917aed390d9c4d08c475a20d.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44551" "*fc4ae0ea29ccdbfb58ac8ee898beae752e1a3e8528e94c02630c9bf34637dadd*",".{0,1000}fc4ae0ea29ccdbfb58ac8ee898beae752e1a3e8528e94c02630c9bf34637dadd.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44552" "*fc5c5c5ff93300cea3141ff55fbccccb07cd0017d4e9cd4bcd324563f88f53fd*",".{0,1000}fc5c5c5ff93300cea3141ff55fbccccb07cd0017d4e9cd4bcd324563f88f53fd.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44560" 
"*fc5f6cc320156278ec6b2f26d97fb4d56a429cb4365b893ce0c9c602ade37b9a*",".{0,1000}fc5f6cc320156278ec6b2f26d97fb4d56a429cb4365b893ce0c9c602ade37b9a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44562" "*fc621d5952a8fb61bfc73e197db64d87f35d1c12550b7bf6160bc78f6d61e44f*",".{0,1000}fc621d5952a8fb61bfc73e197db64d87f35d1c12550b7bf6160bc78f6d61e44f.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","#filehash","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","44563" "*fc6b0a57727383a1491591f8e9ee76b1e0e25ecf7c2736b803d8f4411f651a15*",".{0,1000}fc6b0a57727383a1491591f8e9ee76b1e0e25ecf7c2736b803d8f4411f651a15.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44565" "*fc6b300edf4c44463e17b8ea10303ee642e4114235fdb0096384f8f3b5f44ce6*",".{0,1000}fc6b300edf4c44463e17b8ea10303ee642e4114235fdb0096384f8f3b5f44ce6.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44566" "*fc6bf98a11ffa69b91775c7613db1230803948949e4933892cb1d2fbd05cfcb8*",".{0,1000}fc6bf98a11ffa69b91775c7613db1230803948949e4933892cb1d2fbd05cfcb8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line 
program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44567" "*fc80434203f482e80c4dd8f509a5ad4dae149a62399366b45b285ba4577e7cb7*",".{0,1000}fc80434203f482e80c4dd8f509a5ad4dae149a62399366b45b285ba4577e7cb7.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44571" "*fc81435479e432562efbbb8ed75a397b565d70593af843bb1ac89628132c7ef7*",".{0,1000}fc81435479e432562efbbb8ed75a397b565d70593af843bb1ac89628132c7ef7.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","#filehash","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","44572" "*fc82c701b9cc15cd6c9a34a65820138a3ae363f6e80580fa7331e6bb91f21e03*",".{0,1000}fc82c701b9cc15cd6c9a34a65820138a3ae363f6e80580fa7331e6bb91f21e03.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","0","#filehash","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","44574" 
"*fc901b9f783876c3cb057dbed28b5612fd376963f148d1375bb0c8cf86bb2e10*",".{0,1000}fc901b9f783876c3cb057dbed28b5612fd376963f148d1375bb0c8cf86bb2e10.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","#filehash","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","44579" "*fc97d73cd3ae1d0e0cc492a7b67ef928a59296fd2bebb99e753672b964813895*",".{0,1000}fc97d73cd3ae1d0e0cc492a7b67ef928a59296fd2bebb99e753672b964813895.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44583" "*fc9a33902b9f6efc6ade3bd7cff30f476d6e7fcfa68d57d063c3ec03f8ac2bf8*",".{0,1000}fc9a33902b9f6efc6ade3bd7cff30f476d6e7fcfa68d57d063c3ec03f8ac2bf8.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44584" "*fca1c44409a39abbd36c9326a96a8470022e5e48d436b6c57fa4b2735d69405c*",".{0,1000}fca1c44409a39abbd36c9326a96a8470022e5e48d436b6c57fa4b2735d69405c.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44588" 
"*fca3229e1f47db94e4707350c7b8fff9cb0e27d61d130477ad0ea3dd3808da67*",".{0,1000}fca3229e1f47db94e4707350c7b8fff9cb0e27d61d130477ad0ea3dd3808da67.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44589" "*fca8b047b25fa5005da1c58c490d936e4744a25f54e9275efd2e3d084f779951*",".{0,1000}fca8b047b25fa5005da1c58c490d936e4744a25f54e9275efd2e3d084f779951.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44590" "*fcad4fac0cb1a82960c4228ab28725755b6241914469b7b34393c07bb86d1c2f*",".{0,1000}fcad4fac0cb1a82960c4228ab28725755b6241914469b7b34393c07bb86d1c2f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44591" "*fcb302a952c8b928788cabbefc0e8393eed884ec306f9d0ea9b3c109b8f31f40*",".{0,1000}fcb302a952c8b928788cabbefc0e8393eed884ec306f9d0ea9b3c109b8f31f40.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44593" "*fcb77da2f09a0fef3c5c97c9aeec535a92977beab31fe315cdc5fd855f964fcd*",".{0,1000}fcb77da2f09a0fef3c5c97c9aeec535a92977beab31fe315cdc5fd855f964fcd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","#filehash","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","44595" "*fcb8c6993403e3d29d3bd980eadc0e40984252d0d777236f9d80f4d1e9de9d35*",".{0,1000}fcb8c6993403e3d29d3bd980eadc0e40984252d0d777236f9d80f4d1e9de9d35.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","44596" "*fcb8cfece92e787dc07616f7942b8632e74c24bafe6de1d0245543b9c7010a76*",".{0,1000}fcb8cfece92e787dc07616f7942b8632e74c24bafe6de1d0245543b9c7010a76.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44597" "*fcc37e68c723df92d2c17ce16d8c703a90a0c2f160eeb84c4559457406bfdf57*",".{0,1000}fcc37e68c723df92d2c17ce16d8c703a90a0c2f160eeb84c4559457406bfdf57.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","44602" "*fcd13c6633ef3fc3702f56ba46c9ee515a166dfd0161ccd5c4cfd14856892bab*",".{0,1000}fcd13c6633ef3fc3702f56ba46c9ee515a166dfd0161ccd5c4cfd14856892bab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44603" "*fce382fdcdac0158a35daa640766d5e8a6e7b342ae2b0b84f2aacdff13990c52*",".{0,1000}fce382fdcdac0158a35daa640766d5e8a6e7b342ae2b0b84f2aacdff13990c52.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44607" "*fce455e607e33bce8fc0f29bb1bbf34e7a886c39bb48995ee3af25a91f2a57f9*",".{0,1000}fce455e607e33bce8fc0f29bb1bbf34e7a886c39bb48995ee3af25a91f2a57f9.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44608" 
"*fce6c490393cd886beb5859fe7cecfab805098c1f2db88c290209681ee53bf50*",".{0,1000}fce6c490393cd886beb5859fe7cecfab805098c1f2db88c290209681ee53bf50.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44611" "*fcfhplploccackoneaefokcmbjfbkenj*",".{0,1000}fcfhplploccackoneaefokcmbjfbkenj.{0,1000}","greyware_tool_keyword","1clickVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","44617" "*fd075f9c84e91c2f7c0937e730df44f3e9fe9b74c41bdf62645a9798cd1a45c5*",".{0,1000}fd075f9c84e91c2f7c0937e730df44f3e9fe9b74c41bdf62645a9798cd1a45c5.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44625" "*fd0df9fb27d39a7990ecb66d872798148d6954207d653510035e087e1b6218a9*",".{0,1000}fd0df9fb27d39a7990ecb66d872798148d6954207d653510035e087e1b6218a9.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44629" 
"*fd194cf2b6edb6157d0033df52d5c5add9abd1b02683fac6edc74f6829812491*",".{0,1000}fd194cf2b6edb6157d0033df52d5c5add9abd1b02683fac6edc74f6829812491.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44631" "*fd243d10718135287eb1a555427abf58fdf9cabad14d08d31815763479b877dd*",".{0,1000}fd243d10718135287eb1a555427abf58fdf9cabad14d08d31815763479b877dd.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44635" "*fd2cb4581c2bd501355f938b46e14514aebb8053e5e10f99ff8782086634cc4d*",".{0,1000}fd2cb4581c2bd501355f938b46e14514aebb8053e5e10f99ff8782086634cc4d.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - 
Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44636" "*fd2d74fdf5e1fb90939c7b1902c0871aab404541f613978cfe3bb67e5da2b7f9*",".{0,1000}fd2d74fdf5e1fb90939c7b1902c0871aab404541f613978cfe3bb67e5da2b7f9.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44637" "*fd36ecab09eb04dab2aadae09347fcb19ba8d020d1684d4a096402e0aed15655*",".{0,1000}fd36ecab09eb04dab2aadae09347fcb19ba8d020d1684d4a096402e0aed15655.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44639" "*fd4a2bc256f098cde43e556226d86a211c5504ca3768366d40486677c7f2ad2f*",".{0,1000}fd4a2bc256f098cde43e556226d86a211c5504ca3768366d40486677c7f2ad2f.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44644" 
"*fd4b050e4400d57c5f222ce3647debb140ef6fd3176c576fbbe63f856926aa2e*",".{0,1000}fd4b050e4400d57c5f222ce3647debb140ef6fd3176c576fbbe63f856926aa2e.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#filehash","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","44645" "*fd56c2b76845cce8098053bddc58974e61d72c17841b66e7b39e0d1e6bdfaad2*",".{0,1000}fd56c2b76845cce8098053bddc58974e61d72c17841b66e7b39e0d1e6bdfaad2.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44647" "*fd68dceff58851ac4a8ba8ad476cd72f3fc0b3e62ada8ee355157f677ea67b07*",".{0,1000}fd68dceff58851ac4a8ba8ad476cd72f3fc0b3e62ada8ee355157f677ea67b07.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44650" 
"*fd6bc19cc7fadb13538cc109128bf92ef47762a83a3eaf2ab699b03bb2a1fe32*",".{0,1000}fd6bc19cc7fadb13538cc109128bf92ef47762a83a3eaf2ab699b03bb2a1fe32.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44652" "*fd7daf7c06d1ddd7dac1b11235096d203b22f34f05c470b5737269767af289ab*",".{0,1000}fd7daf7c06d1ddd7dac1b11235096d203b22f34f05c470b5737269767af289ab.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44659" "*fd900c4347ee081a5dcd7bd1d33cb748621f72793fdc63becb9b0410a14df494*",".{0,1000}fd900c4347ee081a5dcd7bd1d33cb748621f72793fdc63becb9b0410a14df494.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44664" "*fda286756bd8b976139dfd1dc8e80532af74d8b628d69850d29335dd6d1a44dd*",".{0,1000}fda286756bd8b976139dfd1dc8e80532af74d8b628d69850d29335dd6d1a44dd.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44670" "*fda4d4aa167c0baa4ef5159613f090dcc61b265108cc93c98c9bfdcbd6a486a0*",".{0,1000}fda4d4aa167c0baa4ef5159613f090dcc61b265108cc93c98c9bfdcbd6a486a0.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44671" "*fdaaa6bd9cbb9875b35f339dbd7b7481bc3aef2e2eb59caa2b77ffbd34ed079b*",".{0,1000}fdaaa6bd9cbb9875b35f339dbd7b7481bc3aef2e2eb59caa2b77ffbd34ed079b.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","#filehash","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","44674" "*fdbcc2a7d73552e690bc9ca7fccb69b9efdf10fc4d78f0f7c63b14a9129bb116*",".{0,1000}fdbcc2a7d73552e690bc9ca7fccb69b9efdf10fc4d78f0f7c63b14a9129bb116.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44679" "*fdc0bca8460360346991a0f13e25233c87805bdc0f055f221f9c57c33b3b60fa*",".{0,1000}fdc0bca8460360346991a0f13e25233c87805bdc0f055f221f9c57c33b3b60fa.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44681" "*fdc0f0e9a4cdb1f3533ea2bc643907365556bbb7386645bb143942e60beefab4*",".{0,1000}fdc0f0e9a4cdb1f3533ea2bc643907365556bbb7386645bb143942e60beefab4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44683" "*fdcgdnkidjaadafnichfpabhfomcebme*",".{0,1000}fdcgdnkidjaadafnichfpabhfomcebme.{0,1000}","greyware_tool_keyword","ZenMate VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","44687" "*fdde0e3af2596af6e1952bf4fc050dc4a5bd73c2826775b758fcdca93f91c134*",".{0,1000}fdde0e3af2596af6e1952bf4fc050dc4a5bd73c2826775b758fcdca93f91c134.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - 
TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44691" "*fdde1a3e82d043cdca44b13c45e7593b61707385b30e919c38615d02d53e4b36*",".{0,1000}fdde1a3e82d043cdca44b13c45e7593b61707385b30e919c38615d02d53e4b36.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44692" "*fde10089445a9891714b268d69ec4de5b5457ed084fe091cdadb23c9b432c271*",".{0,1000}fde10089445a9891714b268d69ec4de5b5457ed084fe091cdadb23c9b432c271.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44693" "*fdeb3ef3bb907499be9d8fda107426d15ea9535e0f7818a206ded082f31fcbbf*",".{0,1000}fdeb3ef3bb907499be9d8fda107426d15ea9535e0f7818a206ded082f31fcbbf.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44699" "*fdee8d4b32f8da73f39a0ee525a90343b663edc671c520d97e1540b41531be32*",".{0,1000}fdee8d4b32f8da73f39a0ee525a90343b663edc671c520d97e1540b41531be32.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44701" "*fdfb4bf86d0f42baf4723b168ef1c768dbe9504003718418610c12bb12b43989*",".{0,1000}fdfb4bf86d0f42baf4723b168ef1c768dbe9504003718418610c12bb12b43989.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44703" "*fe0c598004e2f3453bcd75e0d3ea77372289cf17302f162089b3c544a54d2216*",".{0,1000}fe0c598004e2f3453bcd75e0d3ea77372289cf17302f162089b3c544a54d2216.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44709" "*fe1eaa0c7066ad45a8a13838d15a6a6535e69250ecc3ed8c48bfb480c8b87e5a*",".{0,1000}fe1eaa0c7066ad45a8a13838d15a6a6535e69250ecc3ed8c48bfb480c8b87e5a.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44716" 
"*fe24df06821a78f1ccc81a8459ed13a14558b632908b266864257636e4fa8812*",".{0,1000}fe24df06821a78f1ccc81a8459ed13a14558b632908b266864257636e4fa8812.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44718" "*fe3115fada63d6efd85cb0e3f7a9c52e688004334eef6c0d7349c39b64e9470d*",".{0,1000}fe3115fada63d6efd85cb0e3f7a9c52e688004334eef6c0d7349c39b64e9470d.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44721" "*fe38147743b83a8d6de300d7fc5d7eeb6478cb6de6587de05e6db2ba9e4d5af7*",".{0,1000}fe38147743b83a8d6de300d7fc5d7eeb6478cb6de6587de05e6db2ba9e4d5af7.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#filehash","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","44723" "*fe3ff2cfe15f89b3357a4fa4648417f6b324ec1d27391b2e6c36e441e19340df*",".{0,1000}fe3ff2cfe15f89b3357a4fa4648417f6b324ec1d27391b2e6c36e441e19340df.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44724" 
"*fe4a85694ea1405552e8bd6fabbff0a676ff428a529fb72e23ca48ca0d2f9ba7*",".{0,1000}fe4a85694ea1405552e8bd6fabbff0a676ff428a529fb72e23ca48ca0d2f9ba7.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44728" "*fe57ef744c2f42fa72573f27e8dffefded238722eaeaeecfcbaaab239c4a07c4*",".{0,1000}fe57ef744c2f42fa72573f27e8dffefded238722eaeaeecfcbaaab239c4a07c4.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44730" "*fe77ec34521fe3747717123a4504214f1bea87fb4772efbdb1b827094ae0cd03*",".{0,1000}fe77ec34521fe3747717123a4504214f1bea87fb4772efbdb1b827094ae0cd03.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","0","#filehash","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","44737" "*fe7e882c3398640429e9d56be1b45fabfea6829cc44609272411d07b0de24527*",".{0,1000}fe7e882c3398640429e9d56be1b45fabfea6829cc44609272411d07b0de24527.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - 
FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44740" "*fe7fb6e885955c83dfa6c9797f277b30971ec4f0261cec7ebbb864408fa02aaa*",".{0,1000}fe7fb6e885955c83dfa6c9797f277b30971ec4f0261cec7ebbb864408fa02aaa.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44741" "*fe84402f814f28cbdcf92696b5e28d738121e16fae5ca9b5fc43d7045311028c*",".{0,1000}fe84402f814f28cbdcf92696b5e28d738121e16fae5ca9b5fc43d7045311028c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44743" "*fe8c6970ccddf7c7d1ee465118e07b9d42bc08d1a7888fd840baa2ee2e0cffe8*",".{0,1000}fe8c6970ccddf7c7d1ee465118e07b9d42bc08d1a7888fd840baa2ee2e0cffe8.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - 
Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44747" "*fe9dd722a085bce94fe2403f8d02e20becf0f0faa019d0789fadf35b66611a46*",".{0,1000}fe9dd722a085bce94fe2403f8d02e20becf0f0faa019d0789fadf35b66611a46.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","#filehash","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","44751" "*fec7ade9f12c30bd6323568dbb0f81a3f98a3c86acc8161590235c0f18194022*",".{0,1000}fec7ade9f12c30bd6323568dbb0f81a3f98a3c86acc8161590235c0f18194022.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44760" "*fed08bd733b8e60b5805007bd01a7bf0d0b1993059bbe319d1179facc6b73361*",".{0,1000}fed08bd733b8e60b5805007bd01a7bf0d0b1993059bbe319d1179facc6b73361.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","#filehash","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","44763" "*fee.xmrig.com*",".{0,1000}fee\.xmrig\.com.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised 
machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","44773" "*fee0ecda586f1dfec39d0de21239642953ce228082a118e030fd76b4f827ae7c*",".{0,1000}fee0ecda586f1dfec39d0de21239642953ce228082a118e030fd76b4f827ae7c.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","44774" "*fee22f170cba77a8a17614c87621393e45ca2d703c049ca5e352083f0c9dd313*",".{0,1000}fee22f170cba77a8a17614c87621393e45ca2d703c049ca5e352083f0c9dd313.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44775" "*feedback.cyberghostvpn.com*",".{0,1000}feedback\.cyberghostvpn\.com.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","1","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","44778" "*fef39ed9d25e944711e2a27d5a9c812163ab184bf3f703827fca6bbf54504fbf*",".{0,1000}fef39ed9d25e944711e2a27d5a9c812163ab184bf3f703827fca6bbf54504fbf.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","#filehash","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","44781" 
"*fefb2b5bc41354345598c2f69090bf16f7f1add348fa6a4bad60dd8fb0e73d40*",".{0,1000}fefb2b5bc41354345598c2f69090bf16f7f1add348fa6a4bad60dd8fb0e73d40.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","#filehash","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","44783" "*ff00ffad183c58baa5252cbdd086257a9ae7b4539a02950eeb3347049e606c5a*",".{0,1000}ff00ffad183c58baa5252cbdd086257a9ae7b4539a02950eeb3347049e606c5a.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44792" "*ff03813f317942ddaa673985b0b84069cd74734ca4725f6ad89be3d2f95ffaf3*",".{0,1000}ff03813f317942ddaa673985b0b84069cd74734ca4725f6ad89be3d2f95ffaf3.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#filehash","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","44793" "*ff1a32145246a5c3e38142aa015cfbcd5dc046674d0a3f16979ff6c4eb1cfe6a*",".{0,1000}ff1a32145246a5c3e38142aa015cfbcd5dc046674d0a3f16979ff6c4eb1cfe6a.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44799" 
"*ff3ae7ab29ef7a21094e07650e8cd4a4291363c2819e2dfbae34520ec762efd7*",".{0,1000}ff3ae7ab29ef7a21094e07650e8cd4a4291363c2819e2dfbae34520ec762efd7.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","#filehash","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","44803" "*ff3e998c3fbe9b0409706084db0627094e8bd971fcfc304d93a3105cc5a51426*",".{0,1000}ff3e998c3fbe9b0409706084db0627094e8bd971fcfc304d93a3105cc5a51426.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44804" "*ff4dc01b1bd4ab8682316280bd90cbc15f8cf14eca91e6a5180129b1fd39f2df*",".{0,1000}ff4dc01b1bd4ab8682316280bd90cbc15f8cf14eca91e6a5180129b1fd39f2df.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44805" "*ff5892909fbe28600444bce96bb710aa2d1eaeb69231997ebfa76d40d87fe3ea*",".{0,1000}ff5892909fbe28600444bce96bb710aa2d1eaeb69231997ebfa76d40d87fe3ea.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in 
golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44809" "*ff63fca9ccb4a827d0b62fc9bdcce683ef8ede7b11f2a0054393e0d061d8d241*",".{0,1000}ff63fca9ccb4a827d0b62fc9bdcce683ef8ede7b11f2a0054393e0d061d8d241.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","#filehash","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","44813" "*ff6ae27dadc4084ee2632a2ec29ac0662d19acba889943442d2a2cc578926fa6*",".{0,1000}ff6ae27dadc4084ee2632a2ec29ac0662d19acba889943442d2a2cc578926fa6.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44814" "*ff6e67d725ee64b4607dc6490a706dc9234c708cff814477de52d3beb781c6a1*",".{0,1000}ff6e67d725ee64b4607dc6490a706dc9234c708cff814477de52d3beb781c6a1.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#filehash","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","44815" 
"*ff71979ea17d481194beba325a55f5d2a319175ebc6a80df535a202a43614f24*",".{0,1000}ff71979ea17d481194beba325a55f5d2a319175ebc6a80df535a202a43614f24.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44816" "*ff82293d001f120a624d0b71dc57432f4cbbd813078d4092685f62246b12a918*",".{0,1000}ff82293d001f120a624d0b71dc57432f4cbbd813078d4092685f62246b12a918.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","#filehash","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","44822" "*ff91f0d3a6ffcf273c455b50cd84d306e03e1ec0b650175bee3dde1480d1d113*",".{0,1000}ff91f0d3a6ffcf273c455b50cd84d306e03e1ec0b650175bee3dde1480d1d113.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","#filehash","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","44825" "*ff94ad03ba7f695b06de1179867e2883d9fab083620e55cbe647b79c093492cb*",".{0,1000}ff94ad03ba7f695b06de1179867e2883d9fab083620e55cbe647b79c093492cb.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","0","#filehash","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","44826" 
"*ff955edce7641fd51844726398cedcd9a27d45f74731ca3c79a0abab5bf5ebc1*",".{0,1000}ff955edce7641fd51844726398cedcd9a27d45f74731ca3c79a0abab5bf5ebc1.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44827" "*ff98ae3248a0c2d93b00ec2d426578a3b90aec301883662b8da0fb2a213d60ca*",".{0,1000}ff98ae3248a0c2d93b00ec2d426578a3b90aec301883662b8da0fb2a213d60ca.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#filehash","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","44828" "*ff9d4086614006d6372ab2ac9d750701157e40285452aba802460da8f91c404f*",".{0,1000}ff9d4086614006d6372ab2ac9d750701157e40285452aba802460da8f91c404f.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#filehash","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","44829" "*ffa8edd59c275f6c592835b11b1f00e7c83c7d1e91aa8d9f6d666d286e902017*",".{0,1000}ffa8edd59c275f6c592835b11b1f00e7c83c7d1e91aa8d9f6d666d286e902017.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44835" "*ffab140a79d06d88ec543509c59850b4b042d8730a6b5ea0c3f592cb20ac242f*",".{0,1000}ffab140a79d06d88ec543509c59850b4b042d8730a6b5ea0c3f592cb20ac242f.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44837" "*ffb178076c942e678405a4d77eefcfcb96b63802b240f2e4e92cde746cbf6d07*",".{0,1000}ffb178076c942e678405a4d77eefcfcb96b63802b240f2e4e92cde746cbf6d07.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44838" 
"*ffb2e75e9f58cb082f6cabb6e0a4794b0e22b037dc82abc3bc7ee8f376f44e23*",".{0,1000}ffb2e75e9f58cb082f6cabb6e0a4794b0e22b037dc82abc3bc7ee8f376f44e23.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#filehash #linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","44839" "*ffba5315499b161375d0a2e0f54789e93d32383be19ec2b7b1a8fe050dd9af6e*",".{0,1000}ffba5315499b161375d0a2e0f54789e93d32383be19ec2b7b1a8fe050dd9af6e.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","#filehash","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","44842" "*ffbfdc45658000d2b762e5b8b0bc0418a4afffeda9a1f9bbcf7438a213ba5326*",".{0,1000}ffbfdc45658000d2b762e5b8b0bc0418a4afffeda9a1f9bbcf7438a213ba5326.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44844" "*ffbkglfijbcbgblgflchnbphjdllaogb*",".{0,1000}ffbkglfijbcbgblgflchnbphjdllaogb.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - 
TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","44845" "*fff35786bf9ee9320037db69e239df83768b8f756bae2343253ba6512e70d86c*",".{0,1000}fff35786bf9ee9320037db69e239df83768b8f756bae2343253ba6512e70d86c.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#filehash","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","44857" "*fff687bfe2b84105d847369852022a26a6101d839cfdb1ecc88a45d1683a8709*",".{0,1000}fff687bfe2b84105d847369852022a26a6101d839cfdb1ecc88a45d1683a8709.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#filehash","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","44859" "*fffec1382a3f65ecb8f1ebb2c74e3d7aa57485fb4cff4014aadc10b8e9f3abc8*",".{0,1000}fffec1382a3f65ecb8f1ebb2c74e3d7aa57485fb4cff4014aadc10b8e9f3abc8.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - 
TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#filehash","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","44861" "*ffhhkmlgedgcliajaedapkdfigdobcif*",".{0,1000}ffhhkmlgedgcliajaedapkdfigdobcif.{0,1000}","greyware_tool_keyword","Nucleus VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","44862" "*fgddmllnllkalaagkghckoinaemmogpe*",".{0,1000}fgddmllnllkalaagkghckoinaemmogpe.{0,1000}","greyware_tool_keyword","ExpressVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","44877" "*ficajfeojakddincjafebjmfiefcmanc*",".{0,1000}ficajfeojakddincjafebjmfiefcmanc.{0,1000}","greyware_tool_keyword","Best VPN USA","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","44883" "*File Shredder setup.exe*",".{0,1000}File\sShredder\ssetup\.exe.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is FREE and powerful application to shred and permanently 
remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.fileshredder.org/","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","44891" "*File Shredder.exe*",".{0,1000}File\sShredder\.exe.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is FREE and powerful application to shred and permanently remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.fileshredder.org/","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","44892" "*file_shredder_setup.exe*",".{0,1000}file_shredder_setup\.exe.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is FREE and powerful application to shred and permanently remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.fileshredder.org/","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","44895" "*filetransfer.io/upload/*",".{0,1000}filetransfer\.io\/upload\/.{0,1000}","greyware_tool_keyword","filetransfer.io","uploading to filetransfer.io","T1105 - T1021 - T1560.003 - T1071.001 - T1071.002","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://filetransfer.io","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","44920" "*-filter *(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32*",".{0,1000}\-filter\s.{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=32.{0,1000}","greyware_tool_keyword","dsquery","Finding users Not Required to Have a Password","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","APT41 - FIN8","Discovery","https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","44927" "*-filter 
*(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304*",".{0,1000}\-filter\s.{0,1000}\(\&\(objectCategory\=person\)\(objectClass\=user\)\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=4194304.{0,1000}","greyware_tool_keyword","dsquery","Finding accounts with Kerberos Pre-Authentication Disabled","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","APT41 - FIN8","Discovery","https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","44928" "*-filter *(&(objectClass=User)(msDS-AllowedToDelegateTo=*",".{0,1000}\-filter\s.{0,1000}\(\&\(objectClass\=User\)\(msDS\-AllowedToDelegateTo\=.{0,1000}","greyware_tool_keyword","dsquery","Finding accounts with constrained delegation","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","APT41 - FIN8","Discovery","https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","44929" "*-filter *(&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(samaccounttype=805306369*",".{0,1000}\-filter\s.{0,1000}\(\&\(objectClass\=user\)\(servicePrincipalName\=.{0,1000}\)\(!\(cn\=krbtgt\)\)\(!\(samaccounttype\=805306369.{0,1000}","greyware_tool_keyword","dsquery","Finding Kerberoastable Users","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","APT41 - FIN8","Discovery","https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","44930" "*-filter *(&(objectClass=User)(serviceprincipalname=*)(samaccountname=* -limit 0 -attr samaccountname serviceprincipalname*",".{0,1000}\-filter\s.{0,1000}\(\&\(objectClass\=User\)\(serviceprincipalname\=.{0,1000}\)\(samaccountname\=.{0,1000}\s\-limit\s0\s\-attr\ssamaccountname\sserviceprincipalname.{0,1000}","greyware_tool_keyword","dsquery","Finding accounts with SPNs","T1087.002 - T1018 
- T1069.002","TA0007 - TA0009","N/A","APT41 - FIN8","Discovery","https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","44931" "*-filter *(userAccountControl:1.2.840.113556.1.4.803:=524288)*",".{0,1000}\-filter\s.{0,1000}\(userAccountControl\:1\.2\.840\.113556\.1\.4\.803\:\=524288\).{0,1000}","greyware_tool_keyword","dsquery","Finding accounts with unconstrained delegation","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","APT41 - FIN8","Discovery","https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","44932" "*find . -exec /bin/sh \; -quit*",".{0,1000}find\s\.\s\-exec\s\/bin\/sh\s\\\;\s\-quit.{0,1000}","greyware_tool_keyword","find","It can be used to break out from restricted environments by spawning an interactive system shell.","T1059.004 - T1219 - T1027","TA0002 - TA0004 - TA0005","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","44937" "*find . -exec /bin/sh -p \; -quit*",".{0,1000}find\s\.\s\-exec\s\/bin\/sh\s\-p\s\\\;\s\-quit.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","44938" "*find . -perm -2 -ls*",".{0,1000}find\s\.\s\-perm\s\-2\s\-ls.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","10","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44940" "*find . 
-type f -name .bash_history*",".{0,1000}find\s\.\s\-type\sf\s\-name\s\.bash_history.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44942" "*find . -type f -name .fetchmailrc*",".{0,1000}find\s\.\s\-type\sf\s\-name\s\.fetchmailrc.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44945" "*find . -type f -name .htpasswd*",".{0,1000}find\s\.\s\-type\sf\s\-name\s\.htpasswd.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44948" "*find . -type f -name service.pwd*",".{0,1000}find\s\.\s\-type\sf\s\-name\sservice\.pwd.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44951" "*find . 
-type f -perm -02000 -ls*",".{0,1000}find\s\.\s\-type\sf\s\-perm\s\-02000\s\-ls.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44954" "*find . -type f -perm -04000 -ls*",".{0,1000}find\s\.\s\-type\sf\s\-perm\s\-04000\s\-ls.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44957" "*find / -name authorized_keys *> /dev/null*",".{0,1000}find\s\/\s\-name\sauthorized_keys\s.{0,1000}\>\s\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find sensitive files","T1083 - T1213.002 - T1005","TA0007 - TA0010","N/A","N/A","discovery","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","44964" "*find / -name ftp*",".{0,1000}find\s\/\s\-name\sftp.{0,1000}","greyware_tool_keyword","find","Look for files with the SGID (Set Group ID) bit set","T1083 - T1018 - T1202","TA0007 - TA0010 ","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44965" "*find / -name id_dsa 2>*",".{0,1000}find\s\/\s\-name\sid_dsa\s2\>.{0,1000}","greyware_tool_keyword","find","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false 
positives","N/A","N/A","N/A","N/A","N/A","N/A","44966" "*find / -name id_rsa *> /dev/null*",".{0,1000}find\s\/\s\-name\sid_rsa\s.{0,1000}\>\s\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find sensitive files","T1083 - T1213.002 - T1005","TA0007 - TA0010","N/A","N/A","discovery","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","44967" "*find / -name id_rsa 2>*",".{0,1000}find\s\/\s\-name\sid_rsa\s2\>.{0,1000}","greyware_tool_keyword","find","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","44968" "*find / -name netcat*",".{0,1000}find\s\/\s\-name\snetcat.{0,1000}","greyware_tool_keyword","find","Look for files with the SGID (Set Group ID) bit set","T1083 - T1018 - T1202","TA0007 - TA0010 ","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44969" "*find / -name tftp* ",".{0,1000}find\s\/\s\-name\stftp.{0,1000}\s","greyware_tool_keyword","find","Look for files with the SGID (Set Group ID) bit set","T1083 - T1018 - T1202","TA0007 - TA0010 ","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44970" "*find / -perm /2000 -ls 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\/2000\s\-ls\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find SGID enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","8","10","N/A","N/A","N/A","N/A","44971" "*find / -perm +4000 -type f 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\+4000\s\-type\sf\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find SUID 
enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","44972" "*find / -perm +8000 -ls 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\+8000\s\-ls\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find SGID enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","8","10","N/A","N/A","N/A","N/A","44973" "*find / -perm -1000 -type d 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\-1000\s\-type\sd\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","searches for directories that have the sticky bit set","T1083 - T1069 - T1202","TA0004 - TA0007","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44974" "*find / -perm -2 -ls*",".{0,1000}find\s\/\s\-perm\s\-2\s\-ls.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44975" "*find / -perm -2000",".{0,1000}find\s\/\s\-perm\s\-2000","greyware_tool_keyword","find","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.# sticky bits","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","44977" "*find / -perm -4000",".{0,1000}find\s\/\s\-perm\s\-4000","greyware_tool_keyword","find","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.# sticky bits","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - 
TA0006","N/A","N/A","Privilege Escalation","https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","44978" "*find / -perm -4000 -type f *",".{0,1000}find\s\/\s\-perm\s\-4000\s\-type\sf\s.{0,1000}","greyware_tool_keyword","find","Find SUID enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","44979" "*find / -perm -g=s",".{0,1000}find\s\/\s\-perm\s\-g\=s","greyware_tool_keyword","find","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. # sticky bits","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","44980" "*find / -perm -g=s -o -perm -u=s -type f 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\-g\=s\s\-o\s\-perm\s\-u\=s\s\-type\sf\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Look for files with the SGID (Set Group ID) bit set","T1083 - T1069 - T1202","TA0004 - TA0007","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44981" "*find / -perm -g=s -type f 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\-g\=s\s\-type\sf\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Look for files with the SGID (Set Group ID) bit set","T1083 - T1069 - T1202","TA0004 - TA0007","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44982" "*find / -perm -u=s",".{0,1000}find\s\/\s\-perm\s\-u\=s","greyware_tool_keyword","find","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. 
sticky bits","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","44983" "*find / -perm -u=s -type f 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\-u\=s\s\-type\sf\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find SUID enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","44984" "*find / -perm -u=s -type f 2>/dev/null*",".{0,1000}find\s\/\s\-perm\s\-u\=s\s\-type\sf\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","find","Look for files with the SGID (Set Group ID) bit set","T1083 - T1069 - T1202","TA0004 - TA0007","N/A","N/A","Discovery","N/A","1","0","#linux","N/A","7","10","N/A","N/A","N/A","N/A","44985" "*find / -perm -u=s -type f -group */dev/null*",".{0,1000}find\s\/\s\-perm\s\-u\=s\s\-type\sf\s\-group\s.{0,1000}\/dev\/null.{0,1000}","greyware_tool_keyword","find","Find SUID enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","44986" "*find / -type f -name .bash_history*",".{0,1000}find\s\/\s\-type\sf\s\-name\s\.bash_history.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44987" "*find / -type f -name .fetchmailrc*",".{0,1000}find\s\/\s\-type\sf\s\-name\s\.fetchmailrc.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - 
Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44990" "*find / -type f -name .htpasswd*",".{0,1000}find\s\/\s\-type\sf\s\-name\s\.htpasswd.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44993" "*find / -type f -name config.inc.php*",".{0,1000}find\s\/\s\-type\sf\s\-name\sconfig\.inc\.php.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44996" "*find / -type f -name service.pwd*",".{0,1000}find\s\/\s\-type\sf\s\-name\sservice\.pwd.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","44999" "*find / -type f -perm -02000 -ls*",".{0,1000}find\s\/\s\-type\sf\s\-perm\s\-02000\s\-ls.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","45002" "*find / -type f -perm -04000 
-ls*",".{0,1000}find\s\/\s\-type\sf\s\-perm\s\-04000\s\-ls.{0,1000}","greyware_tool_keyword","find","find commands used by the wso php webshell","T1100 - T1027 - T1059","TA0007","N/A","EMBER BEAR - Sandworm","Discovery","https://github.com/mIcHyAmRaNe/wso-webshell","1","0","#linux","find commands used by the webshell","5","4","376","211","2024-07-08T04:54:36Z","2017-05-04T23:34:02Z","45005" "*find / -uid 0 -perm -4000 -type f *",".{0,1000}find\s\/\s\-uid\s0\s\-perm\s\-4000\s\-type\sf\s.{0,1000}","greyware_tool_keyword","find","Find SUID enabled files","T1044 - T1083","TA0007 - TA0009","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","45008" "*find / -user root -perm -6000 -type f 2>*",".{0,1000}find\s\/\s\-user\sroot\s\-perm\s\-6000\s\-type\sf\s2\>.{0,1000}","greyware_tool_keyword","find","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","45009" "*find / -xdev -user root \( -perm -4000 -o -perm -2000 -o -perm -6000 \) 2>/dev/null*",".{0,1000}find\s\/\s\-xdev\s\-user\sroot\s\\\(\s\-perm\s\-4000\s\-o\s\-perm\s\-2000\s\-o\s\-perm\s\-6000\s\\\)\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","45010" "*find /* -perm -04000 -o -perm 
-02000*",".{0,1000}find\s\/.{0,1000}\s\-perm\s\-04000\s\-o\s\-perm\s\-02000.{0,1000}","greyware_tool_keyword","find","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","45011" "*find /* -perm -u=s -type f 2>*",".{0,1000}find\s\/.{0,1000}\s\-perm\s\-u\=s\s\-type\sf\s2\>.{0,1000}","greyware_tool_keyword","find","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","45012" "*find /var/log -type f -exec truncate -s 0 {} \*",".{0,1000}find\s\/var\/log\s\-type\sf\s\-exec\struncate\s\-s\s0\s\{\}\s\\.{0,1000}","greyware_tool_keyword","find","truncate every file under /var/log to size 0 - no log content = no forensic.","T1486 - T1553 - T1592.002 - T1081","TA0005 - TA0007 - TA0009","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","45014" "*Find-DangerousACLPermissions*",".{0,1000}Find\-DangerousACLPermissions.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","45039" "*Find-LocalAdminAccess 
-Verbose*",".{0,1000}Find\-LocalAdminAccess\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Find machine where the user has admin privs","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45076" "*findstr *cpassword *\sysvol\*.xml*",".{0,1000}findstr\s.{0,1000}cpassword\s.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers - gpp finder","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A","45111" "*findstr *vnc.ini*",".{0,1000}findstr\s.{0,1000}vnc\.ini.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A","45114" "*findstr /S cpassword $env:*\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\$env\:.{0,1000}\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential 
Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45116" "*findstr /S cpassword %*%\sysvol\*.xml*",".{0,1000}findstr\s\/S\scpassword\s\%.{0,1000}\%\\sysvol\\.{0,1000}\.xml.{0,1000}","greyware_tool_keyword","findstr","Find GPP Passwords in SYSVOL - search for occurrences of the term ""cpassword"" in all XML files within the SYSVOL directory of the domain controller - The ""cpassword"" string refers to a weakly encrypted password stored in some Group Policy Preferences (GPP) files","T1003.008 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45117" "*findstr /si secret *.docx*",".{0,1000}findstr\s\/si\ssecret\s.{0,1000}\.docx.{0,1000}","greyware_tool_keyword","findstr","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","N/A","greyware_tools high risks of false positives","6","10","N/A","N/A","N/A","N/A","45118" "*firewall add allowedprogram *vncviewer.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}vncviewer\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45150" "*firewall add allowedprogram *winvnc.exe* ENABLE ALL*",".{0,1000}firewall\sadd\sallowedprogram\s.{0,1000}winvnc\.exe.{0,1000}\sENABLE\sALL.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - 
APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45151" "*firewall add portopening TCP 5800 vnc5800*",".{0,1000}firewall\sadd\sportopening\sTCP\s5800\svnc5800.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45152" "*firewall add portopening TCP 5900 vnc5900*",".{0,1000}firewall\sadd\sportopening\sTCP\s5900\svnc5900.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45153" "*firewall add rule ""name=SH Remote Access Service Launcher""*",".{0,1000}firewall\sadd\srule\s\""name\=SH\sRemote\sAccess\sService\sLauncher\"".{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45154" "*firewall add rule ""name=SH Remote Access Service Updater""*",".{0,1000}firewall\sadd\srule\s\""name\=SH\sRemote\sAccess\sService\sUpdater\"".{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45155" "*firewall add rule ""name=SH Remote Access 
Service""*",".{0,1000}firewall\sadd\srule\s\""name\=SH\sRemote\sAccess\sService\"".{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45156" "*fjoaledfpmneenckfbpdfhkmimnjocfa*",".{0,1000}fjoaledfpmneenckfbpdfhkmimnjocfa.{0,1000}","greyware_tool_keyword","NordVPN","External VPN browser extension usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","45160" "*fleetctl updates init*",".{0,1000}fleetctl\supdates\sinit.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45169" "*fleetdeck.io/prototype3/commander_svc*",".{0,1000}fleetdeck\.io\/prototype3\/commander_svc.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45170" "*fleetdeck_agent.exe*",".{0,1000}fleetdeck_agent\.exe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45171" "*fleetdeck_agent_svc.exe*",".{0,1000}fleetdeck_agent_svc\.exe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45172" "*fleetdeck_commander_launcher.exe*",".{0,1000}fleetdeck_commander_launcher\.exe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45173" "*fleetdeck_commander_svc.exe*",".{0,1000}fleetdeck_commander_svc\.exe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45174" "*fleetdeck_installer.exe*",".{0,1000}fleetdeck_installer\.exe.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45175" "*fleetdeckfork/execfuncargs(*",".{0,1000}fleetdeckfork\/execfuncargs\(.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","45176" 
"*foiopecknacmiihiocgdjgbjokkpkohc*",".{0,1000}foiopecknacmiihiocgdjgbjokkpkohc.{0,1000}","greyware_tool_keyword","VPN Professional","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","45188" "*for /F ""tokens=*"" %%G in ('wevtutil.exe el') DO (call :do_clear ""%%G"")*",".{0,1000}for\s\/F\s\""tokens\=.{0,1000}\""\s\%\%G\sin\s\(\'wevtutil\.exe\sel\'\)\sDO\s\(call\s\:do_clear\s\""\%\%G\""\).{0,1000}","greyware_tool_keyword","wevtutil","loops through event logs using wevtutil.exe to prepare to clear them","T1070.001","TA0005","N/A","N/A","Defense Evasion","https://github.com/CCob/Shwmae","1","0","N/A","N/A","10","2","149","12","2025-01-27T14:36:07Z","2024-03-21T15:05:03Z","45197" "*FOR /F ""tokens=1,2*"" %%V IN ('bcdedit') DO SET adminTest=%%V*",".{0,1000}FOR\s\/F\s\""tokens\=1,2.{0,1000}\""\s\%\%V\sIN\s\(\'bcdedit\'\)\sDO\sSET\sadminTest\=\%\%V.{0,1000}","greyware_tool_keyword","bcedit","This checks whether the script has administrative access before continuing","T1070.003","TA0005","N/A","LockBit - Snatch - Hive - Zola - BlackCat - Cicada3301 - Embargo","Defense Evasion","https://github.com/Lifka/hacking-resources/blob/7885f95676c3ba4b2ee79fbaf0f6797add892322/system-hacking-cheat-sheet.md?plain=1#L114","1","0","N/A","N/A","6","10","2057","182","2024-06-25T18:58:59Z","2021-02-27T10:17:42Z","45198" "*for /L %i in (2,1,254) do (netsh interface ip set address local static*",".{0,1000}for\s\/L\s\%i\sin\s\(2,1,254\)\sdo\s\(netsh\sinterface\sip\sset\saddress\slocal\sstatic.{0,1000}","greyware_tool_keyword","netsh","the loop exhausts available IP addresses on the network by assigning static IP addresses, which depletes the pool of IPs 
that the DHCP server can assign to legitimate devices","T1499.001 - T1090","TA0043 - TA0005","N/A","N/A","Sniffing & Spoofing","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45200" "*for i in {1..65535}*",".{0,1000}for\si\sin\s\{1\.\.65535\}.{0,1000}","greyware_tool_keyword","bash port scan","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Discovery","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","45203" "*-Force Stop-Process -Name remote_webauthn*",".{0,1000}\-Force\sStop\-Process\s\-Name\sremote_webauthn.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45204" "*foreach ($* {Test-NetConnection -Port *",".{0,1000}foreach\s\(\$.{0,1000}\s\{Test\-NetConnection\s\-Port\s.{0,1000}","greyware_tool_keyword","powershell","port scanner with powershell command test-NetConnection","T1049 - T1086","TA0007 - TA0005","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","45207" "*forfiles.exe* /p * /m * /c *powershell . mshta*",".{0,1000}forfiles\.exe.{0,1000}\s\/p\s.{0,1000}\s\/m\s.{0,1000}\s\/c\s.{0,1000}powershell\s\.\smshta.{0,1000}","greyware_tool_keyword","mshta","using forfiles and mshta likely to evade detection and execute malicious code. 
It combines file enumeration with scripting and HTML-based execution which is commonly seen in malware or sophisticated attacks","T1083 - T1059 - T1203","TA0002 - TA0005 - TA0009","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45215" "*from dataplicity.m2m.*",".{0,1000}from\sdataplicity\.m2m\..{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#content","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","45302" "*from lomond import WebSocket*",".{0,1000}from\slomond\simport\sWebSocket.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#content","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","45322" "*from megacmd_tests_common import *",".{0,1000}from\smegacmd_tests_common\simport\s.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","45324" "*from rclone import *",".{0,1000}from\srclone\simport\s.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware 
groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","45340" "*from requests_ntlm import HttpNtlmAuth*",".{0,1000}from\srequests_ntlm\simport\sHttpNtlmAuth.{0,1000}","greyware_tool_keyword","requests-ntlm","HTTP NTLM Authentication for Requests Library","T1003 - T1547.005 - T1055 - T1557","TA0008 - TA0006","N/A","N/A","Credential Access","https://pypi.org/project/requests-ntlm/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","45341" "*from sshtunnel import *",".{0,1000}from\ssshtunnel\simport\s.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","45349" "*from sshtunnel import SSHTunnelForwarder*",".{0,1000}from\ssshtunnel\simport\sSSHTunnelForwarder.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","45350" "*frpc -c *frpc.ini*",".{0,1000}frpc\s\-c\s.{0,1000}frpc\.ini.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data 
Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45356" "*frpc reload -c *",".{0,1000}frpc\sreload\s\-c\s.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45357" "*frpc status -c *",".{0,1000}frpc\sstatus\s\-c\s.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45358" "*frpc verify -c *",".{0,1000}frpc\sverify\s\-c\s.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45359" "*frpc_windows_amd64.exe*",".{0,1000}frpc_windows_amd64\.exe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45361" "*frpc_windows_arm64.exe*",".{0,1000}frpc_windows_arm64\.exe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - 
TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45362" "*frps -c *frps.toml*",".{0,1000}frps\s\-c\s.{0,1000}frps\.toml.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45363" "*frps_windows_amd64.exe*",".{0,1000}frps_windows_amd64\.exe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45364" "*frps_windows_arm64.exe*",".{0,1000}frps_windows_arm64\.exe.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","1","N/A","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","45365" "*ftp-server -u * -P * -p 2121*",".{0,1000}ftp\-server\s\-u\s.{0,1000}\s\-P\s.{0,1000}\s\-p\s2121.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","45379" "*ftype *findstr 
*dfil*",".{0,1000}ftype\s.{0,1000}findstr\s.{0,1000}dfil.{0,1000}","greyware_tool_keyword","ftype","will return the file type information for file types that include the string dfil - hidden objective is to find cmdfile string","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","45382" "*ftype *findstr *SHCm*",".{0,1000}ftype\s.{0,1000}findstr\s.{0,1000}SHCm.{0,1000}","greyware_tool_keyword","ftype","will return the file type information for file types that include the string SHCm - hidden objective is to find SHCmdFile string","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","45383" "*ftype *findstr dfil*",".{0,1000}ftype\s.{0,1000}findstr\sdfil.{0,1000}","greyware_tool_keyword","ftype","will return the file type information for file types that include the string dfil - hidden objective is to find cmdfile string","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","45384" "*ftype *findstr SHCm*",".{0,1000}ftype\s.{0,1000}findstr\sSHCm.{0,1000}","greyware_tool_keyword","ftype","will return the file type information for file types that include the string SHCm - hidden objective is to find SHCmdFile string","T1033 - T1059 - T1083","TA0007 - TA0002","N/A","N/A","Reconnaissance","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","45385" "*G2MScrUtil64.exe*/cr*",".{0,1000}G2MScrUtil64\.exe.{0,1000}\/cr.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45452" 
"*g2mui.exe*/cr*",".{0,1000}g2mui\.exe.{0,1000}\/cr.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45453" "*gateway.zohoassist.com*",".{0,1000}gateway\.zohoassist\.com.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45482" "*gbfgfbopcfokdpkdigfmoeaajfmpkbnh*",".{0,1000}gbfgfbopcfokdpkdigfmoeaajfmpkbnh.{0,1000}","greyware_tool_keyword","westwind","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","45515" "*gbmdmipapolaohpinhblmcnpmmlgfgje*",".{0,1000}gbmdmipapolaohpinhblmcnpmmlgfgje.{0,1000}","greyware_tool_keyword","Unblock Websites","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","45516" "*gci env:USERNAME*",".{0,1000}gci\senv\:USERNAME.{0,1000}","greyware_tool_keyword","powershell","alternative to whoami","T1033 
","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","45525" "*gci -h C:\pagefile.sys*",".{0,1000}gci\s\-h\sC\:\\pagefile\.sys.{0,1000}","greyware_tool_keyword","powershell","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","N/A","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","45526" "*gcknhkkoolaabfmlnjonogaaifnjlfnp*",".{0,1000}gcknhkkoolaabfmlnjonogaaifnjlfnp.{0,1000}","greyware_tool_keyword","FoxyProxy Standard","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","45527" "*gdb -nx -ex 'python import os*os.execl(\""/bin/sh\*",".{0,1000}gdb\s\-nx\s\-ex\s\'python\simport\sos.{0,1000}os\.execl\(\\\""\/bin\/sh\\.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","45533" "*genie -c '/bin/sh'*",".{0,1000}genie\s\-c\s\'\/bin\/sh\'.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - 
TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","45603" "*geo.netsupportsoftware.com*",".{0,1000}geo\.netsupportsoftware\.com.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45608" "*Gerenios/AADInternals*",".{0,1000}Gerenios\/AADInternals.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45614" "*Get-AADIntAADConnectStatus*",".{0,1000}Get\-AADIntAADConnectStatus.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45659" "*Get-AADIntAccessAccessPackages*",".{0,1000}Get\-AADIntAccessAccessPackages.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - 
T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45660" "*Get-AADIntAccessPackageAdmins*",".{0,1000}Get\-AADIntAccessPackageAdmins.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45661" "*Get-AADIntAccessPackageCatalogs*",".{0,1000}Get\-AADIntAccessPackageCatalogs.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45662" "*Get-AADIntAccessPackages*",".{0,1000}Get\-AADIntAccessPackages.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45663" 
"*Get-AADIntAccessToken*",".{0,1000}Get\-AADIntAccessToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45664" "*Get-AADIntAccessTokenFor*",".{0,1000}Get\-AADIntAccessTokenFor\.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45665" "*Get-AADIntAccessTokenForAADGraph*",".{0,1000}Get\-AADIntAccessTokenForAADGraph.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45666" "*Get-AADIntAccessTokenForAADIAMAPI*",".{0,1000}Get\-AADIntAccessTokenForAADIAMAPI.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - 
TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45667" "*Get-AADIntAccessTokenForAADJoin*",".{0,1000}Get\-AADIntAccessTokenForAADJoin.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45668" "*Get-AADIntAccessTokenForAccessPackages*",".{0,1000}Get\-AADIntAccessTokenForAccessPackages.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45669" "*Get-AADIntAccessTokenForAdmin*",".{0,1000}Get\-AADIntAccessTokenForAdmin.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45670" 
"*Get-AADIntAccessTokenForAzureCoreManagement*",".{0,1000}Get\-AADIntAccessTokenForAzureCoreManagement.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45671" "*Get-AADIntAccessTokenForAzureMgmtAPI*",".{0,1000}Get\-AADIntAccessTokenForAzureMgmtAPI.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45672" "*Get-AADIntAccessTokenForCloudShell*",".{0,1000}Get\-AADIntAccessTokenForCloudShell.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45673" "*Get-AADIntAccessTokenForEXO*",".{0,1000}Get\-AADIntAccessTokenForEXO.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - 
T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45674" "*Get-AADIntAccessTokenForEXOPS*",".{0,1000}Get\-AADIntAccessTokenForEXOPS.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45675" "*Get-AADIntAccessTokenForIntuneMDM*",".{0,1000}Get\-AADIntAccessTokenForIntuneMDM.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45676" "*Get-AADIntAccessTokenForMDM*",".{0,1000}Get\-AADIntAccessTokenForMDM.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45677" 
"*Get-AADIntAccessTokenForMSCommerce*",".{0,1000}Get\-AADIntAccessTokenForMSCommerce.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45678" "*Get-AADIntAccessTokenForMSGraph*",".{0,1000}Get\-AADIntAccessTokenForMSGraph.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45679" "*Get-AADIntAccessTokenForMSPartner*",".{0,1000}Get\-AADIntAccessTokenForMSPartner.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45680" "*Get-AADIntAccessTokenForMySignins*",".{0,1000}Get\-AADIntAccessTokenForMySignins.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - 
TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45681" "*Get-AADIntAccessTokenForOfficeApps*",".{0,1000}Get\-AADIntAccessTokenForOfficeApps.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45682" "*Get-AADIntAccessTokenForOneDrive*",".{0,1000}Get\-AADIntAccessTokenForOneDrive.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45683" "*Get-AADIntAccessTokenForOneNote*",".{0,1000}Get\-AADIntAccessTokenForOneNote.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45684" 
"*Get-AADIntAccessTokenForOneOfficeApps*",".{0,1000}Get\-AADIntAccessTokenForOneOfficeApps.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45685" "*Get-AADIntAccessTokenForPTA*",".{0,1000}Get\-AADIntAccessTokenForPTA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45686" "*Get-AADIntAccessTokenForSARA*",".{0,1000}Get\-AADIntAccessTokenForSARA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45687" "*Get-AADIntAccessTokenForSPO*",".{0,1000}Get\-AADIntAccessTokenForSPO.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - 
TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45688" "*Get-AADIntAccessTokenForTeams*",".{0,1000}Get\-AADIntAccessTokenForTeams.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45689" "*Get-AADIntAccessTokenForWHfB*",".{0,1000}Get\-AADIntAccessTokenForWHfB.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45690" "*Get-AADIntAccessTokenUsingAdminAPI*",".{0,1000}Get\-AADIntAccessTokenUsingAdminAPI.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45691" 
"*Get-AADIntAccessTokenUsingIMDS*",".{0,1000}Get\-AADIntAccessTokenUsingIMDS.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45692" "*Get-AADIntAccessTokenWithRefreshToken*",".{0,1000}Get\-AADIntAccessTokenWithRefreshToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45693" "*Get-AADIntAccountSkus*",".{0,1000}Get\-AADIntAccountSkus.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45694" "*Get-AADIntADFSPolicyStoreRules*",".{0,1000}Get\-AADIntADFSPolicyStoreRules.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - 
TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45695" "*Get-AADIntAdminPortalAccessTokenUsingCBA*",".{0,1000}Get\-AADIntAdminPortalAccessTokenUsingCBA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45696" "*Get-AADIntADUserNTHash*",".{0,1000}Get\-AADIntADUserNTHash.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45697" "*Get-AADIntAdUserNTHash*",".{0,1000}Get\-AADIntAdUserNTHash.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45698" "*Get-AADIntADUserThumbnailPhoto*",".{0,1000}Get\-AADIntADUserThumbnailPhoto.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals 
PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45699" "*Get-AADIntAgentProxyGroups*",".{0,1000}Get\-AADIntAgentProxyGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45700" "*Get-AADIntAzureADFeature*",".{0,1000}Get\-AADIntAzureADFeature.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45701" "*Get-AADIntAzureADFeatures*",".{0,1000}Get\-AADIntAzureADFeatures.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45702" "*Get-AADIntAzureADPolicies*",".{0,1000}Get\-AADIntAzureADPolicies.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45703" "*Get-AADIntAzureAuditLog*",".{0,1000}Get\-AADIntAzureAuditLog.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45704" "*Get-AADIntAzureClassicAdministrators*",".{0,1000}Get\-AADIntAzureClassicAdministrators.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45705" "*Get-AADIntAzureDiagnosticSettings*",".{0,1000}Get\-AADIntAzureDiagnosticSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 
365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45706" "*Get-AADIntAzureDirectoryActivityLog*",".{0,1000}Get\-AADIntAzureDirectoryActivityLog.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45707" "*Get-AADIntAzureInformation*",".{0,1000}Get\-AADIntAzureInformation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45708" "*Get-AADIntAzureResourceGroups*",".{0,1000}Get\-AADIntAzureResourceGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45709" "*Get-AADIntAzureRoleAssignmentId*",".{0,1000}Get\-AADIntAzureRoleAssignmentId.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45710" "*Get-AADIntAzureSignInLog*",".{0,1000}Get\-AADIntAzureSignInLog.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45711" "*Get-AADIntAzureSubscriptions*",".{0,1000}Get\-AADIntAzureSubscriptions.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45712" "*Get-AADIntAzureTenants*",".{0,1000}Get\-AADIntAzureTenants.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - 
T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45713" "*Get-AADIntAzureVMRdpSettings*",".{0,1000}Get\-AADIntAzureVMRdpSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45714" "*Get-AADIntAzureVMs*",".{0,1000}Get\-AADIntAzureVMs.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45715" "*Get-AADIntAzureWireServerAddress*",".{0,1000}Get\-AADIntAzureWireServerAddress.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45716" 
"*Get-AADIntB2CEncryptionKeys*",".{0,1000}Get\-AADIntB2CEncryptionKeys.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45717" "*Get-AADIntCache*",".{0,1000}Get\-AADIntCache.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45718" "*Get-AADIntCertificate*",".{0,1000}Get\-AADIntCertificate.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45719" "*Get-AADIntCompanyInformation*",".{0,1000}Get\-AADIntCompanyInformation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY 
BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45720" "*Get-AADIntCompanyInformation.*",".{0,1000}Get\-AADIntCompanyInformation\..{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45721" "*Get-AADIntCompanyTags*",".{0,1000}Get\-AADIntCompanyTags.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45722" "*Get-AADIntComplianceAPICookies*",".{0,1000}Get\-AADIntComplianceAPICookies.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45723" "*Get-AADIntConditionalAccessPolicies*",".{0,1000}Get\-AADIntConditionalAccessPolicies.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD 
and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45724" "*Get-AADIntDesktopSSOAccountPassword*",".{0,1000}Get\-AADIntDesktopSSOAccountPassword.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45725" "*Get-AADIntDeviceCompliance*",".{0,1000}Get\-AADIntDeviceCompliance.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45726" "*Get-AADIntDeviceRegAuthMethods*",".{0,1000}Get\-AADIntDeviceRegAuthMethods.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45727" "*Get-AADIntDevices*",".{0,1000}Get\-AADIntDevices.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45728" "*Get-AADIntDeviceTransportKey*",".{0,1000}Get\-AADIntDeviceTransportKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45729" "*Get-AADIntDiagnosticSettingsDetails*",".{0,1000}Get\-AADIntDiagnosticSettingsDetails.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45730" "*Get-AADIntDPAPIKeys*",".{0,1000}Get\-AADIntDPAPIKeys.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - 
T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45731" "*Get-AADIntEASAutoDiscover*",".{0,1000}Get\-AADIntEASAutoDiscover.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45732" "*Get-AADIntEASAutoDiscoverV1*",".{0,1000}Get\-AADIntEASAutoDiscoverV1.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45733" "*Get-AADIntEASOptions*",".{0,1000}Get\-AADIntEASOptions.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45734" 
"*Get-AADIntEndpointInstances*",".{0,1000}Get\-AADIntEndpointInstances.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45735" "*Get-AADIntEndpointIps*",".{0,1000}Get\-AADIntEndpointIps.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45736" "*Get-AADIntError*",".{0,1000}Get\-AADIntError.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45737" "*Get-AADIntFOCIClientIDs*",".{0,1000}Get\-AADIntFOCIClientIDs.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45738" "*Get-AADIntGlobalAdmins*",".{0,1000}Get\-AADIntGlobalAdmins.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45739" "*Get-AADIntHybridHealthServiceAccessToken*",".{0,1000}Get\-AADIntHybridHealthServiceAccessToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45740" "*Get-AADIntHybridHealthServiceAgentInfo*",".{0,1000}Get\-AADIntHybridHealthServiceAgentInfo.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45741" "*Get-AADIntHybridHealthServiceBlobUploadKey*",".{0,1000}Get\-AADIntHybridHealthServiceBlobUploadKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell 
module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45742" "*Get-AADIntHybridHealthServiceEventHubPublisherKey*",".{0,1000}Get\-AADIntHybridHealthServiceEventHubPublisherKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45743" "*Get-AADIntHybridHealthServiceMemberCredentials*",".{0,1000}Get\-AADIntHybridHealthServiceMemberCredentials.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45744" "*Get-AADIntHybridHealthServiceMembers*",".{0,1000}Get\-AADIntHybridHealthServiceMembers.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45745" "*Get-AADIntHybridHealthServiceMonitoringPolicies*",".{0,1000}Get\-AADIntHybridHealthServiceMonitoringPolicies.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45746" "*Get-AADIntHybridHealthServices*",".{0,1000}Get\-AADIntHybridHealthServices.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45747" "*Get-AADIntIdentityTokenByLiveId*",".{0,1000}Get\-AADIntIdentityTokenByLiveId.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45748" "*Get-AADIntImmutableID*",".{0,1000}Get\-AADIntImmutableID.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering 
Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45749" "*Get-AADIntKerberosDomainSyncConfig*",".{0,1000}Get\-AADIntKerberosDomainSyncConfig.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45750" "*Get-AADIntKerberosTicket*",".{0,1000}Get\-AADIntKerberosTicket.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45751" "*Get-AADIntLocalDeviceJoinInfo*",".{0,1000}Get\-AADIntLocalDeviceJoinInfo.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45752" "*Get-AADIntLocalUserCredentials*",".{0,1000}Get\-AADIntLocalUserCredentials.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45753" "*Get-AADIntLoginInformation*",".{0,1000}Get\-AADIntLoginInformation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45754" "*Get-AADIntLSABackupKeys*",".{0,1000}Get\-AADIntLSABackupKeys.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45755" "*Get-AADIntLSASecrets*",".{0,1000}Get\-AADIntLSASecrets.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - 
T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45756" "*Get-AADIntMobileDevices*",".{0,1000}Get\-AADIntMobileDevices.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45757" "*Get-AADIntMSPartnerContracts*",".{0,1000}Get\-AADIntMSPartnerContracts.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45758" "*Get-AADIntMSPartnerOffers*",".{0,1000}Get\-AADIntMSPartnerOffers.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45759" 
"*Get-AADIntMSPartnerOrganizations*",".{0,1000}Get\-AADIntMSPartnerOrganizations.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45760" "*Get-AADIntMSPartnerPublishers*",".{0,1000}Get\-AADIntMSPartnerPublishers.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45761" "*Get-AADIntMSPartnerRoleMembers*",".{0,1000}Get\-AADIntMSPartnerRoleMembers.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45762" "*Get-AADIntMSPartners*",".{0,1000}Get\-AADIntMSPartners.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 
- TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45763" "*Get-AADIntMyTeams*",".{0,1000}Get\-AADIntMyTeams.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45764" "*Get-AADIntOAuthGrants*",".{0,1000}Get\-AADIntOAuthGrants.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45765" "*Get-AADIntODAuthenticationCookie*",".{0,1000}Get\-AADIntODAuthenticationCookie.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45766" "*Get-AADIntOfficeUpdateBranch*",".{0,1000}Get\-AADIntOfficeUpdateBranch.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and 
Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45767" "*Get-AADIntOneDriveFiles*",".{0,1000}Get\-AADIntOneDriveFiles.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45768" "*Get-AADIntOpenIDConfiguration*",".{0,1000}Get\-AADIntOpenIDConfiguration.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45769" "*Get-AADIntPortalAccessTokenUsingCBA*",".{0,1000}Get\-AADIntPortalAccessTokenUsingCBA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45770" "*Get-AADIntProxyAgents*",".{0,1000}Get\-AADIntProxyAgents.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45771" "*Get-AADIntProxyGroups*",".{0,1000}Get\-AADIntProxyGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45772" "*Get-AADIntReadAccessTokenForAADGraph*",".{0,1000}Get\-AADIntReadAccessTokenForAADGraph.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45773" "*Get-AADIntRecentLocations*",".{0,1000}Get\-AADIntRecentLocations.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - 
T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45774" "*Get-AADIntRolloutPolicies*",".{0,1000}Get\-AADIntRolloutPolicies.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45775" "*Get-AADIntRolloutPolicyGroups*",".{0,1000}Get\-AADIntRolloutPolicyGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45776" "*Get-AADIntSARAUserInfo*",".{0,1000}Get\-AADIntSARAUserInfo.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45777" 
"*Get-AADIntSeamlessSSO*",".{0,1000}Get\-AADIntSeamlessSSO.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45778" "*Get-AADIntSelfServicePurchaseProducts*",".{0,1000}Get\-AADIntSelfServicePurchaseProducts.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45779" "*Get-AADIntServiceLocations*",".{0,1000}Get\-AADIntServiceLocations.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45780" "*Get-AADIntServicePrincipals*",".{0,1000}Get\-AADIntServicePrincipals.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 
- TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45781" "*Get-AADIntSettings*",".{0,1000}Get\-AADIntSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45782" "*Get-AADIntSharedWithUser*",".{0,1000}Get\-AADIntSharedWithUser.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45783" "*Get-AADIntSkypeToken*",".{0,1000}Get\-AADIntSkypeToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45784" "*Get-AADIntSPOAuthenticationHeader*",".{0,1000}Get\-AADIntSPOAuthenticationHeader.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 
365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45785" "*Get-AADIntSPOIDCRL*",".{0,1000}Get\-AADIntSPOIDCRL.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45786" "*Get-AADIntSPOServiceInformation*",".{0,1000}Get\-AADIntSPOServiceInformation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45787" "*Get-AADIntSPOSettings*",".{0,1000}Get\-AADIntSPOSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45788" 
"*Get-AADIntSPOSiteGroups*",".{0,1000}Get\-AADIntSPOSiteGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45789" "*Get-AADIntSPOSiteUsers*",".{0,1000}Get\-AADIntSPOSiteUsers.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45790" "*Get-AADIntSPOUserProperties*",".{0,1000}Get\-AADIntSPOUserProperties.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45791" "*Get-AADIntSubscriptions*",".{0,1000}Get\-AADIntSubscriptions.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY 
BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45792" "*Get-AADIntSyncConfiguration*",".{0,1000}Get\-AADIntSyncConfiguration.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45793" "*Get-AADIntSyncCredentials*",".{0,1000}Get\-AADIntSyncCredentials.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45794" "*Get-AADIntSyncDeviceConfiguration*",".{0,1000}Get\-AADIntSyncDeviceConfiguration.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45795" "*Get-AADIntSyncEncryptionKey*",".{0,1000}Get\-AADIntSyncEncryptionKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and 
Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45796" "*Get-AADIntSyncEncryptionKeyInfo*",".{0,1000}Get\-AADIntSyncEncryptionKeyInfo.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45797" "*Get-AADIntSyncFeatures*",".{0,1000}Get\-AADIntSyncFeatures.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45798" "*Get-AADIntSyncObjects*",".{0,1000}Get\-AADIntSyncObjects.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45799" 
"*Get-AADIntSystemMasterkeys*",".{0,1000}Get\-AADIntSystemMasterkeys.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45800" "*Get-AADIntTeamsAvailability*",".{0,1000}Get\-AADIntTeamsAvailability.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45801" "*Get-AADIntTeamsMessages*",".{0,1000}Get\-AADIntTeamsMessages.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45802" "*Get-AADIntTenantApplications*",".{0,1000}Get\-AADIntTenantApplications.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - 
TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45803" "*Get-AADIntTenantAuthenticationMethods*",".{0,1000}Get\-AADIntTenantAuthenticationMethods.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45804" "*Get-AADIntTenantAuthPolicy*",".{0,1000}Get\-AADIntTenantAuthPolicy.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45805" "*Get-AADIntTenantDetails*",".{0,1000}Get\-AADIntTenantDetails.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45806" "*Get-AADIntTenantDomain*",".{0,1000}Get\-AADIntTenantDomain.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for 
administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45807" "*Get-AADIntTenantDomains*",".{0,1000}Get\-AADIntTenantDomains.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45808" "*Get-AADIntTenantGuestAccess*",".{0,1000}Get\-AADIntTenantGuestAccess.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45809" "*Get-AADIntTenantID*",".{0,1000}Get\-AADIntTenantID.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45810" "*Get-AADIntTenantOrganisationInformation*",".{0,1000}Get\-AADIntTenantOrganisationInformation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45811" "*Get-AADIntTranslation*",".{0,1000}Get\-AADIntTranslation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45812" "*Get-AADIntUnifiedAuditLogSettings*",".{0,1000}Get\-AADIntUnifiedAuditLogSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45813" "*Get-AADIntUserConnections*",".{0,1000}Get\-AADIntUserConnections.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 
365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45814" "*Get-AADIntUserDetails*",".{0,1000}Get\-AADIntUserDetails.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45815" "*Get-AADIntUserMasterkeys*",".{0,1000}Get\-AADIntUserMasterkeys.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45816" "*Get-AADIntUserMFA*",".{0,1000}Get\-AADIntUserMFA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45817" 
"*Get-AADIntUserMFAApps*",".{0,1000}Get\-AADIntUserMFAApps.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45818" "*Get-AADIntUserNTHash*",".{0,1000}Get\-AADIntUserNTHash.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45819" "*Get-AADIntUserPRTKeys*",".{0,1000}Get\-AADIntUserPRTKeys.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45820" "*Get-AADIntUserPRTToken*",".{0,1000}Get\-AADIntUserPRTToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45821" "*Get-AADIntUserRealm*",".{0,1000}Get\-AADIntUserRealm.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45822" "*Get-AADIntUserRealmExtended*",".{0,1000}Get\-AADIntUserRealmExtended.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45823" "*Get-AADIntUserRealmV2*",".{0,1000}Get\-AADIntUserRealmV2.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45824" "*Get-AADIntUserRealmV3*",".{0,1000}Get\-AADIntUserRealmV3.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - 
T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45825" "*Get-AADIntWindowsCredentialsSyncConfig*",".{0,1000}Get\-AADIntWindowsCredentialsSyncConfig.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","45826" "*get-ADComputer -filter { PrimaryGroupID -eq ""516"" } -properties PrimaryGroupID*",".{0,1000}get\-ADComputer\s\-filter\s\{\sPrimaryGroupID\s\-eq\s\""516\""\s\}\s\-properties\sPrimaryGroupID.{0,1000}","greyware_tool_keyword","ldap queries","cmdlets to get computer information about Domain Controllers","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://adsecurity.org/?p=299","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","45832" "*Get-ADComputer -Filter {TrustedForDelegation -eq $True}*","Get\-ADComputer\s\-Filter\s\{TrustedForDelegation\s\-eq\s\$True\}","greyware_tool_keyword","powershell","AD Module Enumerate computers with Unconstrained Delegation","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45833" "*Get-ADGroup -Filter *Name -like *admin*","Get\-ADGroup\s\-Filter\s.{0,1000}Name\s\-like\s.{0,1000}admin.{0,1000}","greyware_tool_keyword","powershell","AD Module Search 
for a particular string in attributes (admin)","T1087.002 - T1018 - T1069.002","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45843" "*Get-ADGroupMember Administrators -Recursive*",".{0,1000}Get\-ADGroupMember\sAdministrators\s\-Recursive.{0,1000}","greyware_tool_keyword","powershell","Powershell enumerate domains and forests","T1482 - T1069.002","TA0007 - TA0008","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45844" "*Get-ADGroupMember -Identity ""Domain Admins""*",".{0,1000}Get\-ADGroupMember\s\-Identity\s\""Domain\sAdmins\"".{0,1000}","greyware_tool_keyword","powershell","List the members of the ""Domain Admins"" group within Active Directory","T1087.002","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45845" "*Get-ADObject -Filter {msDS-AllowedToDelegateTo * -Properties msDS-AllowedToDelegateTo*","Get\-ADObject\s\-Filter\s\{msDS\-AllowedToDelegateTo\s.{0,1000}\s\-Properties\smsDS\-AllowedToDelegateTo.{0,1000}","greyware_tool_keyword","powershell","AD Module Enumerate principals with Constrained Delegation enabled","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45846" "*Get-ADObject -SearchBase *CN=Shadow Principal Configuration*CN=Services* (Get-ADRootDSE).configurationNamingContext) | select *msDS-ShadowPrincipalSid*","Get\-ADObject\s\-SearchBase\s.{0,1000}CN\=Shadow\sPrincipal\sConfiguration.{0,1000}CN\=Services.{0,1000}\s\(Get\-ADRootDSE\)\.configurationNamingContext\)\s\|\sselect\s.{0,1000}msDS\-ShadowPrincipalSid.{0,1000}","greyware_tool_keyword","powershell","Enumerate shadow security principals mapped to a high priv group","T1069.002 - T1087.002 - T1018","TA0007 - 
TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45847" "*Get-ADUser -filter * -Properties SamAccountName, PasswordNotRequired | where { $_.passwordnotrequired -eq ""true"" } | where {$_.enabled -eq ""true""}*",".{0,1000}Get\-ADUser\s\-filter\s.{0,1000}\s\-Properties\sSamAccountName,\sPasswordNotRequired\s\|\swhere\s\{\s\$_\.passwordnotrequired\s\-eq\s\""true\""\s\}\s\|\swhere\s\{\$_\.enabled\s\-eq\s\""true\""\}.{0,1000}","greyware_tool_keyword","ldap queries","identifying accounts with 'Password Not Required'","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","45858" "*Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth*","Get\-ADUser\s\-Filter\s\{DoesNotRequirePreAuth\s\-eq\s\$True\}\s\-Properties\sDoesNotRequirePreAuth","greyware_tool_keyword","powershell","AD module Enumerate users","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45859" "*Get-ADUser -Filter {TrustedForDelegation -eq $True}*","Get\-ADUser\s\-Filter\s\{TrustedForDelegation\s\-eq\s\$True\}","greyware_tool_keyword","powershell","AD Module Enumerate computers with Unconstrained Delegation","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45860" "*Get-ADUser -properties * -filter {(lastlogondate -notlike ""*"" -OR lastlogondate -le $90days) -AND (passwordlastset -le $90days) -AND (enabled -eq $True) -and (PasswordNeverExpires -eq
$false) -and (whencreated -le $90days)}*",".{0,1000}Get\-ADUser\s\-properties\s.{0,1000}\s\-filter\s\{\(lastlogondate\s\-notlike\s\"".{0,1000}\""\s\-OR\slastlogondate\s\-le\s\$90days\)\s\-AND\s\(passwordlastset\s\-le\s\$90days\)\s\-AND\s\(enabled\s\-eq\s\$True\)\s\-and\s\(PasswordNeverExpires\s\-eq\s\$false\)\s\-and\s\(whencreated\s\-le\s\$90days\)\}.{0,1000}","greyware_tool_keyword","ldap queries","querying accounts that have not been logged into for over 90 days","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","0","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","45861" "*Get-ADUsersWithoutPreAuth*",".{0,1000}Get\-ADUsersWithoutPreAuth.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","45865" "*Get-AppLockerPolicy -Effective *",".{0,1000}Get\-AppLockerPolicy\s\-Effective\s.{0,1000}","greyware_tool_keyword","powershell","AppLocker Get AppLocker policy","T1592","TA0043","N/A","N/A","Reconnaissance","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","greyware tool - risks of False positive !","7","8","N/A","N/A","N/A","N/A","45883" "*getcap -r / 2>*",".{0,1000}getcap\s\-r\s\/\s2\>.{0,1000}","greyware_tool_keyword","getcap","recursively scans all the files starting from the root directory / and lists files with capabilities set","T1082 - T1007","TA0007 - TA0009","N/A","N/A","discovery","N/A","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","45912" "*getcap -r / 2>/dev/null*",".{0,1000}getcap\s\-r\s\/\s2\>\/dev\/null.{0,1000}","greyware_tool_keyword","Getcap","Enumerating File Capabilities with Getcap","T1046 - 
T1083","TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","45913" "*Get-ChildItem -Hidden C:\Users\*\AppData\Local\Microsoft\Credentials\*",".{0,1000}Get\-ChildItem\s\-Hidden\sC\:\\Users\\.{0,1000}\\AppData\\Local\\Microsoft\\Credentials\\.{0,1000}","greyware_tool_keyword","powershell","Find Potential Credential in Files - This directory often contains encrypted credentials or other sensitive files related to user accounts","T1005 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45914" "*Get-ChildItem -Hidden C:\Users\*\AppData\Roaming\Microsoft\Credentials\*",".{0,1000}Get\-ChildItem\s\-Hidden\sC\:\\Users\\.{0,1000}\\AppData\\Roaming\\Microsoft\\Credentials\\.{0,1000}","greyware_tool_keyword","powershell","Find Potential Credential in Files - This directory often contains encrypted credentials or other sensitive files related to user accounts","T1005 - T1552.001","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","45915" "*getcroc.schollz.com*",".{0,1000}getcroc\.schollz\.com.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","1","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","45947" "*Get-DhcpServerv4Scope | Set-DhcpServerv4OptionValue -DnsServer *",".{0,1000}Get\-DhcpServerv4Scope\s\|\sSet\-DhcpServerv4OptionValue\s\-DnsServer\s.{0,1000}","greyware_tool_keyword","powershell","set the DNS server configuration","T1557 - T1584","TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks 
of False positive !","10","10","N/A","N/A","N/A","N/A","45962" "*Get-DomainComputer -TrustedToAuth*","Get\-DomainComputer\s\-TrustedToAuth","greyware_tool_keyword","powershell","AD Module Enumerate principals with Constrained Delegation enabled","T1021.004 - T1087.002 - T1018","TA0007 - TA0008 - TA0011","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45969" "*Get-DomainUser -KerberosPreuthNotRequired -Verbose*",".{0,1000}Get\-DomainUser\s\-KerberosPreuthNotRequired\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Powerview Enumerate users","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","45994" "*getent passwd | cut -d: -f1*",".{0,1000}getent\spasswd\s\|\scut\s\-d\:\s\-f1.{0,1000}","greyware_tool_keyword","getent","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","46000" "*Get-GPO -All*","Get\-GPO\s\-All","greyware_tool_keyword","powershell","AD Module GroupPolicy - List of GPO in the domain","T1087.002 - T1018 - T1069.002","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","46028" "*Get-LAPSPasswords.ps1*",".{0,1000}Get\-LAPSPasswords\.ps1.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can 
provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","46090" "*Get-LoggedonLocal -ComputerName *",".{0,1000}Get\-LoggedonLocal\s\-ComputerName\s.{0,1000}","greyware_tool_keyword","powershell","PowerView get Locally logged users on a machine","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","46097" "*Get-Module AADInternals*",".{0,1000}Get\-Module\sAADInternals.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","46117" "*Get-MpComputerStatus*",".{0,1000}Get\-MpComputerStatus.{0,1000}","greyware_tool_keyword","powershell","Gets the status of antimalware software on the computer.","T1063","TA0005 - TA0007","N/A","N/A","Discovery","https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46118" "*Get-MpPreference | Select-Object -ExpandProperty ExclusionPath*",".{0,1000}Get\-MpPreference\s\|\sSelect\-Object\s\-ExpandProperty\sExclusionPath.{0,1000}","greyware_tool_keyword","powershell","get defender AV exclusions","T1059.003 - T1202 - T1212","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","4","8","N/A","N/A","N/A","N/A","46119" 
"*Get-NetForestCatalog*",".{0,1000}Get\-NetForestCatalog.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46133" "*Get-NetForestDomain*",".{0,1000}Get\-NetForestDomain.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46135" "*Get-NetForestTrust*",".{0,1000}Get\-NetForestTrust.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46136" "*Get-NetGroup -FullData*","Get\-NetGroup\s\-FullData.{0,1000}","greyware_tool_keyword","powershell","Find groups in the current domain (PowerView)","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","46139" "*Get-NetGroupMember -GroupName *DNSAdmins*",".{0,1000}Get\-NetGroupMember\s\-GroupName\s.{0,1000}DNSAdmins.{0,1000}","greyware_tool_keyword","powershell","the command is used to discover the members of a specific domain group DNSAdmins which can provide an adversary with valuable information about the target environment. 
The knowledge of group members can be exploited by attackers to identify potential targets for privilege escalation or Lateral Movement within the network.","T1069.001","TA0007","N/A","N/A","Reconnaissance","N/A","1","0","N/A","greyware tool - risks of False positive !","7","8","N/A","N/A","N/A","N/A","46140" "*Get-NetSession*",".{0,1000}Get\-NetSession.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46150" "*Get-NetShare*",".{0,1000}Get\-NetShare.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46152" "*Get-NetSubnet*",".{0,1000}Get\-NetSubnet.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46153" "*Get-NetUser -SPN*",".{0,1000}Get\-NetUser\s\-SPN.{0,1000}","greyware_tool_keyword","powershell","PowerView Find users with SPN","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","46155" "*Get-RegistryAutoLogon*",".{0,1000}Get\-RegistryAutoLogon.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46200" "*Get-SiteListPassword*",".{0,1000}Get\-SiteListPassword.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46237" "*getsupportservice_common_dameware\logs*",".{0,1000}getsupportservice_common_dameware\\logs.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46282" "*Get-TimedScreenshot*",".{0,1000}Get\-TimedScreenshot.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46296" "*Get-UnquotedService*",".{0,1000}Get\-UnquotedService.{0,1000}","greyware_tool_keyword","PowerSploit","PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. 
PowerSploit is comprised of the following modules and scripts","T1134 - T1087.001 - T1123 - T1547.001 - T1547.005 - T1059.001 - T1543.003 - T1555.004 - T1005 - T1482 - T1574.001 - T1574.007 - T1574.008 - T1574.009 - T1056.001 - T1027.005 - T1027.010 - T1003.001 - T1057 - T1055.001 - T1012 - T1620 - T1053.005 - T1113 - T1558.003 - T1552.002 - T1552.006 - T1047","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0008 - TA0009 - TA0011","N/A","Dispossessor - MAZE - Conti - PYSA - Avaddon - Black Basta - APT33 - Earth Lusca - APT41 - MuddyWater - FIN7 - menuPass - Leviathan - TA505 - Patchwork - FIN13 - WIZARD SPIDER - INDRIK SPIDER - PowerPool - APT32 - QUILTED TIGER - COZY BEAR - Turla","Framework","https://github.com/PowerShellMafia/PowerSploit","1","0","N/A","N/A","10","10","12274","4660","2020-08-17T23:19:49Z","2012-05-26T16:08:48Z","46304" "*Get-WmiObject -class SMS_Authority -namespace root\CCM*",".{0,1000}Get\-WmiObject\s\-class\sSMS_Authority\s\-namespace\sroot\\CCM.{0,1000}","greyware_tool_keyword","Get-WmiObject","Get SCCM server with Get-WmiObject","T1087 - T1018","TA0007 - TA0002","N/A","N/A","Discovery","https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1","1","0","N/A","N/A","5","8","N/A","N/A","N/A","N/A","46340" "*Get-WmiObject -Namespace ""root\directory\ldap"" -Class ds_user *",".{0,1000}Get\-WmiObject\s\-Namespace\s\""root\\directory\\ldap\""\s\-Class\sds_user\s.{0,1000}","greyware_tool_keyword","Get-WmiObject","Get all users","T1087 - T1018","TA0007 - TA0002","N/A","N/A","Discovery","https://github.com/alperenugurlu/AD_Enumeration_Hunt/blob/alperen_ugurlu_hack/AD_Enumeration_Hunt.ps1","1","0","N/A","N/A","5","1","93","18","2023-08-05T06:10:26Z","2023-08-05T05:16:57Z","46341" "*Get-WmiObject win32_loggedonuser -ComputerName *",".{0,1000}Get\-WmiObject\swin32_loggedonuser\s\-ComputerName\s.{0,1000}","greyware_tool_keyword","Get-WmiObject","Get logged on user on remote host with 
Get-WmiObject","T1049 - T1018 - T1087","TA0007 - TA0002 - TA0009","N/A","N/A","Discovery","https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1","1","0","N/A","N/A","5","8","N/A","N/A","N/A","N/A","46342" "*Get-WmiObject Win32_ShadowCopy | Remove-WmiObject*",".{0,1000}Get\-WmiObject\sWin32_ShadowCopy\s\|\sRemove\-WmiObject.{0,1000}","greyware_tool_keyword","powershell","delete shadow copies","T1490 - T1562.002","TA0040 - TA0007","N/A","N/A","Defense Evasion","https://rexorvc0.com/2024/06/19/Akira-The-Old-New-Style-Crime/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46343" "*ggackgngljinccllcmbgnpgpllcjepgc*",".{0,1000}ggackgngljinccllcmbgnpgpllcjepgc.{0,1000}","greyware_tool_keyword","WindmillVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","46361" "*ghcr.io/agrinman/tunnelto*",".{0,1000}ghcr\.io\/agrinman\/tunnelto.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","46378" "*ghcr.io/ao-space/gt:client-dev*",".{0,1000}ghcr\.io\/ao\-space\/gt\:client\-dev.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","46379" 
"*ghcr.io/ao-space/gt:server-dev*",".{0,1000}ghcr\.io\/ao\-space\/gt\:server\-dev.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","46380" "*gimp -idf --batch-interpreter=python-fu-eval -b 'import os* os.execl(*/bin/sh*",".{0,1000}gimp\s\-idf\s\-\-batch\-interpreter\=python\-fu\-eval\s\-b\s\'import\sos.{0,1000}\sos\.execl\(.{0,1000}\/bin\/sh.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","46413" "*github*/xmrig/xmrig*",".{0,1000}github.{0,1000}\/xmrig\/xmrig.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","46427" "*github*ao-space/gt*",".{0,1000}github.{0,1000}ao\-space\/gt.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","1","N/A","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","46428" "*github*koding/tunnel*",".{0,1000}github.{0,1000}koding\/tunnel.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. 
What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","1","N/A","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","46429" "*github.com*/jprq/releases/download/*",".{0,1000}github\.com.{0,1000}\/jprq\/releases\/download\/.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","46430" "*github.com/tailscale*",".{0,1000}github\.com\/tailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","46441" "*gitlab.com/SoftEther/VPN.git*",".{0,1000}gitlab\.com\/SoftEther\/VPN\.git.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","46445" "*gjknjjomckknofjidppipffbpoekiipm*",".{0,1000}gjknjjomckknofjidppipffbpoekiipm.{0,1000}","greyware_tool_keyword","VPN Free","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","46452" "*gkojfkhlekighikafcpjkiklfbnlmeio*",".{0,1000}gkojfkhlekighikafcpjkiklfbnlmeio.{0,1000}","greyware_tool_keyword","Hola Free VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","46453" "*GlavSoft LLC.*",".{0,1000}GlavSoft\sLLC\..{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46455" "*global.rel.tunnels.api.visualstudio.com*",".{0,1000}global\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","46468" "*global.rel.tunnels.api.visualstudio.com*",".{0,1000}global\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","vscode","Starts a reverse connection over global.rel.tunnels.api.visualstudio.com via websockets","T1090.003 - T1059.001 - T1071.001","TA0011 - TA0002","N/A","N/A","C2","https://badoption.eu/blog/2023/01/31/code_c2.html","0","1","N/A","risk of False positive","10","10","N/A","N/A","N/A","N/A","46469" "*gnirotinoMemitlaeRelbasiD*",".{0,1000}gnirotinoMemitlaeRelbasiD.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46487" "*gogost/gost*",".{0,1000}gogost\/gost.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","46572" "*go-gost/gost*",".{0,1000}go\-gost\/gost.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","46573" "*GoodSync Server*",".{0,1000}GoodSync\sServer.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data 
Exfiltration","https://www.goodsync.com/","1","0","N/A","Service Name","9","10","N/A","N/A","N/A","N/A","46586" "*GoodSync-vsub-2Go-Setup.exe*",".{0,1000}GoodSync\-vsub\-2Go\-Setup\.exe.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","1","N/A","portable version","9","10","N/A","N/A","N/A","N/A","46587" "*google-chrome-stable_current_amd64.deb*",".{0,1000}google\-chrome\-stable_current_amd64\.deb.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46600" "*gost -L=*@*",".{0,1000}gost\s\-L\=.{0,1000}\@.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","46623" "*gost -L=socks5://*",".{0,1000}gost\s\-L\=socks5\:\/\/.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","0","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","46629" "*GoTo MyPC Installer.exe*",".{0,1000}GoTo\sMyPC\sInstaller\.exe.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - 
TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46641" "*GOTO MYPC INSTALLER.EXE-*.pf*",".{0,1000}GOTO\sMYPC\sINSTALLER\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46642" "*GoTo Opener.exe *",".{0,1000}GoTo\sOpener\.exe\s.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46643" "*GOTO OPENER.EXE-*.pf*",".{0,1000}GOTO\sOPENER\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46644" "*Goto.exe*?type=crashpad-handler*",".{0,1000}Goto\.exe.{0,1000}\?type\=crashpad\-handler.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46645" "*GoToMyPC_Installation.log*",".{0,1000}GoToMyPC_Installation\.log.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows 
users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46646" "*GoToMyPC_Setup.log*",".{0,1000}GoToMyPC_Setup\.log.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46647" "*GoToMyPCSetup_x64.msi*",".{0,1000}GoToMyPCSetup_x64\.msi.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46648" "*GoToScrUtils.exe*/cr*",".{0,1000}GoToScrUtils\.exe.{0,1000}\/cr.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","46649" "*gotunnelme *",".{0,1000}gotunnelme\s.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","0","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","46650" "*gpg --list-keys*",".{0,1000}gpg\s\-\-list\-keys.{0,1000}","greyware_tool_keyword","gpg","List gpg keys for privilege 
escalation","T1553.002","TA0006","N/A","N/A","Privilege Escalation","N/A","1","0","N/A","N/A","4","8","N/A","N/A","N/A","N/A","46657" "*gpg_keys/xmrig.asc*",".{0,1000}gpg_keys\/xmrig\.asc.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","46658" "*Grant-AADIntAzureUserAccessAdminRole*",".{0,1000}Grant\-AADIntAzureUserAccessAdminRole.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","46680" "*grep -* *DBPassword*",".{0,1000}grep\s\-.{0,1000}\s.{0,1000}DBPassword.{0,1000}","greyware_tool_keyword","grep","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. 
# search for plain text user/passwords","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","46705" "*grep *password /var/www*",".{0,1000}grep\s.{0,1000}password\s\/var\/www.{0,1000}","greyware_tool_keyword","grep","search for passwords","T1005 - T1083 - T1213","TA0006","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","46706" "*grep *password.* /etc/*.conf*",".{0,1000}grep\s.{0,1000}password\..{0,1000}\s\/etc\/.{0,1000}\.conf.{0,1000}","greyware_tool_keyword","grep","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. # search for plain text user/passwords","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","46707" "*grep :0: /etc/passwd*",".{0,1000}grep\s\:0\:\s\/etc\/passwd.{0,1000}","greyware_tool_keyword","grep","Look for users with a UID of 0","T1005 - T1083 - T1213","TA0006","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","46708" "*grep -i pass *",".{0,1000}grep\s\-i\spass\s.{0,1000}","greyware_tool_keyword","grep","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/","1","0","#linux","greyware tool - risks of False positive 
!","3","6","N/A","N/A","N/A","N/A","46709" "*grep -i user *",".{0,1000}grep\s\-i\suser\s.{0,1000}","greyware_tool_keyword","grep","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. # search for plain text user/passwords","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","https://gtfobins.github.io/","1","0","#linux","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","46710" "*grep -R db_passwd*",".{0,1000}grep\s\-R\sdb_passwd.{0,1000}","greyware_tool_keyword","grep","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. # search for plain text user/passwords","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","46711" "*grep -roiE *password*",".{0,1000}grep\s\-roiE\s.{0,1000}password.{0,1000}","greyware_tool_keyword","grep","Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. 
# search for plain text user/passwords","T1059 - T1046 - T1087.002 - T1078.004","TA0002 - TA0007 - TA0004 - TA0006","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","46712" "*grep*|pwd=|passwd=|password=*",".{0,1000}grep.{0,1000}\|pwd\=\|passwd\=\|password\=.{0,1000}","greyware_tool_keyword","grep","search for passwords","T1005 - T1083 - T1213","TA0006","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","46713" "*grep*password|pwd|pass*",".{0,1000}grep.{0,1000}password\|pwd\|pass.{0,1000}","greyware_tool_keyword","grep","search for passwords","T1213 - T1081","TA0006 - TA0007","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","46714" "*groupadd boringproxy*",".{0,1000}groupadd\sboringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","46721" "*gtfobins*",".{0,1000}gtfobins.{0,1000}","greyware_tool_keyword","gtfobins","GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems - malicious use of legitimate binaries","T1059 - T1068 - T1136","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://gtfobins.github.io/","1","1","#linux","high false positive risks - low signal","2","5","N/A","N/A","N/A","N/A","46793" "*hackforums.net/*",".{0,1000}hackforums\.net\/.{0,1000}","greyware_tool_keyword","hackforums.net","Hack Forums - a well-known online community frequently referenced in various pieces of malicious code","T1588.003","TA0011","N/A","N/A","Exploitation tool","hackforums.net","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","46848" "*--headless --disable-gpu --disable-logging --dump-dom https://getip.pro*",".{0,1000}\-\-headless\s\-\-disable\-gpu\s\-\-disable\-logging\s\-\-dump\-dom\shttps\:\/\/getip\.pro.{0,1000}","greyware_tool_keyword","ducktail","infostealer command to retrieve public ip address","T1596 - T1590.005","TA0043 - TA0007 - TA0009","Ducktail ","N/A","Reconnaissance","https://www.trendmicro.com/en_be/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","47077" "*hhdobjgopfphlmjbmnpglhfcgppchgje*",".{0,1000}hhdobjgopfphlmjbmnpglhfcgppchgje.{0,1000}","greyware_tool_keyword","AdGuard VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in 
registry","8","10","N/A","N/A","N/A","N/A","47146" "*higioemojdadgdbhbbbkfbebbdlfjbip*",".{0,1000}higioemojdadgdbhbbbkfbebbdlfjbip.{0,1000}","greyware_tool_keyword","Unlimited VPN & Proxy by ibVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","47172" "*HINT: PAExec probably needs to be *",".{0,1000}HINT\:\sPAExec\sprobably\sneeds\sto\sbe\s.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","47188" "*hipncndjamdcmphkgngojegjblibadbe*",".{0,1000}hipncndjamdcmphkgngojegjblibadbe.{0,1000}","greyware_tool_keyword","RusVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","47201" "*HISTCONTROL=ignoredups:ignorespace*",".{0,1000}HISTCONTROL\=ignoredups\:ignorespace.{0,1000}","greyware_tool_keyword","bash","use a space in front of your bash command and it won't be logged with the following option","T1070.004 - T1562.001","TA0005 ","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive ! 
Misconfiguration","8","10","N/A","N/A","N/A","N/A","47202" "*history -a* tail -n1 ~/.bash_history > /dev/tcp/*/*",".{0,1000}history\s\-a.{0,1000}\stail\s\-n1\s\~\/\.bash_history\s\>\s\/dev\/tcp\/.{0,1000}\/.{0,1000}","greyware_tool_keyword","bash keylogger","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Exploitation tool","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","47203" "*history -c*",".{0,1000}history\s\-c.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","47204" "*history -d -2 && history -d -1*",".{0,1000}history\s\-d\s\-2\s\&\&\shistory\s\-d\s\-1.{0,1000}","greyware_tool_keyword","history","Removes the most recently logged command.","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","47205" "*HISTORY=/dev/null*",".{0,1000}HISTORY\=\/dev\/null.{0,1000}","greyware_tool_keyword","bash","Clear command history in linux which is used for defense evasion. 
","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","47207" "*HKCR\.anydesk\*",".{0,1000}HKCR\\\.anydesk\\.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47214" "*HKCR\.vnc*",".{0,1000}HKCR\\\.vnc.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","47215" "*HKCR\.vnc*",".{0,1000}HKCR\\\.vnc.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","47216" "*HKCR\nsm\shell\open\command*",".{0,1000}HKCR\\nsm\\shell\\open\\command.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","47217" 
"*HKCR\NSScriptFile\*",".{0,1000}HKCR\\NSScriptFile\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","47218" "*HKCR\REMOTEPC*",".{0,1000}HKCR\\REMOTEPC.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","47219" "*HKCR\supremo\shell\*",".{0,1000}HKCR\\supremo\\shell\\.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","47220" "*HKEY_CLASSES_ROOT\rustdesk*",".{0,1000}HKEY_CLASSES_ROOT\\rustdesk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","47223" "*HKEY_CURRENT_USER\Software\ATERA Networks*",".{0,1000}HKEY_CURRENT_USER\\Software\\ATERA\sNetworks.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - 
Dispossessor","RMM","https://www.atera.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","47226" "*HKEY_LOCAL_MACHINE\SOFTWARE\ATERA Networks*",".{0,1000}HKEY_LOCAL_MACHINE\\SOFTWARE\\ATERA\sNetworks.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","47227" "*HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\*",".{0,1000}HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","47228" "*HKLM\SOFTWARE\Box\Box*",".{0,1000}HKLM\\SOFTWARE\\Box\\Box.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","0","#registry","N/A","6","7","N/A","N/A","N/A","N/A","47229" "*HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System* /v EnableLUA /t REG_DWORD /d 0 /f*",".{0,1000}HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System.{0,1000}\s\/v\sEnableLUA\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disables User Account Control","T1112","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://github.com/nathanlopez/Stitch/blob/8e22e91c94237959c02d521aab58dc7e3d994cea/PyLib/disableUAC.py#L8","1","0","#registry","N/A","10","10","3285","677","2024-01-04T20:02:51Z","2017-01-06T02:26:01Z","47230" "*HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels"" /v DisableDevTunnelsInVisualStudio /t REG_DWORD /d 0 /f*",".{0,1000}HKLM\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels\""\s\/v\sDisableDevTunnelsInVisualStudio\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47231" "*HKLM\SOFTWARE\SoftEther VPN *",".{0,1000}HKLM\\SOFTWARE\\SoftEther\sVPN\s.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#registry #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47232" "*HKLM\SOFTWARE\TeamViewer*",".{0,1000}HKLM\\SOFTWARE\\TeamViewer.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#registry","FP risk - teamviewer 
usage","10","10","N/A","N/A","N/A","N/A","47233" "*HKLM\System\CurrentControlSet\Services\Client32*",".{0,1000}HKLM\\System\\CurrentControlSet\\Services\\Client32.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","47234" "*HKLM\Vpn_Check_Admin_Key_*",".{0,1000}HKLM\\Vpn_Check_Admin_Key_.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#registry #VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47235" "*hnmpcagpplmpfojmgmnngilcnanddlhb*",".{0,1000}hnmpcagpplmpfojmgmnngilcnanddlhb.{0,1000}","greyware_tool_keyword","Windscribe","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","47250" "*hoapmlpnmpaehilehggglehfdlnoegck*",".{0,1000}hoapmlpnmpaehilehggglehfdlnoegck.{0,1000}","greyware_tool_keyword","Tunnello VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","47252" "*homeassistant.local:8123*",".{0,1000}homeassistant\.local\:8123.{0,1000}","greyware_tool_keyword","homeway.io","Expose local servers to the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://homeway.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47262" "*'host' => 'sharedwithexpose.com'*",".{0,1000}\'host\'\s\=\>\s\'sharedwithexpose\.com\'.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","0","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","47281" "*HostVersion=2.0*EngineVersion=2.0*",".{0,100}(?s)HostVersion\=2\.0.+?(?=EngineVersion\=)EngineVersion\=2.{0,100}","greyware_tool_keyword","powershell","downgrading to powershell version 2","T1059.001 - T1546.015 - T1086","TA0002 - TA0003 - TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47289" "*http*.sslip.io*",".{0,1000}http.{0,1000}\.sslip\.io.{0,1000}","greyware_tool_keyword","sslip.io","sslip.io is a DNS server that maps specially-crafted DNS A records to IP addresses e.g. 
127-0-0-1.sslip.io maps to 127.0.0.1","T1568.002 - T1048.003","TA0003 - TA0004","N/A","N/A","C2","https://github.com/cunnie/sslip.io","1","1","N/A","legitimate tool abused by threat actor to bypass IP blockage and encrypt traffic","6","10","737","79","2025-04-04T14:05:21Z","2015-08-26T18:43:35Z","47332" "*http*/agent-api-*.atera.com*",".{0,1000}http.{0,1000}\/agent\-api\-.{0,1000}\.atera\.com.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47334" "*http*api.zrok.*",".{0,1000}http.{0,1000}api\.zrok\..{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","47362" "*http://*.interact.sh*",".{0,1000}http\:\/\/.{0,1000}\.interact\.sh.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. 
It is a tool designed to detect vulnerabilities that cause external interactions but is abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","47373" "*http://*.localhost.run*",".{0,1000}http\:\/\/.{0,1000}\.localhost\.run.{0,1000}","greyware_tool_keyword","localhost.run","Put a locally running HTTP HTTPS or TLS app on the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://localhost.run/","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47374" "*http://*.ngrok.io*","http\:\/\/.{0,1000}\.ngrok\.io.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","47375" "*http://*.pagekite.me*",".{0,1000}http\:\/\/.{0,1000}\.pagekite\.me.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","47384" "*http://*.remote.moe/*",".{0,1000}http\:\/\/.{0,1000}\.remote\.moe\/.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port 
forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","47385" "*http://*.serveo.net*",".{0,1000}http\:\/\/.{0,1000}\.serveo\.net.{0,1000}","greyware_tool_keyword","serveo.net","Expose local servers to the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://serveo.net","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47386" "*http://*.ssi.sh*",".{0,1000}http\:\/\/.{0,1000}\.ssi\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","1","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","47387" "*http://*.trycloudfare.com*",".{0,1000}http\:\/\/.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47390" "*http://*.tunnelmole.net*",".{0,1000}http\:\/\/.{0,1000}\.tunnelmole\.net.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","47391" "*http://*.zrok.io*",".{0,1000}http\:\/\/.{0,1000}\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP 
TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","47392" "*http://*:9000/restic*",".{0,1000}http\:\/\/.{0,1000}\:9000\/restic.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","47398" "*http://127.0.0.1:18080*",".{0,1000}http\:\/\/127\.0\.0\.1\:18080.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","47414" "*http://127.0.0.1:2019/id/*",".{0,1000}http\:\/\/127\.0\.0\.1\:2019\/id\/.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","47415" "*http://127.0.0.1:3320/-/healthcheck*",".{0,1000}http\:\/\/127\.0\.0\.1\:3320\/\-\/healthcheck.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","1","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","47417" "*http://127.0.0.1:4000*",".{0,1000}http\:\/\/127\.0\.0\.1\:4000.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","47419" "*http://127.0.0.1:4040/api/logs/*",".{0,1000}http\:\/\/127\.0\.0\.1\:4040\/api\/logs\/.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","1","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","47420" "*http://127.0.0.1:4040/api/tunnels*",".{0,1000}http\:\/\/127\.0\.0\.1\:4040\/api\/tunnels.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","47421" "*http://127.0.0.1:8000/gate.html*",".{0,1000}http\:\/\/127\.0\.0\.1\:8000\/gate\.html.{0,1000}","greyware_tool_keyword","golang_c2","C2 written in Go for red teams aka gorfice2k","T1071 - T1021 - T1090","TA0011 - TA0008 - TA0010","N/A","N/A","C2","https://github.com/m00zh33/golang_c2","1","1","N/A","N/A","10","10","6","8","2019-03-18T00:46:41Z","2019-03-19T02:39:59Z","47429" 
"*http://127.0.0.1:8384*",".{0,1000}http\:\/\/127\.0\.0\.1\:8384.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","47435" "*http://127.0.0.1:9191*",".{0,1000}http\:\/\/127\.0\.0\.1\:9191.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","47437" "*http://antibody-software.com/files/wiztreeversion.php*",".{0,1000}http\:\/\/antibody\-software\.com\/files\/wiztreeversion\.php.{0,1000}","greyware_tool_keyword","wiztree","legitimate tool abused by threat actors to obtain network files and directory listings","T1083","TA0007","N/A","Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal","Discovery","N/A","1","1","N/A","N/A","3","6","N/A","N/A","N/A","N/A","47445" "*http://api.guerrillamail.com/ajax.php?*",".{0,1000}http\:\/\/api\.guerrillamail\.com\/ajax\.php\?.{0,1000}","greyware_tool_keyword","guerrillamail","using the API of a disposable email address to use anytime - could be abused by malicious actors","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","https://www.guerrillamail.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47446" "*http://arslan.koding.io/*",".{0,1000}http\:\/\/arslan\.koding\.io\/.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to 
your local machine over a tunnel connection from the local machine to the public server. What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","1","N/A","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","47447" "*http://bore.pub/*",".{0,1000}http\:\/\/bore\.pub\/.{0,1000}","greyware_tool_keyword","bore","bore is a simple CLI tool for making tunnels to localhost","T1090 - T1090.003 - T1572 - T1572.001","TA0042 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/ekzhang/bore","1","1","N/A","N/A","10","10","9634","410","2025-04-14T21:52:18Z","2022-04-04T02:47:54Z","47453" "*http://canarytokens.com/*/*",".{0,1000}http\:\/\/canarytokens\.com\/.{0,1000}\/.{0,1000}","greyware_tool_keyword","canarytokens.com","free honeypot detection tokens but also abused by attacker for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","http://canarytokens.com","1","1","N/A","Out of band interaction domains","10","10","N/A","N/A","N/A","N/A","47455" "*http://dnslog.cn/*",".{0,1000}http\:\/\/dnslog\.cn\/.{0,1000}","greyware_tool_keyword","dnslog.cn","allows users to create a unique URL to collect and inspect HTTP requests. 
It is commonly used for debugging webhooks - it can also be abused by attackers for verifying the reachability and effectiveness of their payloads","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","http://dnslog.cn","1","1","N/A","Out of band interaction domains","10","10","N/A","N/A","N/A","N/A","47456" "*http://dsrt.dyndns.org:8888/uvs_freeupdate_en.htm*",".{0,1000}http\:\/\/dsrt\.dyndns\.org\:8888\/uvs_freeupdate_en\.htm.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47457" "*http://dsrt.dyndns.org:8888/uvs_register_en.htm*",".{0,1000}http\:\/\/dsrt\.dyndns\.org\:8888\/uvs_register_en\.htm.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47458" "*http://get-my-ip.ddns.softether-network.net/ddns/getmyip.ashx*",".{0,1000}http\:\/\/get\-my\-ip\.ddns\.softether\-network\.net\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47460" 
"*http://get-my-ip.ddns.uxcom.jp/ddns/getmyip.ashx*",".{0,1000}http\:\/\/get\-my\-ip\.ddns\.uxcom\.jp\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47461" "*http://get-my-ip-v6.ddns.softether-network.net/ddns/getmyip.ashx*",".{0,1000}http\:\/\/get\-my\-ip\-v6\.ddns\.softether\-network\.net\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47462" "*http://get-my-ip-v6.ddns.uxcom.jp/ddns/getmyip.ashx*",".{0,1000}http\:\/\/get\-my\-ip\-v6\.ddns\.uxcom\.jp\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47463" "*http://localhost:1337*",".{0,1000}http\:\/\/localhost\:1337.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","47472" 
"*http://localhost:1337/previewlogin*",".{0,1000}http\:\/\/localhost\:1337\/previewlogin.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","47473" "*http://localhost:7681*",".{0,1000}http\:\/\/localhost\:7681.{0,1000}","greyware_tool_keyword","supershell","Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel it obtains a fully interactive Shell and supports multi-platform architecture Payload","T1090 - T1059 - T1021","TA0011 - TA0005 - TA0002","N/A","N/A","C2","https://github.com/tdragon6/Supershell","1","1","N/A","N/A","10","10","1561","196","2023-09-26T13:53:55Z","2023-03-25T15:02:43Z","47480" "*http://localhost:7777*",".{0,1000}http\:\/\/localhost\:7777.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","47481" "*http://local-tailscaled.sock*",".{0,1000}http\:\/\/local\-tailscaled\.sock.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","47487" "*http://pastie.org/p/*/raw*",".{0,1000}http\:\/\/pastie\.org\/p\/.{0,1000}\/raw.{0,1000}","greyware_tool_keyword","pastie.org","accessing paste raw 
content","T1119","TA0009","N/A","N/A","Collection","http://pastie.org/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","47503" "*http://pastie.org/pastes/create*",".{0,1000}http\:\/\/pastie\.org\/pastes\/create.{0,1000}","greyware_tool_keyword","pastie.org","sending data to a pastebin","T1567.002","TA0010","N/A","N/A","Data Exfiltration","http://pastie.org/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","47504" "*http://requestbin.net/r/*",".{0,1000}http\:\/\/requestbin\.net\/r\/.{0,1000}","greyware_tool_keyword","requestbin.net","allows users to create a unique URL to collect and inspect HTTP requests. It is commonly used for debugging webhooks - it can also be abused by attackers for verifying the reachability and effectiveness of their payloads","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","http://requestbin.net","1","1","N/A","Out of band interaction domains","10","10","N/A","N/A","N/A","N/A","47507" "*http://senet.aoi.flets-east.jp/ddns/getmyip.ashx*",".{0,1000}http\:\/\/senet\.aoi\.flets\-east\.jp\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47508" "*http://senet.p-ns.flets-west.jp/ddns/getmyip.ashx*",".{0,1000}http\:\/\/senet\.p\-ns\.flets\-west\.jp\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47509" 
"*http://senet-flets.v6.softether.co.jp/ddns/getmyip.ashx*",".{0,1000}http\:\/\/senet\-flets\.v6\.softether\.co\.jp\/ddns\/getmyip\.ashx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47510" "*http://support.kaspersky.com/viruses/tdsskiller.xmlt*",".{0,1000}http\:\/\/support\.kaspersky\.com\/viruses\/tdsskiller\.xmlt.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47515" "*http://tcp.btunnel.in*",".{0,1000}http\:\/\/tcp\.btunnel\.in.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","47518" "*http://temp.sh/*/*",".{0,1000}https\:\/\/temp\.sh\/.{0,1000}\/.{0,1000}","greyware_tool_keyword","temp.sh","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Black Basta","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47519" "*http://up.pagekite.net/*",".{0,1000}http\:\/\/up\.pagekite\.net\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a 
fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","47522" "*http://update.iobit.com/infofiles/iobitunlocker.upt*",".{0,1000}http\:\/\/update\.iobit\.com\/infofiles\/iobitunlocker\.upt.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","1","N/A","often used legitimately - admin tool","5","9","N/A","N/A","N/A","N/A","47523" "*http://www.advanced-port-scanner.com/checkupdate.php*",".{0,1000}http\:\/\/www\.advanced\-port\-scanner\.com\/checkupdate\.php.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","47527" "*http://www.epoolsoft.com/pchunter/pchunter_free*",".{0,1000}http\:\/\/www\.epoolsoft\.com\/pchunter\/pchunter_free.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47531" "*http://www.epoolsoft.com/PCHunter_Standard*",".{0,1000}http\:\/\/www\.epoolsoft\.com\/PCHunter_Standard.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47532" "*http://www.proxifier.com/distr/last_versions/ProxifierMac*",".{0,1000}http\:\/\/www\.proxifier\.com\/distr\/last_versions\/ProxifierMac.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","47538" "*http://www.proxifier.com/distr/last_versions/ProxifierPortable*",".{0,1000}http\:\/\/www\.proxifier\.com\/distr\/last_versions\/ProxifierPortable.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","47539" 
"*http://zerobinftagjpeeebbvyzjcqyjpmjvynj5qlexwyxe7l3vqejxnqv5qd.onion*",".{0,1000}http\:\/\/zerobinftagjpeeebbvyzjcqyjpmjvynj5qlexwyxe7l3vqejxnqv5qd\.onion.{0,1000}","greyware_tool_keyword","zerobin.net","accessing paste raw content","T1119","TA0009","N/A","N/A","Collection","https://zerobin.net/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","47545" "*https://*.*.devtunnels.ms*",".{0,1000}https\:\/\/.{0,1000}\..{0,1000}\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47585" "*https://*.*.devtunnels.ms*",".{0,1000}https\:\/\/.{0,1000}\..{0,1000}\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","vscode","built-in port forwarding. 
This feature allows you to share locally running services over the internet to other people and devices.","T1090 - T1003 - T1571","TA0010 - TA0002 - TA0009","N/A","N/A","C2","https://twitter.com/code/status/1699869087071899669","0","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47586" "*https://*.app.github.dev/*",".{0,1000}https\:\/\/.{0,1000}\.app\.github\.dev\/.{0,1000}","greyware_tool_keyword","github","access to a GitHub Codespace environment - Github Codespaces have a public port forwarding option allowing you to make your server available for the public.","T1071 - T1572","TA0001 - TA0005","N/A","N/A","Collection","https://detect.fyi/how-threat-actors-use-github-bd991c11ed37","0","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","47587" "*https://*.brs.devtunnels.ms/*",".{0,1000}https\:\/\/.{0,1000}\.brs\.devtunnels\.ms\/.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47588" "*https://*.btunnel.co.in*",".{0,1000}https\:\/\/.{0,1000}\.btunnel\.co\.in.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","47589" "*https://*.btunnel.co.in*",".{0,1000}https\:\/\/.{0,1000}\.btunnel\.co\.in.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","47590" "*https://*.btunnel.co.in*",".{0,1000}https\:\/\/.{0,1000}\.btunnel\.co\.in.{0,1000}","greyware_tool_keyword","btunnel.in","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://www.btunnel.in/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47591" "*https://*.dev.servers.ddns.softether-network.net/ddns/ddns.aspx*",".{0,1000}https\:\/\/.{0,1000}\.dev\.servers\.ddns\.softether\-network\.net\/ddns\/ddns\.aspx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47592" 
"*https://*.dev.servers-v6.ddns.softether-network.net/ddns/ddns.aspx*",".{0,1000}https\:\/\/.{0,1000}\.dev\.servers\-v6\.ddns\.softether\-network\.net\/ddns\/ddns\.aspx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47593" "*https://*.euw.devtunnels.ms*",".{0,1000}https\:\/\/.{0,1000}\.euw\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47594" "*https://*.fex.net/download/*",".{0,1000}https\:\/\/.{0,1000}\.fex\.net\/download\/.{0,1000}","greyware_tool_keyword","fex.net","hosting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","N/A","Collection","https://fex.net","1","1","#filehostingservice","downloading a file","10","10","N/A","N/A","N/A","N/A","47595" "*https://*.fex.net/upload/*",".{0,1000}https\:\/\/.{0,1000}\.fex\.net\/upload\/.{0,1000}","greyware_tool_keyword","fex.net","hosting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","N/A","Data Exfiltration","https://fex.net","1","1","#filehostingservice","uploading a file","10","10","N/A","N/A","N/A","N/A","47596" "*https://*.free.beeceptor.com*",".{0,1000}https\:\/\/.{0,1000}\.free\.beeceptor\.com.{0,1000}","greyware_tool_keyword","beeceptor.com","temporary public URL 
for your localhost + port combination - ideal for real-time testing - can be abused for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://beeceptor.com/local-tunnel","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47597" "*https://*.localhost.run*",".{0,1000}https\:\/\/.{0,1000}\.localhost\.run.{0,1000}","greyware_tool_keyword","localhost.run","Put a locally running HTTP HTTPS or TLS app on the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://localhost.run/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47599" "*https://*.localtunnel.me*",".{0,1000}https\:\/\/.{0,1000}\.localtunnel\.me.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","1","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","47600" "*https://*.my.auvik.com/*",".{0,1000}https\:\/\/.{0,1000}\.my\.auvik\.com\/.{0,1000}","greyware_tool_keyword","auvik","cloud-based network management software","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.auvik.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47601" "*https://*.ngrok.io*","https\:\/\/.{0,1000}\.ngrok\.io.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","47602" 
"*https://*.pagekite.me*",".{0,1000}https\:\/\/.{0,1000}\.pagekite\.me.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","47604" "*https://*.pulseway.com/app/main/*",".{0,1000}https\:\/\/.{0,1000}\.pulseway\.com\/app\/main\/.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47605" "*https://*.remote.moe/*",".{0,1000}https\:\/\/.{0,1000}\.remote\.moe\/.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","47606" "*https://*.screenconnect.com/Bin/*.exe*",".{0,1000}https\:\/\/.{0,1000}\.screenconnect\.com\/Bin\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","screenconnect.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47607" 
"*https://*.screenconnect.com/Host*",".{0,1000}https\:\/\/.{0,1000}\.screenconnect\.com\/Host.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47608" "*https://*.sendspace.com/upload*",".{0,1000}https\:\/\/.{0,1000}\.sendspace\.com\/upload.{0,1000}","greyware_tool_keyword","sendspace.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Dispossessor - Black Basta - Hive - Ragnar Locker - Royal - LockBit - Vice Society","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","47609" "*https://*.serveo.net*",".{0,1000}https\:\/\/.{0,1000}\.serveo\.net.{0,1000}","greyware_tool_keyword","serveo.net","Expose local servers to the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://serveo.net","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47610" "*https://*.ssi.sh*",".{0,1000}https\:\/\/.{0,1000}\.ssi\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","1","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","47611" "*https://*.tacticalrmm.com/*",".{0,1000}https\:\/\/.{0,1000}\.tacticalrmm\.com\/.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - 
T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","47612" "*https://*.telebit.io*",".{0,1000}https\:\/\/.{0,1000}\.telebit\.io.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47613" "*https://*.trycloudfare.com*",".{0,1000}https\:\/\/.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47616" "*https://*.trycloudflare.com*",".{0,1000}https\:\/\/.{0,1000}\.trycloudflare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","Attackers abuse this service to expose malicious servers on a *.trycloudflare.com subdomain","T1567.002 - T1102 - T1071.001 - T1036","TA0001 - TA0005 - TA0009","N/A","N/A","Collection","https://lots-project.com/site/2a2e747279636c6f7564666c6172652e636f6d","0","1","N/A","N/A","8","8","N/A","N/A","N/A","N/A","47617" "*https://*.tunnelmole.net*",".{0,1000}https\:\/\/.{0,1000}\.tunnelmole\.net.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","47618" "*https://*.use.devtunnels.ms*",".{0,1000}https\:\/\/.{0,1000}\.use\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47620" "*https://*.zoho.com/pconnect*",".{0,1000}https\:\/\/.{0,1000}\.zoho\.com\/pconnect.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47621" "*https://*.zohoassist.com/w_socket*",".{0,1000}https\:\/\/.{0,1000}\.zohoassist\.com\/w_socket.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47622" "*https://*.zrok.io*",".{0,1000}https\:\/\/.{0,1000}\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","47623" "*https://*:9000/restic*",".{0,1000}https\:\/\/.{0,1000}\:9000\/restic.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","47627" "*https://0bin.net/paste/*+*",".{0,1000}https\:\/\/0bin\.net\/paste\/.{0,1000}\+.{0,1000}","greyware_tool_keyword","0bin.net","Accessing a paste on 0bin.net","T1213 - T1190","TA0001 - TA0009 - TA0010","N/A","N/A","Collection","https://0bin.net","1","1","#PastebinLike","N/A","5","10","N/A","N/A","N/A","N/A","47631" "*https://0bin.net/paste/create*",".{0,1000}https\:\/\/0bin\.net\/paste\/create.{0,1000}","greyware_tool_keyword","0bin.net","Creating a paste on 0bin.net","T1213 - T1190","TA0001 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://0bin.net","1","1","#PastebinLike","N/A","9","10","N/A","N/A","N/A","N/A","47632" "*https://12ft.io/api/proxy?q=http*",".{0,1000}https\:\/\/12ft\.io\/api\/proxy\?q\=http.{0,1000}","greyware_tool_keyword","12ft.io","Attackers can use 12ft.io to masquerade their domain for phishing purposes.","T1204.002 - T1036 - T1566.002","TA0001 - TA0005","N/A","N/A","Defense Evasion","https://12ft.io/","0","1","N/A","N/A","5","5","N/A","N/A","N/A","N/A","47643" "*https://12ft.io/proxy?q=*",".{0,1000}https\:\/\/12ft\.io\/proxy\?q\=.{0,1000}","greyware_tool_keyword","12ft.io","Attackers can use 12ft.io to masquerade their domain for phishing purposes.","T1204.002 - T1036 - T1566.002","TA0001 - TA0005","N/A","N/A","Defense 
Evasion","https://12ft.io/","0","1","N/A","N/A","5","5","N/A","N/A","N/A","N/A","47644" "*https://1ty.me/*",".{0,1000}https\:\/\/1ty\.me\/.{0,1000}","greyware_tool_keyword","1ty.me","temporary notes service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","N/A","Collection","https://1ty.me","1","1","#PastebinLike","downloading or uploading data","10","10","N/A","N/A","N/A","N/A","47645" "*https://1ty.me/?mode=ajax&cmd=create_note*",".{0,1000}https\:\/\/1ty\.me\/\?mode\=ajax\&cmd\=create_note.{0,1000}","greyware_tool_keyword","1ty.me","temporary notes service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://1ty.me","1","1","#PastebinLike","creating note","10","10","N/A","N/A","N/A","N/A","47646" "*https://aadinternals.com/aadinternals/*",".{0,1000}https\:\/\/aadinternals\.com\/aadinternals\/.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","47648" "*https://aka.ms/DevTunnelCliInstall*",".{0,1000}https\:\/\/aka\.ms\/DevTunnelCliInstall.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47650" "*https://aka.ms/TunnelsCliDownload/*",".{0,1000}https\:\/\/aka\.ms\/TunnelsCliDownload\/.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","47651" "*https://anonfiles.com/*/*",".{0,1000}https\:\/\/anonfiles\.com\/.{0,1000}\/.{0,1000}","greyware_tool_keyword","anonfiles.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","BlackCat - BitLocker - AvosLocker - Hive - Royal - LockBit - Vice Society - Conti - RansomHub","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","47653" "*https://anymailfinder.com/search/*",".{0,1000}https\:\/\/anymailfinder\.com\/search\/.{0,1000}","greyware_tool_keyword","anymailfinder","used by attackers to find informations about a company users","T1593 - T1596 - T1213","TA0009","N/A","N/A","Reconnaissance","https://anymailfinder.com","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","47654" 
"*https://apaste.info/p/new*",".{0,1000}https\:\/\/apaste\.info\/p\/new.{0,1000}","greyware_tool_keyword","apaste.info","Creating a paste on apaste.info/","T1213 - T1190","TA0001 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://apaste.info/","1","1","#PastebinLike","N/A","9","10","N/A","N/A","N/A","N/A","47655" "*https://api.anonfiles.com/upload*",".{0,1000}https\:\/\/api\.anonfiles\.com\/upload.{0,1000}","greyware_tool_keyword","anonfiles.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","BlackCat - BitLocker - AvosLocker - Hive - Royal - LockBit - Vice Society - Conti - RansomHub","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","47656" "*https://api.dropboxapi.com/*",".{0,1000}https\:\/\/api\.dropboxapi\.com\/.{0,1000}","greyware_tool_keyword","DBC2","DBC2 (DropboxC2) is a modular post-exploitation tool composed of an agent running on the victim's machine - a controler running on any machine - powershell modules and Dropbox servers as a means of communication.","T1105 - T1071.004 - T1102","TA0003 - TA0002 - TA0008","N/A","BlackCat - Scattered Spider*","C2","https://github.com/Arno0x/DBC2","1","1","N/A","Dropbox API calls - Understanding your environment with the applications used and allowed will enhances the effectiveness of your hunt here","10","10","295","86","2017-10-27T07:39:02Z","2016-12-14T10:35:56Z","47657" "*https://api.fex.net/api/v1/anonymous/file*",".{0,1000}https\:\/\/api\.fex\.net\/api\/v1\/anonymous\/file.{0,1000}","greyware_tool_keyword","fex.net","hosting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","N/A","Data Exfiltration","https://fex.net","1","1","#filehostingservice","uploading a 
file","10","10","N/A","N/A","N/A","N/A","47659" "*https://api.freefilesync.org/new_installation*",".{0,1000}https\:\/\/api\.freefilesync\.org\/new_installation.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","#filehostingservice","N/A","9","10","N/A","N/A","N/A","N/A","47660" "*https://api.hunter.io/*",".{0,1000}https\:\/\/api\.hunter\.io\/.{0,1000}","greyware_tool_keyword","Hunter.io","used by attacker and pentester while gathering information. Hunter lets you find email addresses in seconds and connect with the people that matter for your business","T1597 - T1526 - T1087 - T1078 - T1056 - T1018 - T1016 - T1583 - T1589","TA0001 - TA0002 - TA0003 - TA0005 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://hunter.io/","1","1","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","47662" "*https://api.my-ip.io/ip*",".{0,1000}https\:\/\/api\.my\-ip\.io\/ip.{0,1000}","greyware_tool_keyword","my-ip.io","abused by ransomwares","T1486 - T1490","TA0040","N/A","N/A","Ransomware","https://github.com/rivitna/Malware","1","0","#content","N/A","4","4","357","52","2025-04-22T10:00:56Z","2021-07-28T21:00:52Z","47664" "*https://api.openai.com/v1/files*",".{0,1000}https\:\/\/api\.openai\.com\/v1\/files.{0,1000}","greyware_tool_keyword","ratchatpt","C2 using openAI API","T1094 - T1071.001","TA0011 - TA0002","N/A","N/A","C2","https://github.com/spartan-conseil/ratchatpt","0","1","N/A","risk of False positive","10","10","16","6","2023-06-09T12:39:00Z","2023-06-09T09:19:10Z","47666" "*https://api.tailscale.com/api/v2/*",".{0,1000}https\:\/\/api\.tailscale\.com\/api\/v2\/.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 
","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","47668" "*https://api.telegram.org/bot*/sendMessage*",".{0,1000}https\:\/\/api\.telegram\.org\/bot.{0,1000}\/sendMessage.{0,1000}","greyware_tool_keyword","TelegramRAT","Cross Platform Telegram based RAT that communicates via telegram to evade network restrictions","T1071.001 - T1105 - T1027","TA0011 - TA0005 - TA0002","N/A","N/A","C2","https://github.com/machine1337/TelegramRAT","1","1","N/A","N/A","10","10","372","62","2024-01-23T12:05:59Z","2023-06-30T10:59:55Z","47669" "*https://app.action1.com/agent/*/Windows/*.msi*",".{0,1000}https\:\/\/app\.action1\.com\/agent\/.{0,1000}\/Windows\/.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","1","N/A","https://app.action1.com/agent/{ID}/Windows/agent(My_Organization).msi","10","10","N/A","N/A","N/A","N/A","47670" "*https://app.level.io/devices*",".{0,1000}https\:\/\/app\.level\.io\/devices.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47671" "*https://apps.apple.com/us/app/tailscale/id*",".{0,1000}https\:\/\/apps\.apple\.com\/us\/app\/tailscale\/id.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","#macos","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","47672"
"*https://assist.zoho.com/assist-join?key=*",".{0,1000}https\:\/\/assist\.zoho\.com\/assist\-join\?key\=.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47673" "*https://assist.zoho.com/customer-session-details?client_token=*",".{0,1000}https\:\/\/assist\.zoho\.com\/customer\-session\-details\?client_token\=.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47674" "*https://assist.zoho.com/join?join_source=EMAIL_INVITE*",".{0,1000}https\:\/\/assist\.zoho\.com\/join\?join_source\=EMAIL_INVITE.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47675" "*https://assist.zoho.com/join-session?key=*",".{0,1000}https\:\/\/assist\.zoho\.com\/join\-session\?key\=.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47676" "*https://assist.zoho.com/org/*",".{0,1000}https\:\/\/assist\.zoho\.com\/org\/.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered 
Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47677" "*https://assist.zoho.com/viewer-assist*",".{0,1000}https\:\/\/assist\.zoho\.com\/viewer\-assist.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47678" "*https://aur.archlinux.org/jprq.git*",".{0,1000}https\:\/\/aur\.archlinux\.org\/jprq\.git.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","#linux","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","47679" "*https://bashupload.com*",".{0,1000}https\:\/\/bashupload\.com.{0,1000}","greyware_tool_keyword","bashupload.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","N/A","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47683" "*https://bayfiles.com/*",".{0,1000}https\:\/\/bayfiles\.com\/.{0,1000}","greyware_tool_keyword","bayfiles","hosting site abused by attackers - blocked site in a lot of countries","T1567 - T1071 - T1020 - T1005","TA0010 - TA0009","N/A","CyClops","Collection","N/A","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47684" "*https://bitbucket.org/*/downloads/*.bat*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma 
Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47688" "*https://bitbucket.org/*/downloads/*.dll*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47689" "*https://bitbucket.org/*/downloads/*.dll*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47690" "*https://bitbucket.org/*/downloads/*.exe*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47691" "*https://bitbucket.org/*/downloads/*.ps1*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47692" "*https://bitbucket.org/*/downloads/*.rar*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.rar.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47693" 
"*https://bitbucket.org/*/downloads/*.zip*",".{0,1000}https\:\/\/bitbucket\.org\/.{0,1000}\/downloads\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","bitbucket.org","legitimate hosting platform abused by malwares like lummastealer","T1213 - T1102","TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","#filehostingservice","N/A","5","7","N/A","N/A","N/A","N/A","47694" "*https://boringproxy.io/installation*",".{0,1000}https\:\/\/boringproxy\.io\/installation.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","1","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","47702" "*https://browser.lol/vnc?server=*",".{0,1000}https\:\/\/browser\.lol\/vnc\?server\=.{0,1000}","greyware_tool_keyword","browser.lol","Virtual Browser - Safely visit blocked or risky websites - can be used to bypass network restrictions within a corporate environment","T1071 - T1090 - T1562","TA0005","N/A","N/A","Defense Evasion","https://browser.lol","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","47703" "*https://burrow.io/* | bash *",".{0,1000}https\:\/\/burrow\.io\/.{0,1000}\s\|\sbash\s.{0,1000}","greyware_tool_keyword","burrow","Expose localhost to the internet using a public URL","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://burrow.io","1","0","#linux","N/A","9","8","N/A","N/A","N/A","N/A","47706" "*https://burrow.io/tunnels*",".{0,1000}https\:\/\/burrow\.io\/tunnels.{0,1000}","greyware_tool_keyword","burrow","Expose localhost to the internet using a public URL","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://burrow.io","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","47707" 
"*https://c3pool.com/#/*",".{0,1000}https\:\/\/c3pool\.com\/\#\/.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","47709" "*https://clbin.com/*",".{0,1000}https\:\/\/clbin\.com\/.{0,1000}","greyware_tool_keyword","clbin.com","clbin.com can be used for C&C purposes. The attacker will place commands on a textbin paste and have the malware fetch the commands.","T1567.002","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://clbin.com/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","47711" "*https://cloud.screenconnect.com/#/trialtoinstance?cookieValue=*",".{0,1000}https\:\/\/cloud\.screenconnect\.com\/\#\/trialtoinstance\?cookieValue\=.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47712" "*https://content.dropboxapi.com/2/files/upload*",".{0,1000}https\:\/\/content\.dropboxapi\.com\/2\/files\/upload.{0,1000}","greyware_tool_keyword","dropbox","uploading file to dropbox with the API","T1105 - T1071.001 - T1567.002","TA0011 - TA0009 - TA0010","N/A","BlackCat - Scattered Spider* - Operation BugDrop - COZY BEAR - Turla - LockBit - Pandora","Data Exfiltration","https://github.com/I-Am-Jakoby/PowerShell-for-Hackers/blob/main/Functions/DropBox-Upload.md","1","1","#filehostingservice","N/A","7","10","1249","146","2024-06-16T04:10:39Z","2022-05-10T04:12:53Z","47719"
"*https://crates.io/crates/localtunnel-client*",".{0,1000}https\:\/\/crates\.io\/crates\/localtunnel\-client.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","1","N/A","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","47723" "*https://crates.io/crates/localtunnel-server*",".{0,1000}https\:\/\/crates\.io\/crates\/localtunnel\-server.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","1","N/A","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","47724" "*https://docs.level.io/1.0/admin-guides/level-watchdog-task*",".{0,1000}https\:\/\/docs\.level\.io\/1\.0\/admin\-guides\/level\-watchdog\-task.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47738" "*https://download.advanced-ip-scanner.com/download/files/*.exe*",".{0,1000}https\:\/\/download\.advanced\-ip\-scanner\.com\/download\/files\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","advanced-ip-scanner","The program shows all network devices. gives you access to shared folders. provides remote control of computers (via RDP and Radmin) and can even remotely switch computers off. 
It is easy to use and runs as a portable edition (abused by TA)","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","MAZE - BlackSuit - Royal - Akira - LockBit - Diavol - GoGoogle - INC Ransom - Hive - ZolaConti2 - Darkside - UNC24653 - Egregor4 - Hades - Evilcorp5 - REvil6 - Ryuk - UNC18787 - UNC24477 - Vice Society - FiveHands - Sarcoma - DragonForce - MedusaLocker - Mimic - Loki","Discovery","https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","47740" "*https://downloads.level.io/install_linux.sh*",".{0,1000}https\:\/\/downloads\.level\.io\/install_linux\.sh.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","47742" "*https://downloads.level.io/install_mac_os.sh*",".{0,1000}https\:\/\/downloads\.level\.io\/install_mac_os\.sh.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47743" "*https://downloads.level.io/install_windows.exe*",".{0,1000}https\:\/\/downloads\.level\.io\/install_windows\.exe.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47744" "*https://downloads.level.io/stable/level-linux-amd64*",".{0,1000}https\:\/\/downloads\.level\.io\/stable\/level\-linux\-amd64.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - 
T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","47745" "*https://downloads.solarwinds.com/solarwinds/Release/DameWare/*",".{0,1000}https\:\/\/downloads\.solarwinds\.com\/solarwinds\/Release\/DameWare\/.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","47746" "*https://dropmefiles.com/*",".{0,1000}https\:\/\/dropmefiles\.com\/.{0,1000}","greyware_tool_keyword","dropmefiles.com","temporary file hosting service - abused by attackers to share informations with their victims","T1105 - T1071","TA0010 - TA0009","N/A","Mallox - Dispossessor - BitLocker - Black Basta - Hive - Royal - LockBit - Vice Society","Collection","https://github.com/Casualtek/Ransomchats/blob/4a25ac6ad165a4e600aeb72718c3ad41e8f6ce3a/Mallox/20230427.json#L286C25-L286C48","1","1","#filehostingservice","downloading files url","8","6","504","51","2025-04-19T17:43:15Z","2023-05-02T16:17:48Z","47749" "*https://dropmefiles.com/s3/upload/*",".{0,1000}https\:\/\/dropmefiles\.com\/s3\/upload\/.{0,1000}","greyware_tool_keyword","dropmefiles.com","temporary file hosting service - abused by attackers to share informations with their victims","T1105 - T1071","TA0010 - TA0009","N/A","Mallox - Dispossessor - BitLocker - Black Basta - Hive - Royal - LockBit - Vice Society","Data Exfiltration","https://github.com/Casualtek/Ransomchats/blob/4a25ac6ad165a4e600aeb72718c3ad41e8f6ce3a/Mallox/20230427.json#L286C25-L286C48","1","1","#filehostingservice","uploading files url","10","6","504","51","2025-04-19T17:43:15Z","2023-05-02T16:17:48Z","47750" 
"*https://easyupload.io/*",".{0,1000}https\:\/\/easyupload\.io\/.{0,1000}","greyware_tool_keyword","easyupload.io","file hosting platform abused by attackers to host malicious - url used when downloading a file on the site","T1567.002 - T1071.001 - T1041 - T1036.002","TA0009","N/A","Black Basta","Collection","N/A","1","1","#filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","47751" "*https://easyupload.io/action.php*",".{0,1000}https\:\/\/easyupload\.io\/action\.php.{0,1000}","greyware_tool_keyword","easyupload.io","hosting platform abused by attackers","T1105 - T1071.001 - T1567.002 - T1041","TA0010 - TA0005","N/A","Akira","Data Exfiltration","N/A","1","1","#filehostingservice","uploading url","8","6","N/A","N/A","N/A","N/A","47752" "*https://easyupload.io/cdn-cgi/rum*",".{0,1000}https\:\/\/easyupload\.io\/cdn\-cgi\/rum.{0,1000}","greyware_tool_keyword","easyupload.io","hosting platform abused by attackers","T1105 - T1071.001 - T1567.002 - T1041","TA0010 - TA0005","N/A","Akira","Data Exfiltration","N/A","1","1","#filehostingservice","uploading url","8","6","N/A","N/A","N/A","N/A","47753" "*https://expose.dev/api/servers*",".{0,1000}https\:\/\/expose\.dev\/api\/servers.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","1","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","47757" "*https://expose.dev/register*",".{0,1000}https\:\/\/expose\.dev\/register.{0,1000}","greyware_tool_keyword","expose","tunneling service - written in pure PHP","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/beyondcode/expose","1","1","N/A","N/A","10","10","4367","280","2025-04-04T13:57:03Z","2020-04-14T19:18:38Z","47758" "*https://file.io/*",".{0,1000}https\:\/\/file\.io\/.{0,1000}","greyware_tool_keyword","file.io","Interesting observation on the file-sharing platform preferences derived from the 
negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","BlackCat - Black Basta - Akira - AvosLocker - Hive - Ragnar Locker - Royal - LockBit - Vice Society - Conti","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47761" "*https://file.io/?title=*",".{0,1000}https\:\/\/file\.io\/\?title\=.{0,1000}","greyware_tool_keyword","file.io","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","BlackCat - Black Basta - Akira - AvosLocker - Hive - Ragnar Locker - Royal - LockBit - Vice Society - Conti","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47762" "*https://filebin.net/*",".{0,1000}https\:\/\/filebin\.net\/.{0,1000}","greyware_tool_keyword","filebin.net","file hosting platform abused by attackers to host malicious file - raw access and api available","T1119","TA0009 - TA0010","N/A","N/A","Collection","https://filebin.net","1","1","#filehostingservice","N/A","8","8","N/A","N/A","N/A","N/A","47763" "*https://files.catbox.moe/*","https:\/\/files\.catbox\.moe\/[^\s\n]+","greyware_tool_keyword","catbox.moe","The cutest free file host you've ever seen - abused by threat actors","T1560.001 - T1190 - T1102 - T1027.002","TA0001 - TA0005 - TA0042","N/A","N/A","Collection","https://files[.]catbox.moe","1","1","#filehostingservice","N/A","9","10","N/A","N/A","N/A","N/A","47764" "*https://fleetdm.com/resources/install-fleetctl.sh*",".{0,1000}https\:\/\/fleetdm\.com\/resources\/install\-fleetctl\.sh.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 
- TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","1","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","47765" "*https://freefilesync.org/donate*",".{0,1000}https\:\/\/freefilesync\.org\/donate.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","1","#filehostingservice","N/A","9","10","N/A","N/A","N/A","N/A","47768" "*https://get.telebit.io*",".{0,1000}https\:\/\/get\.telebit\.io.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47769" "*https://github.com/mandiant/SilkETW/releases/download/v0.8/SilkETW_SilkService_v8.zip*",".{0,1000}https\:\/\/github\.com\/mandiant\/SilkETW\/releases\/download\/v0\.8\/SilkETW_SilkService_v8\.zip.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","1","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","47778" "*https://github-com.translate.goog/*",".{0,1000}https\:\/\/github\-com\.translate\.goog\/.{0,1000}","greyware_tool_keyword","translate.goog","accessing github through google translate (evasion) false positive risk","T1090.003","TA0005","N/A","N/A","Defense Evasion","https://*-com.translate.goog/*","0","1","N/A","N/A","1","3","N/A","N/A","N/A","N/A","47782" "*https://gofile.io/d/*",".{0,1000}https\:\/\/gofile\.io\/d\/.{0,1000}","greyware_tool_keyword","ransomware_notes","detection 
patterns retrieved in ransomware notes archives","T1486","TA0040","N/A","N/A","Ransomware","https://github.com/threatlabz/ransomware_notes","1","1","N/A","downloading files from gofile.io","10","4","354","55","2025-04-04T19:06:04Z","2022-08-01T15:14:59Z","47785" "*https://googleweblight.com/i?u=*ipfs.*.html*",".{0,1000}https\:\/\/googleweblight\.com\/i\?u\=.{0,1000}ipfs\..{0,1000}\.html.{0,1000}","greyware_tool_keyword","googleweblight.com","Open Redirect vulnerability being exploited by threat actors in Google Web Light","T1584.001 - T1534","TA0008","N/A","N/A","Phishing","https://x.com/1ZRR4H/status/1723062039680000255","1","1","N/A","N/A","9","10","N/A","N/A","N/A","N/A","47786" "*https://gost.run/tutorials/*",".{0,1000}https\:\/\/gost\.run\/tutorials\/.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","47787" "*https://gost.run/tutorials/api/config*",".{0,1000}https\:\/\/gost\.run\/tutorials\/api\/config.{0,1000}","greyware_tool_keyword","gost","GO Simple Tunnel - a simple tunnel written in golang","T1572","TA0011 - TA0003","N/A","Dispossessor - EMBER BEAR","C2","https://github.com/go-gost/gost","1","1","N/A","N/A","10","10","4986","573","2025-02-18T15:35:15Z","2020-02-12T14:58:08Z","47788" "*https://homeway.io/install.sh*",".{0,1000}https\:\/\/homeway\.io\/install\.sh.{0,1000}","greyware_tool_keyword","homeway.io","Expose local servers to the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://homeway.io/","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","47795" "*https://hunter.io/*",".{0,1000}https\:\/\/hunter\.io\/.{0,1000}","greyware_tool_keyword","Hunter.io","used by attacker and pentester while gathering information. 
Hunter lets you find email addresses in seconds and connect with the people that matter for your business","T1597 - T1526 - T1087 - T1078 - T1056 - T1018 - T1016 - T1583 - T1589","TA0001 - TA0002 - TA0003 - TA0005 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://hunter.io/","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","47796" "*https://hypertunnel.ga*",".{0,1000}https\:\/\/hypertunnel\.ga.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","47797" "*https://ip138.com/iplookup.asp?ip=*&action=2*",".{0,1000}https\:\/\/ip138\.com\/iplookup\.asp\?ip\=.{0,1000}\&action\=2.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47799" "*https://ipv4.myip.wtf/text*",".{0,1000}https\:\/\/ipv4\.myip\.wtf\/text.{0,1000}","greyware_tool_keyword","ipv4.myip.wtf","get public ip address. Used by disctopia-c2","T1016 - T1071.001","TA0005 - TA0002","N/A","N/A","Reconnaissance","https://github.com/3ct0s/disctopia-c2/blob/main/libraries/disctopia.py","1","1","N/A","greyware_tools high risks of false positives","N/A","10","609","139","2024-07-18T10:16:19Z","2022-01-02T22:03:10Z","47800" "*https://jprq.io/auth*",".{0,1000}https\:\/\/jprq\.io\/auth.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","47803" "*https://jprq.io/install.sh*",".{0,1000}https\:\/\/jprq\.io\/install\.sh.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","1","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","47804" "*https://link.remote.it/support/rpi-linux-quick-install*",".{0,1000}https\:\/\/link\.remote\.it\/support\/rpi\-linux\-quick\-install.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","#linux","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","47807" "*https://localtunnel.me*",".{0,1000}https\:\/\/localtunnel\.me.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","1","N/A","N/A","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","47809" "*https://localtunnel.me*",".{0,1000}https\:\/\/localtunnel\.me.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","1","N/A","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","47810" "*https://localxpose.io/download*",".{0,1000}https\:\/\/localxpose\.io\/download.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost 
to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","47811" "*https://login.remotepc.com/rpcnew*",".{0,1000}https\:\/\/login\.remotepc\.com\/rpcnew.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47812" "*https://login.tailscale.com/admin/settings/keys*",".{0,1000}https\:\/\/login\.tailscale\.com\/admin\/settings\/keys.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","47813" "*https://maildrop.cc/inbox/?mailbox=*",".{0,1000}https\:\/\/maildrop\.cc\/inbox\/\?mailbox\=.{0,1000}","greyware_tool_keyword","maildrop","disposable email address to use anytime.","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","https://maildrop.cc/","1","1","N/A","N/A","4","5","N/A","N/A","N/A","N/A","47814" "*https://matrix.org/_matrix/client/r0/rooms/*/send/m.room.message*",".{0,1000}https\:\/\/matrix\.org\/_matrix\/client\/r0\/rooms\/.{0,1000}\/send\/m\.room\.message.{0,1000}","greyware_tool_keyword","goMatrixC2","C2 leveraging Matrix/Element Messaging Platform as Backend to control Implants in goLang.","T1090 - T1027 - T1071","TA0011 - TA0009 - TA0010","N/A","N/A","C2","https://github.com/n1k7l4i/goMatrixC2","1","0","N/A","N/A","10","","N/A","","","","47818" 
"*https://media.discordapp.net/attachments/*.bat*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47821" "*https://media.discordapp.net/attachments/*.exe*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47822" "*https://media.discordapp.net/attachments/*.hta*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47823" "*https://media.discordapp.net/attachments/*.iso*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.iso.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47824" "*https://media.discordapp.net/attachments/*.jar*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.jar.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47825" "*https://media.discordapp.net/attachments/*.msi*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - 
TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47826" "*https://media.discordapp.net/attachments/*.py*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.py.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47827" "*https://media.discordapp.net/attachments/*.vbs*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47828" "*https://media.discordapp.net/attachments/*.zip*",".{0,1000}https\:\/\/media\.discordapp\.net\/attachments\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","discord","Downloading discord executables and archives attachments","T1189","TA0001 - TA0009","N/A","N/A","Collection","N/A","1","1","N/A","N/A","6","9","N/A","N/A","N/A","N/A","47829" "*https://mega.io/cmd#download*",".{0,1000}https\:\/\/mega\.io\/cmd\#download.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","47831" "*https://mega.nz/file/*",".{0,1000}https\:\/\/mega\.nz\/file\/.{0,1000}","greyware_tool_keyword","mega.nz","Direct file download links on Mega.nz - file sharing activity often abused by attackers for Collection","T1105 - T1114 - T1083","TA0009","N/A","Akira - Conti - mount-locker - 
Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - MONTI - DarkSide - Black Basta","Collection","N/A","1","1","#filehostingservice #P2P","N/A","7","8","N/A","N/A","N/A","N/A","47832" "*https://mega.nz/folder/*",".{0,1000}https\:\/\/mega\.nz\/folder\/.{0,1000}","greyware_tool_keyword","mega.nz","Direct folder sharing links on Mega.nz for accessing multiple files - file sharing activity often abused by attackers for Collection","T1105 - T1114 - T1083","TA0009","N/A","Akira - Conti - mount-locker - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - MONTI - DarkSide - Black Basta","Collection","N/A","1","1","#filehostingservice #P2P","N/A","7","8","N/A","N/A","N/A","N/A","47833" "*https://mega.nz/folder/8L80QKyL#glRTp6Zc0gppwp03IG03tA*",".{0,1000}https\:\/\/mega\.nz\/folder\/8L80QKyL\#glRTp6Zc0gppwp03IG03tA.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","47834" "*https://mega.nz/folder/bxomFKwL#3V1dUJFzL98t1GqXX29IXg*",".{0,1000}https\:\/\/mega\.nz\/folder\/bxomFKwL\#3V1dUJFzL98t1GqXX29IXg.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","47835" "*https://mega.nz/folder/D0w0nYiY#egvjqP5R-anbBdsJg8QRVg*",".{0,1000}https\:\/\/mega\.nz\/folder\/D0w0nYiY\#egvjqP5R\-anbBdsJg8QRVg.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","47836" "*https://mega.nz/folder/gflVFLhC#6neMkeJrt4dWboRTc1NLUg*",".{0,1000}https\:\/\/mega\.nz\/folder\/gflVFLhC\#6neMkeJrt4dWboRTc1NLUg.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","47837" "*https://mega.nz/linux/repo/*",".{0,1000}https\:\/\/mega\.nz\/linux\/repo\/.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","47838" 
"*https://mega.nz/linux/repo/*.deb*",".{0,1000}https\:\/\/mega\.nz\/linux\/repo\/.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","1","#linux","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","47839" "*https://meshcentral.com/login*",".{0,1000}https\:\/\/meshcentral\.com\/login.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","1","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","47840" "*https://myexternalip.com/raw*",".{0,1000}https\:\/\/myexternalip\.com\/raw.{0,1000}","greyware_tool_keyword","myexternalip.com","return external ip address","T1046 - T1595 - T1595.001","TA0007 - TA0040","N/A","N/A","Reconnaissance","https://myexternalip.com/raw","1","1","N/A","False positives warning - used by some C2 projects but legitimate site","1","6","N/A","N/A","N/A","N/A","47844" "*https://new.express.adobe.com/publishedV2/urn:aaid:sc:*",".{0,1000}https\:\/\/new\.express\.adobe\.com\/publishedV2\/urn\:aaid\:sc\:.{0,1000}","greyware_tool_keyword","adobe.com","Attackers can use adobe.com to masquerade their domain for phishing purposes.","T1204.002 - T1036 - T1566.002","TA0001 - TA0005","N/A","N/A","Defense Evasion","N/A","0","1","N/A","N/A","1","1","N/A","N/A","N/A","N/A","47846" "*https://nopaste.net/*",".{0,1000}https\:\/\/nopaste\.net\/.{0,1000}","greyware_tool_keyword","nopaste.net","nopaste.net is a temporary file host - nopaste and clipboard across machines. 
You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration","T1567.002 - T1036.005 - T1102 - T1071.001","TA0005 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://www.shellhub.io/","1","1","#Pastebinlike #filehostingservice","monitor PUT requests for data exfiltration","8","10","N/A","N/A","N/A","N/A","47847" "*https://nordvpn.com*/ovpn/*.ovpn*",".{0,1000}https\:\/\/nordvpn\.com.{0,1000}\/ovpn\/.{0,1000}\.ovpn.{0,1000}","greyware_tool_keyword","NordVPN","OVPN configuration for nordvpn accessed within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://nordvpn.com","0","1","#VPN","N/A","8","10","N/A","N/A","N/A","N/A","47848" "*https://nsproducts.azureedge.net/nsm-*/NetSupport*",".{0,1000}https\:\/\/nsproducts\.azureedge\.net\/nsm\-.{0,1000}\/NetSupport.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47852" "*https://oshi.at/*",".{0,1000}https\:\/\/oshi\.at\/.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","47855" "*https://pagekite.net/downloads/*",".{0,1000}https\:\/\/pagekite\.net\/downloads\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","47856" "*https://pagekite.net/pk/src/*",".{0,1000}https\:\/\/pagekite\.net\/pk\/src\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","47857" "*https://portal.ehorus.com/#/agents/*",".{0,1000}https\:\/\/portal\.ehorus\.com\/\#\/agents\/.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47870" "*https://portal.xeox.com/*",".{0,1000}https\:\/\/portal\.xeox\.com\/.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47871" "*https://portr.dev/client/installation/*",".{0,1000}https\:\/\/portr\.dev\/client\/installation\/.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","47872" "*https://privatebin.net/*",".{0,1000}https\:\/\/privatebin\.net\/.{0,1000}","greyware_tool_keyword","privatebin.net","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with Black Basta victims","T1071.001 - T1567.002 - T1005","TA0010 - TA0009","N/A","Black Basta","Data Exfiltration","N/A","0","1","#PastebinLike","N/A","5","6","N/A","N/A","N/A","N/A","47873" "*https://privatix-temp-mail-v1.p.rapidapi.com/request/domains/*",".{0,1000}https\:\/\/privatix\-temp\-mail\-v1\.p\.rapidapi\.com\/request\/domains\/.{0,1000}","greyware_tool_keyword","temp-mail","using the API of a disposable email address to use anytime - could be abused by malicious actors","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","temp-mail.org","1","1","N/A","api doc https://rapidapi.com/Privatix/api/temp-mail","9","10","N/A","N/A","N/A","N/A","47875" "*https://privatix-temp-mail-v1.p.rapidapi.com/request/mail/id/null/*",".{0,1000}https\:\/\/privatix\-temp\-mail\-v1\.p\.rapidapi\.com\/request\/mail\/id\/null\/.{0,1000}","greyware_tool_keyword","temp-mail","using the API of a disposable email address to use anytime - could be abused by malicious actors","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","temp-mail.org","1","1","N/A","api doc https://rapidapi.com/Privatix/api/temp-mail","9","10","N/A","N/A","N/A","N/A","47877" "*https://privnote.com/*",".{0,1000}https\:\/\/privnote\.com\/.{0,1000}","greyware_tool_keyword","privnote.com","temporary notes service - abused by attackers to share informations with their victims","T1105 - T1071","TA0010 - TA0009","N/A","Akira - Black Basta","Collection","https://github.com/Casualtek/Ransomchats/blob/4a25ac6ad165a4e600aeb72718c3ad41e8f6ce3a/Akira/20240620.json#L31C27-L31C48","1","1","#PastebinLike","downloading files 
url","5","6","504","51","2025-04-19T17:43:15Z","2023-05-02T16:17:48Z","47878" "*https://pubsub.zoho.com/*_deskUserPresence/pubsub*",".{0,1000}https\:\/\/pubsub\.zoho\.com\/.{0,1000}_deskUserPresence\/pubsub.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47881" "*https://put.io/?login*",".{0,1000}https\:\/\/put\.io\/\?login.{0,1000}","greyware_tool_keyword","put.io","A storage and torrenting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","Scattered Spider - RagnarLocker - Medusa","Data Exfiltration","https://put.i","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","47882" "*https://put.io/default/magnet?url=*",".{0,1000}https\:\/\/put\.io\/default\/magnet\?url\=.{0,1000}","greyware_tool_keyword","put.io","A storage and torrenting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","Scattered Spider - RagnarLocker - Medusa","Collection","https://put.i","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","47883" "*https://put.io/transfers*",".{0,1000}https\:\/\/put\.io\/transfers.{0,1000}","greyware_tool_keyword","put.io","A storage and torrenting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","Scattered Spider - RagnarLocker - Medusa","Data Exfiltration","https://put.i","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","47884" "*https://put.io/v2/oauth2/register*",".{0,1000}https\:\/\/put\.io\/v2\/oauth2\/register.{0,1000}","greyware_tool_keyword","put.io","A storage and torrenting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","Scattered Spider - RagnarLocker - Medusa","Data 
Exfiltration","https://put.i","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","47885" "*https://qaz.im/*",".{0,1000}https\:\/\/qaz\.im\/.{0,1000}","greyware_tool_keyword","qaz.im","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Data Exfiltration","https://qaz.im/","1","1","#filehostingservice","uploading files url","10","10","N/A","N/A","N/A","N/A","47889" "*https://qaz.im/load/*",".{0,1000}https\:\/\/qaz\.im\/load\/.{0,1000}","greyware_tool_keyword","qaz.im","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Collection","https://qaz.im/","1","1","#filehostingservice","downloading files url","10","10","N/A","N/A","N/A","N/A","47890" "*https://qaz.im/zaq/*",".{0,1000}https\:\/\/qaz\.im\/zaq\/.{0,1000}","greyware_tool_keyword","qaz.im","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Collection","https://qaz.im/","1","1","#filehostingservice","downloading notes url","10","10","N/A","N/A","N/A","N/A","47891" "*https://qaz.is/*",".{0,1000}https\:\/\/qaz\.is\/.{0,1000}","greyware_tool_keyword","qaz.is","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Data Exfiltration","https://qaz.is/","1","1","#filehostingservice","uploading files url","10","10","N/A","N/A","N/A","N/A","47892" "*https://qaz.is/load/*",".{0,1000}https\:\/\/qaz\.is\/load\/.{0,1000}","greyware_tool_keyword","qaz.is","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black 
Basta","Collection","https://qaz.is/","1","1","#filehostingservice","downloading files url","10","10","N/A","N/A","N/A","N/A","47893" "*https://qaz.is/zaq/*",".{0,1000}https\:\/\/qaz\.is\/zaq\/.{0,1000}","greyware_tool_keyword","qaz.is","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Collection","https://qaz.is/","1","1","#filehostingservice","downloading notes url","10","10","N/A","N/A","N/A","N/A","47894" "*https://qaz.su*",".{0,1000}https\:\/\/qaz\.su.{0,1000}","greyware_tool_keyword","qaz.su","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Data Exfiltration","https://qaz.su/","1","1","#filehostingservice","uploading files url","10","10","N/A","N/A","N/A","N/A","47895" "*https://qaz.su/load/*",".{0,1000}https\:\/\/qaz\.su\/load\/.{0,1000}","greyware_tool_keyword","qaz.su","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Collection","https://qaz.su/","1","1","#filehostingservice","downloading files url","10","10","N/A","N/A","N/A","N/A","47896" "*https://qaz.su/zaq/*",".{0,1000}https\:\/\/qaz\.su\/zaq\/.{0,1000}","greyware_tool_keyword","qaz.su","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker - Black Basta","Collection","https://qaz.su/","1","1","#filehostingservice","downloading notes url","10","10","N/A","N/A","N/A","N/A","47897" "*https://qu.ax/*.*","https\:\/\/qu\.ax\/[^\s\n]+","greyware_tool_keyword","qu.ax","qu.ax is a quick and private file hosting service - abused by threat actors","T1560.001 - T1190 - T1102 - T1027.002","TA0001 - TA0005 - 
TA0042","N/A","N/A","Collection","https://qu[.]ax/","1","1","#filehostingservice","N/A","9","10","N/A","N/A","N/A","N/A","47898" "*https://rclone.org/install.sh*",".{0,1000}https\:\/\/rclone\.org\/install\.sh.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEAR - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","47906" "*https://rdprelay*.support.services.microsoft.com*",".{0,1000}https\:\/\/rdprelay.{0,1000}\.support\.services\.microsoft\.com.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","1","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","47907" "*https://remoteassistance.support.services.microsoft.com/*",".{0,1000}https\:\/\/remoteassistance\.support\.services\.microsoft\.com\/.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","1","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","47909" 
"*https://remotedesktop.google.com/_/oauthredirect*",".{0,1000}https\:\/\/remotedesktop\.google\.com\/_\/oauthredirect.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47910" "*https://remotedesktop.google.com/headless*",".{0,1000}https\:\/\/remotedesktop\.google\.com\/headless.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47911" "*https://rentry.co/*",".{0,1000}https\:\/\/rentry\.co\/.{0,1000}","greyware_tool_keyword","rentry.co","accessing a pastebinlike site - often abused by malware","T1105 - T1114 - T1083","TA0009","N/A","N/A","Collection","N/A","1","1","#PastebinLike","N/A","5","8","N/A","N/A","N/A","N/A","47912" "*https://rentry.co/*/raw*",".{0,1000}https\:\/\/rentry\.co\/.{0,1000}\/raw.{0,1000}","greyware_tool_keyword","rentry.co","raw format paste access attempt - abused by attackers to store malicious payloads","T1105 - T1114 - T1083","TA0009","N/A","N/A","Collection","N/A","1","1","#PastebinLike","N/A","7","8","N/A","N/A","N/A","N/A","47913" "*https://rentry.co/cdn-cgi/challenge-platform/*",".{0,1000}https\:\/\/rentry\.co\/cdn\-cgi\/challenge\-platform\/.{0,1000}","greyware_tool_keyword","rentry.co","raw format paste access attempt - abused by attackers to store malicious payloads","T1105 - T1114 - T1083","TA0009","N/A","N/A","Collection","N/A","1","1","#PastebinLike","N/A","7","8","N/A","N/A","N/A","N/A","47914" 
"*https://requestbin.net/r/*",".{0,1000}https\:\/\/requestbin\.net\/r\/.{0,1000}","greyware_tool_keyword","requestbin.net","allows users to create a unique URL to collect and inspect HTTP requests. It is commonly used for debugging webhooks - it can also be abused by attackers for verifying the reachability and effectiveness of their payloads","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","http://requestbin.net","1","1","N/A","Out of band interaction domains","10","10","N/A","N/A","N/A","N/A","47915" "*https://s3.amazonaws.com/sshx/sshx-*",".{0,1000}https\:\/\/s3\.amazonaws\.com\/sshx\/sshx\-.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","47916" "*https://s3.filebin.net/filebin/*",".{0,1000}https\:\/\/s3\.filebin\.net\/filebin\/.{0,1000}","greyware_tool_keyword","filebin.net","file hosting platform abused by attackers to host malicious file - raw access and api available","T1119","TA0009","N/A","N/A","Collection","https://filebin.net","1","1","#filehostingservice","N/A","8","8","N/A","N/A","N/A","N/A","47917" "*https://secure.logmeinrescue.com/R?i=2&Code=*",".{0,1000}https\:\/\/secure\.logmeinrescue\.com\/R\?i\=2\&Code\=.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47919" 
"*https://secure.logmeinrescue.com/TechnicianConsole/Launch*",".{0,1000}https\:\/\/secure\.logmeinrescue\.com\/TechnicianConsole\/Launch.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47920" "*https://send.exploit.in/api/download*",".{0,1000}https\:\/\/send\.exploit\.in\/api\/download.{0,1000}","greyware_tool_keyword","send.exploit.in","downloading files - hosting service frequently exploited by attackers - should be blocked","T1567 - T1071 - T1020 - T1005","TA0010 - TA0009","N/A","LockBit - Hive - Black Basta","Collection","N/A","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47921" "*https://send.exploit.in/api/info/*",".{0,1000}https\:\/\/send\.exploit\.in\/api\/info\/.{0,1000}","greyware_tool_keyword","send.exploit.in","uploading files - hosting service frequently exploited by attackers - should be blocked","T1567 - T1071 - T1020 - T1005","TA0010 - TA0009","N/A","LockBit - Hive - Black Basta","Data Exfiltration","N/A","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47922" "*https://send.exploit.in/api/metadata/*",".{0,1000}https\:\/\/send\.exploit\.in\/api\/metadata\/.{0,1000}","greyware_tool_keyword","send.exploit.in","uploading files - hosting service frequently exploited by attackers - should be blocked","T1567 - T1071 - T1020 - T1005","TA0010 - TA0009","N/A","LockBit - Hive - Black Basta","Data Exfiltration","N/A","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47923" 
"*https://senet-flets.v6.softether.co.jp/ddns/ddns.aspx*",".{0,1000}https\:\/\/senet\-flets\.v6\.softether\.co\.jp\/ddns\/ddns\.aspx.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","47924" "*https://share.riseup.net/2*",".{0,1000}https\:\/\/share\.riseup\.net\/2.{0,1000}","greyware_tool_keyword","share.riseup.net","temporary file hosting service - abused by attackers to share informations with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker","Collection","https://share.riseup.net","1","1","#filehostingservice","downloading files url","10","10","N/A","N/A","N/A","N/A","47925" "*https://share.riseup.net/up*",".{0,1000}https\:\/\/share\.riseup\.net\/up.{0,1000}","greyware_tool_keyword","share.riseup.net","temporary file hosting service - abused by attackers to share informations with their victims","T1105 - T1071","TA0010 - TA0009","N/A","AvosLocker","Data Exfiltration","https://share.riseup.net","1","1","#filehostingservice","uploading files url","10","10","N/A","N/A","N/A","N/A","47926" "*https://silentbreaksecurity.com/adaptive-dll-hijacking*",".{0,1000}https\:\/\/silentbreaksecurity\.com\/adaptive\-dll\-hijacking.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","1","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","47929" "*https://slack.com/api/channels.create*",".{0,1000}https\:\/\/slack\.com\/api\/channels\.create.{0,1000}","greyware_tool_keyword","slack","API usage of slack - creating channel - abused by multiple C2","T1059.003 - 
T1071.004 - T1562.001","TA0002 - TA0010 - TA0011","N/A","N/A","C2","https://github.com/mthcht/Purpleteam/blob/main/Detection/Threat%20Hunting/generic/C2_abusing_API_services.md","0","1","N/A","/!\ very high risk of FP - hunting only","1","2","184","19","2024-12-20T10:22:25Z","2022-12-05T12:40:02Z","47930" "*https://spark.adobe.com/page/*",".{0,1000}https\:\/\/spark\.adobe\.com\/page\/.{0,1000}","greyware_tool_keyword","adobe.com","Attackers can use adobe.com to masquerade their domain for phishing purposes.","T1204.002 - T1036 - T1566.002","TA0001 - TA0005","N/A","N/A","Defense Evasion","https://www.joesandbox.com/analysis/515360/0/html","0","1","N/A","N/A","1","1","N/A","N/A","N/A","N/A","47936" "*https://sshx.io/get*",".{0,1000}https\:\/\/sshx\.io\/get.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","47939" "*https://sshx.io/s/*",".{0,1000}https\:\/\/sshx\.io\/s\/.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","47940" "*https://steamcommunity.com/profiles/*",".{0,1000}https\:\/\/steamcommunity\.com\/profiles\/.{0,1000}","greyware_tool_keyword","steam","Steam profiles have been leveraged to host payload addresses for malware delivery - making them a potential threat vector in corporate environments. 
This tactic can serve as a valuable hunting tip for threat detection efforts","T1102 - T1091 - T1204","TA0001 - TA0009","Lumma Stealer","N/A","Collection","N/A","0","1","N/A","N/A","1","1","N/A","N/A","N/A","N/A","47941" "*https://store-*.ufile.io/v1/upload/*",".{0,1000}https\:\/\/store\-.{0,1000}\.ufile\.io\/v1\/upload\/.{0,1000}","greyware_tool_keyword","ufile.io","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","Hive","Data Exfiltration","https://ufile.io","1","1","N/A","uploading files url","10","10","N/A","N/A","N/A","N/A","47942" "*https://sun.aweray.com/*/download*",".{0,1000}https\:\/\/sun\.aweray\.com\/.{0,1000}\/download.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47943" "*https://tailscale.com/s/resolvconf-overwrite*",".{0,1000}https\:\/\/tailscale\.com\/s\/resolvconf\-overwrite.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","47954" "*https://temp.sh/*/*",".{0,1000}https\:\/\/temp\.sh\/.{0,1000}\/.{0,1000}","greyware_tool_keyword","temp.sh","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Black Basta","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47955" 
"*https://temp.sh/upload*",".{0,1000}https\:\/\/temp\.sh\/upload.{0,1000}","greyware_tool_keyword","temp.sh","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Black Basta","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47956" "*https://tempsend.com/*",".{0,1000}https\:\/\/tempsend\.com\/.{0,1000}","greyware_tool_keyword","tempsend.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","N/A","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47957" "*https://tempsend.com/send*",".{0,1000}https\:\/\/tempsend\.com\/send.{0,1000}","greyware_tool_keyword","tempsend.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","N/A","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47958" "*https://termbin.com/test*",".{0,1000}https\:\/\/termbin\.com\/test.{0,1000}","greyware_tool_keyword","termbin.com","accessing paste raw content","T1119","TA0009","N/A","N/A","Collection","termbin.com","1","1","N/A","N/A","8","8","N/A","N/A","N/A","N/A","47959" "*https://textbin.net/raw/*",".{0,1000}https\:\/\/textbin\.net\/raw\/.{0,1000}","greyware_tool_keyword","textbin.net","textbin.net raw access content - abused by malwares to retrieve 
payloads","T1119","TA0009","N/A","N/A","Collection","textbin.net","1","1","#PastebinLike","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","47960" "*https://tmate.io/t/*",".{0,1000}https\:\/\/tmate\.io\/t\/.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","1","#linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","47962" "*https://tmpfiles.org/dl/*.exe*",".{0,1000}https\:\/\/tmpfiles\.org\/dl\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","tmpfiles.org","download of an executable files from tmpfiles.org often used by ransomware groups","T1566.002 - T1192 - T1105","TA0001 - TA0002","N/A","N/A","Collection","N/A","1","1","#filehostingservice","greyware tool - risk of false positive !","10","10","N/A","N/A","N/A","N/A","47963" "*https://tox.chat/download.html*",".{0,1000}https\:\/\/tox\.chat\/download\.html.{0,1000}","greyware_tool_keyword","ransomware_notes","detection patterns retrieved in ransomware notes archives","T1486","TA0040","N/A","N/A","Ransomware","https://github.com/threatlabz/ransomware_notes","1","1","N/A","N/A","10","4","354","55","2025-04-04T19:06:04Z","2022-08-01T15:14:59Z","47965" "*https://track.adform.net/C/?bn=*;cpdir=http*",".{0,1000}https\:\/\/track\.adform\.net\/C\/\?bn\=.{0,1000}\;cpdir\=http.{0,1000}","greyware_tool_keyword","track.adform.net","Attackers can use track.adform.net to masquerade their domain for phishing purposes.","T1204.002 - T1036 - T1566.002","TA0001 - TA0005","N/A","N/A","Defense Evasion","https://www.joesandbox.com/analysis/514456/0/html","0","1","N/A","N/A","5","5","N/A","N/A","N/A","N/A","47966" "*https://transfer.sh*",".{0,1000}https\:\/\/transfer\.sh.{0,1000}","greyware_tool_keyword","transfer.sh","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit 
victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Black Basta","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47967" "*https://transfert-my-files.com/files/*",".{0,1000}https\:\/\/transfert\-my\-files\.com\/files\/.{0,1000}","greyware_tool_keyword","transfert-my-files.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","N/A","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47970" "*https://transfert-my-files.com/inc/upload.php*",".{0,1000}https\:\/\/transfert\-my\-files\.com\/inc\/upload\.php.{0,1000}","greyware_tool_keyword","transfert-my-files.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","N/A","Data Exfiltration","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47971" "*https://tunnel.pyjam.as/*",".{0,1000}https\:\/\/tunnel\.pyjam\.as\/.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47973" "*https://tunnelmole.com/docs*",".{0,1000}https\:\/\/tunnelmole\.com\/docs.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","47974" "*https://tunnelmole.com/downloads/tmole.exe*",".{0,1000}https\:\/\/tunnelmole\.com\/downloads\/tmole\.exe.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","47975" "*https://tunwg.com*",".{0,1000}https\:\/\/tunwg\.com.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","47977" "*https://ufile.io/*",".{0,1000}https\:\/\/ufile\.io\/.{0,1000}","greyware_tool_keyword","ufile.io","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","Hive","Collection","https://ufile.io","1","1","N/A","downloading files url","5","6","N/A","N/A","N/A","N/A","47978" "*https://ufile.io/v1/upload/*",".{0,1000}https\:\/\/ufile\.io\/v1\/upload\/.{0,1000}","greyware_tool_keyword","ufile.io","temporary file hosting service - abused by attackers to share information with their victims","T1105 - T1071","TA0010 - TA0009","N/A","Hive","Data Exfiltration","https://ufile.io","1","1","#filehostingservice","uploading files url","10","10","N/A","N/A","N/A","N/A","47979" "*https://update.lansweeper.com/installation.aspx*",".{0,1000}https\:\/\/update\.lansweeper\.com\/installation\.aspx.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - 
T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","47981" "*https://us4-wms6.zoho.com*",".{0,1000}https\:\/\/us4\-wms6\.zoho\.com.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","47982" "*https://usaupload.com/account/ajax/load_files*",".{0,1000}https\:\/\/usaupload\.com\/account\/ajax\/load_files.{0,1000}","greyware_tool_keyword","usaupload","uploading files to usaupload","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://usaupload.com/","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47983" "*https://usaupload.com/account/ajax/uploader*",".{0,1000}https\:\/\/usaupload\.com\/account\/ajax\/uploader.{0,1000}","greyware_tool_keyword","usaupload","uploading files to usaupload","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","N/A","Data Exfiltration","https://usaupload.com/","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","47984" "*https://we.tl/t-*",".{0,1000}https\:\/\/we\.tl\/t\-.{0,1000}","greyware_tool_keyword","wetransfer","WeTransfer is a popular file sharing service often used by malicious actors for phishing campaigns due to its legitimate reputation and widespread use even within some enterprises to share files","T1608.001 - T1566 - T1002 - T1048 - T1204","TA0001 - TA0002 - TA0010","N/A","EXOTIC LILY","Phishing","https://twitter.com/mthcht/status/1658853848323182597","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47987" "*https://webhook.site/*-*-*-*",".{0,1000}https\:\/\/webhook\.site\/.{0,1000}\-.{0,1000}\-.{0,1000}\-.{0,1000}","greyware_tool_keyword","webhook.site","test HTTP webhooks with this 
handy tool that displays requests instantly - abused by attacker for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/webhooksite/webhook.site","1","1","N/A","Out of band interaction domains","10","10","5806","457","2025-04-04T10:42:59Z","2016-03-21T08:45:42Z","47990" "*https://wetransfer.com/api/v4/transfers/*",".{0,1000}https\:\/\/wetransfer\.com\/api\/v4\/transfers\/.{0,1000}","greyware_tool_keyword","wetransfer","WeTransfer is a popular file-sharing service often used by malicious actors for phishing campaigns due to its legitimate reputation and widespread use even within some enterprises to share files","T1608.001 - T1566 - T1002 - T1048 - T1204","TA0001 - TA0002 - TA0010","N/A","EXOTIC LILY","Phishing","https://twitter.com/mthcht/status/1658853848323182597","1","1","#filehostingservice","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47991" "*https://wetransfer.com/downloads/*",".{0,1000}https\:\/\/wetransfer\.com\/downloads\/.{0,1000}","greyware_tool_keyword","wetransfer","WeTransfer is a popular file-sharing service often used by malicious actors for phishing campaigns due to its legitimate reputation and widespread use even within some enterprises to share files","T1608.001 - T1566 - T1002 - T1048 - T1204","TA0001 - TA0002 - TA0010","N/A","EXOTIC LILY","Phishing","https://twitter.com/mthcht/status/1658853848323182597","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","47992" "*https://www.4shared.com/get/*",".{0,1000}https\:\/\/www\.4shared\.com\/get\/.{0,1000}","greyware_tool_keyword","4shared.com","Downloading a file from 4shared.com","T1105 - T1071 - T1125","TA0009","N/A","Turla","Collection","4shared.com","1","1","#filehostingservice","N/A","6","5","N/A","N/A","N/A","N/A","47998" 
"*https://www.autohotkey.com/download/*",".{0,1000}https\:\/\/www\.autohotkey\.com\/download\/.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","1","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","47999" "*https://www.btunnel.in/downloads*",".{0,1000}https\:\/\/www\.btunnel\.in\/downloads.{0,1000}","greyware_tool_keyword","btunnel","Btunnel is a publicly accessible reverse proxy","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://www.btunnel.in","1","1","N/A","N/A","9","8","N/A","N/A","N/A","N/A","48003" "*https://www.dataplicity.com/*.py*",".{0,1000}https\:\/\/www\.dataplicity\.com\/.{0,1000}\.py.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","48004" "*https://www.duckdns.org/update?domains=*",".{0,1000}https\:\/\/www\.duckdns\.org\/update\?domains\=.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","48005" "*https://www.email-format.com/d/*",".{0,1000}https\:\/\/www\.email\-format\.com\/d\/.{0,1000}","greyware_tool_keyword","email-format","used by attackers to find informations about a company users","T1593 - T1596 - 
T1213","TA0009","N/A","N/A","Reconnaissance","https://www.email-format.com","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","48006" "*https://www.guerrillamail.com/compose*",".{0,1000}https\:\/\/www\.guerrillamail\.com\/compose.{0,1000}","greyware_tool_keyword","guerrillamail","disposable email address to use anytime.","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","https://www.guerrillamail.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48008" "*https://www.guerrillamail.com/inbox*",".{0,1000}https\:\/\/www\.guerrillamail\.com\/inbox.{0,1000}","greyware_tool_keyword","guerrillamail","disposable email address to use anytime.","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","https://www.guerrillamail.com","1","1","N/A","N/A","8","9","N/A","N/A","N/A","N/A","48009" "*https://www.lansweeper.com/installation.aspx*",".{0,1000}https\:\/\/www\.lansweeper\.com\/installation\.aspx.{0,1000}","greyware_tool_keyword","Lansweeper","Lansweeper discovers and inventories IT assets - gathering system - software and user data - abused by attackers","T1016 - T1082","TA0007","N/A","EvilCorp*","Discovery","https://www.lansweeper.com/","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","48012" "*https://www.majorgeeks.com/files/details/pc_hunter.html*",".{0,1000}https\:\/\/www\.majorgeeks\.com\/files\/details\/pc_hunter\.html.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","48013" "*https://www.mediafire.com/api/*/folder/get_content.php*",".{0,1000}https\:\/\/www\.mediafire\.com\/api\/.{0,1000}\/folder\/get_content\.php.{0,1000}","greyware_tool_keyword","mediafire","downloading from mediafire","T1105 - T1114 - T1083","TA0009","N/A","Black Basta","Collection","N/A","1","1","#filehostingservice","N/A","7","8","N/A","N/A","N/A","N/A","48014" "*https://www.nirsoft.net/toolsdownload/*",".{0,1000}https\:\/\/www\.nirsoft\.net\/toolsdownload\/.{0,1000}","greyware_tool_keyword","nirsoft tools","NirSoft is a legitimate software company that develops system utilities for Windows. Some of its tools can be used by malicious actors to recover passwords harvest sensitive information and conduct password attacks.","T1003 - T1003.001 - T1003.002 - T1110 - T1566","TA0002 - TA0003 - TA0004 - TA0006 - TA0007 - TA0008 - TA0011","N/A","N/A","Collection","N/A","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48016" "*https://www.nirsoft.net/toolsdownload/*.exe*",".{0,1000}https\:\/\/www\.nirsoft\.net\/toolsdownload\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","nirsoft tools","some of nirsoft tools can be abused by attackers to retrieve passwords ","T1003 - T1021 - T1056 - T1110 - T1212 - T1552","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Credential Access","nirsoft.net","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48017" "*https://www.nirsoft.net/toolsdownload/*.zip*",".{0,1000}https\:\/\/www\.nirsoft\.net\/toolsdownload\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","nirsoft 
tools","some of nirsoft tools can be abused by attackers to retrieve passwords ","T1003 - T1021 - T1056 - T1110 - T1212 - T1552","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Credential Access","nirsoft.net","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48018" "*https://www.nirsoft.net/utils/*.exe*",".{0,1000}https\:\/\/www\.nirsoft\.net\/utils\/.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","nirsoft tools","some of nirsoft tools can be abused by attackers to retrieve passwords ","T1003 - T1021 - T1056 - T1110 - T1212 - T1552","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Credential Access","nirsoft.net","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48019" "*https://www.nirsoft.net/utils/*.zip*",".{0,1000}https\:\/\/www\.nirsoft\.net\/utils\/.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","nirsoft tools","some of nirsoft tools can be abused by attackers to retrieve passwords ","T1003 - T1021 - T1056 - T1110 - T1212 - T1552","TA0001 - TA0002 - TA0003 - TA0005 - TA0006 - TA0007 - TA0011","N/A","N/A","Credential Access","nirsoft.net","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48020" "*https://www.premiumize.me/*",".{0,1000}https\:\/\/www\.premiumize\.me\/.{0,1000}","greyware_tool_keyword","premiumize.me","hosting service abused by attackers","T1583.003 - T1071 - T1102","TA0010 - TA0005 - TA0009","N/A","N/A","Collection","www.premiumize.me","1","1","#filehostingservice #P2P","N/A","10","10","N/A","N/A","N/A","N/A","48022" "*https://www.sendspace.com/delete*",".{0,1000}https\:\/\/www\.sendspace\.com\/delete.{0,1000}","greyware_tool_keyword","sendspace.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Dispossessor - 
Black Basta - Hive - Ragnar Locker - Royal - LockBit - Vice Society","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48023" "*https://www.sendspace.com/file/*",".{0,1000}\shttps\:\/\/www\.sendspace\.com\/file\/.{0,1000}","greyware_tool_keyword","sendspace.com","Interesting observation on the file-sharing platform preferences derived from the negotiations chats with LockBit victims","T1567 - T1022 - T1074 - T1105","TA0011 - TA0009 - TA0010 - TA0008","N/A","Dispossessor - Black Basta - Hive - Ragnar Locker - Royal - LockBit - Vice Society","Collection","https://twitter.com/mthcht/status/1660953897622544384","1","1","#filehostingservice","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","48024" "*https://www.skymem.info/srch?q=*",".{0,1000}https\:\/\/www\.skymem\.info\/srch\?q\=.{0,1000}","greyware_tool_keyword","skymen.info","used by attackers to find information about a company's users","T1593 - T1596 - T1213","TA0009","N/A","N/A","Reconnaissance","https://www.skymem.info","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","48025" "*https://www.softether-download.com/*",".{0,1000}https\:\/\/www\.softether\-download\.com\/.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","48026" "*https://www.softperfect.com/download/files/netscan*",".{0,1000}https\:\/\/www\.softperfect\.com\/download\/files\/netscan.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about 
network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","48027" "*https://www.softperfect.com/products/networkscanner/?from=nver*",".{0,1000}https\:\/\/www\.softperfect\.com\/products\/networkscanner\/\?from\=nver.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","48028" "*https://www.telerik.com/download/fiddler/*",".{0,1000}https\:\/\/www\.telerik\.com\/download\/fiddler\/.{0,1000}","greyware_tool_keyword","fiddler","fiddler - capture https requests","T1056 - T1040 - T1557","TA0009 - TA00010","N/A","N/A","Collection","https://www.telerik.com/","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","48032" "*https://www.wireguard.com/install*",".{0,1000}https\:\/\/www\.wireguard\.com\/install.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48035" 
"*https://www.wireguard.com/install*",".{0,1000}https\:\/\/www\.wireguard\.com\/install.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","48036" "*https://zerobin.net/?*",".{0,1000}https\:\/\/zerobin\.net\/\?.{0,1000}","greyware_tool_keyword","zerobin.net","accessing paste raw content","T1119","TA0009","N/A","N/A","Collection","https://zerobin.net/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","48041" "*https://zerobin.net/js/privatebin.js*",".{0,1000}https\:\/\/zerobin\.net\/js\/privatebin\.js.{0,1000}","greyware_tool_keyword","zerobin.net","sending data to a pastebin","T1567.002","TA0010","N/A","N/A","Data Exfiltration","https://zerobin.net/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","48042" "*https://zrok.*",".{0,1000}https\:\/\/zrok\..{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","48043" "*hub.ehorus.com",".{0,1000}hub\.ehorus\.com","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48058" "*humphd/VncSharp*",".{0,1000}humphd\/VncSharp.{0,1000}","greyware_tool_keyword","VncSharp","VncSharp is a GPL implementation of the VNC Remote Framebuffer (RFB) Protocol for the .NET Framework","T1021.001 - T1219 - T1071.001","TA0007 - TA0008","Carbanak","FIN7 - Carbanak","Lateral Movement","https://github.com/humphd/VncSharp","1","1","N/A","N/A","8","3","246","179","2019-02-18T16:04:27Z","2012-03-05T15:23:41Z","48059" "*hypertunnel.lvh.me*",".{0,1000}hypertunnel\.lvh\.me.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","48086" "*hypertunnel-server@latest*",".{0,1000}hypertunnel\-server\@latest.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","48087" "*hypnotoad -s webapp.pl && sleep 5*",".{0,1000}hypnotoad\s\-s\swebapp\.pl\s\&\&\ssleep\s5.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","48090" "*icacls ""%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"" 2>nul*",".{0,1000}icacls\s\""\%appdata\%\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated 
with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48118" "*icacls ""%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"" 2>nul*",".{0,1000}icacls\s\""\%programdata\%\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48120" "*icacls ""%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*"" 2>nul*",".{0,1000}icacls\s\""\%programdata\%\\Microsoft\\Windows\\Start\sMenu\\Programs\\Startup\\.{0,1000}\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48122" "*icacls ""C:\Documents and Settings\%username%\Start Menu\Programs\Startup"" 2>nul*",".{0,1000}icacls\s\""C\:\\Documents\sand\sSettings\\\%username\%\\Start\sMenu\\Programs\\Startup\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48124" "*icacls ""C:\Documents and Settings\%username%\Start Menu\Programs\Startup\*"" 
2>nul*",".{0,1000}icacls\s\""C\:\\Documents\sand\sSettings\\\%username\%\\Start\sMenu\\Programs\\Startup\\.{0,1000}\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48126" "*icacls ""C:\Documents and Settings\All Users\Start Menu\Programs\Startup"" 2>nul*",".{0,1000}icacls\s\""C\:\\Documents\sand\sSettings\\All\sUsers\\Start\sMenu\\Programs\\Startup\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48128" "*icacls ""C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*"" 2>nul*",".{0,1000}icacls\s\""C\:\\Documents\sand\sSettings\\All\sUsers\\Start\sMenu\\Programs\\Startup\\.{0,1000}\""\s2\>nul.{0,1000}","greyware_tool_keyword","icacls","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","N/A","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","N/A","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","48130" "*icacls ""C:\windows\system32\config\SAM"" /grant*",".{0,1000}icacls\s\""C\:\\windows\\system32\\config\\SAM\""\s\/grant.{0,1000}","greyware_tool_keyword","icalcs","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","48132" "*icacls *(x86)\360"" * /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\(x86\)\\360\""\s.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48133" "*icacls *\360safe* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\360safe.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48134" "*icacls *\AVAST Software* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\AVAST\sSoftware.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48135" "*icacls *\AVG""* /deny 
%username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\AVG\"".{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48136" "*icacls *\Avira* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Avira.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48137" "*icacls *\Cezurity* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Cezurity.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48138" "*icacls *\COMODO* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\COMODO.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48139" 
"*icacls *\Doctor Web* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Doctor\sWeb.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48140" "*icacls *\Enigma Software Group* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Enigma\sSoftware\sGroup.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48141" "*icacls *\ESET* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\ESET.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48142" "*icacls *\GRIZZLY Antivirus* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\GRIZZLY\sAntivirus.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense 
Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48143" "*icacls *\grizzly* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\grizzly.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48144" "*icacls *\Kaspersky Lab* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Kaspersky\sLab.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48145" "*icacls *\Malwarebytes* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Malwarebytes.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48146" "*icacls *\Malwarebytes* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Malwarebytes.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or 
directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48147" "*icacls *\McAfee* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\McAfee.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48148" "*icacls *\Norton* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Norton.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48149" "*icacls *\Panda Security* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\Panda\sSecurity.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48150" "*icacls *\SpyHunter* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\SpyHunter.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware 
behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48151" "*icacls *\SpyHunter* /deny %username%:(OI)(CI)(F)*",".{0,1000}icacls\s.{0,1000}\\SpyHunter.{0,1000}\s\/deny\s\%username\%\:\(OI\)\(CI\)\(F\).{0,1000}","greyware_tool_keyword","icalcs","malware behavior - modify the permissions on files or directories that match AV name","T1222","TA0005","N/A","N/A","Defense Evasion","https://www.hybrid-analysis.com/sample/22a2fc907d960e67fe9def8946907fd324f77afce3f2792750f1ddb1de76fc9f/5ed63f715448965c0d232702","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48152" "*icacls c:\windows\system32\sethc.exe *",".{0,1000}icacls\sc\:\\windows\\system32\\sethc\.exe\s.{0,1000}","greyware_tool_keyword","icalcs","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z","48153" "*icacls* /grant Everyone:F /T /C /Q*",".{0,1000}icacls.{0,1000}\s\/grant\sEveryone\:F\s\/T\s\/C\s\/Q.{0,1000}","greyware_tool_keyword","icalcs","Grants full control to ""Everyone"" on all files and directories recursively, suppressing output and errors.","T1222.001 - T1098","TA0005 - TA0003","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48155" "*icacls.exe C:\Windows\System32\amsi.dll /grant administrators:F*",".{0,1000}icacls\.exe\sC\:\\Windows\\System32\\amsi\.dll\s\/grant\sadministrators\:F.{0,1000}","greyware_tool_keyword","icalcs","Spartacus DLL/COM Hijacking Toolkit","T1574.001 - T1055.001 - T1027.002","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","48157" "*identify_offensive_tools.ps1*",".{0,1000}identify_offensive_tools\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","1","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","48187" "*IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(*",".{0,1000}IEX\s\(\[System\.Text\.Encoding\]\:\:UTF8\.GetString\(\[System\.Convert\]\:\:FromBase64String\(.{0,1000}","greyware_tool_keyword","powershell","suspicious base64 execution often observed by stealers - could also be used legitimately by some script","T1059.001 - T1140 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","48207" "*IEX(New-Object System.Net.WebClient).DownloadString(""https://raw.githubusercontent.com/*",".{0,1000}IEX\(New\-Object\sSystem\.Net\.WebClient\)\.DownloadString\(\""https\:\/\/raw\.githubusercontent\.com\/.{0,1000}","greyware_tool_keyword","powershell","download from github from memory","T1105 - T1059.001 - T1204","TA0009 - TA0002","N/A","N/A","Collection","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","48209" "*IEX*nopaste.net*",".{0,1000}IEX.{0,1000}nopaste\.net.{0,1000}","greyware_tool_keyword","nopaste.net","nopaste.net is a temporary file host - nopaste and clipboard across machines. 
You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration","T1567.002 - T1036.005 - T1102 - T1071.001","TA0005 - TA0009 - TA0010","N/A","N/A","Collection","https://www.shellhub.io/","1","0","#Pastebinlike #filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","48210" "*if [ -f /tmp/tmpwatch ] * then*",".{0,1000}if\s\[\s\-f\s\/tmp\/tmpwatch\s\]\s.{0,1000}\sthen.{0,1000}","greyware_tool_keyword","tmpwatch","Equation Group hack tool set command exploitation- tmpwatch - removes files which haven't been accessed for a period of time","T1070.004 - T1059 - T1047","TA0007 - TA0002 - TA0040","N/A","N/A","Malware","https://linux.die.net/man/8/tmpwatch","1","0","#content","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","48211" "*ifconfig * hw ether *",".{0,1000}ifconfig\s.{0,1000}\shw\sether\s.{0,1000}","greyware_tool_keyword","ifconfig","change mac address with ifconfig","T1027","TA0002","N/A","N/A","Defense Evasion","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","48219" "*ifconfig * hw ether *:*:*",".{0,1000}ifconfig\s.{0,1000}\shw\sether\s.{0,1000}\:.{0,1000}\:.{0,1000}","greyware_tool_keyword","ifconfig","changing mac address with ifconfig","T1497.001 - T1036.004 - T1059.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","48220" "*ifconfig -a | grep * | xargs nmap -*",".{0,1000}ifconfig\s\-a\s\|\sgrep\s.{0,1000}\s\|\sxargs\snmap\s\-.{0,1000}","greyware_tool_keyword","nmap","Nmap Scan Every Interface that is Assigned an IP address","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black 
Basta","Discovery","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","8","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","48221" "*ifnaibldjfdmaipaddffmgcmekjhiloa*",".{0,1000}ifnaibldjfdmaipaddffmgcmekjhiloa.{0,1000}","greyware_tool_keyword","FREE VPN DEWELOPMENT","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","48222" "*igahhbkcppaollcjeaaoapkijbnphfhb*",".{0,1000}igahhbkcppaollcjeaaoapkijbnphfhb.{0,1000}","greyware_tool_keyword","Social VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","48223" "*import PyInstaller*",".{0,1000}import\sPyInstaller.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","0","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","48389" "*import pyshark*",".{0,1000}import\spyshark.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - 
TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","0","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","48391" "*import SimpleHTTPServer*",".{0,1000}import\sSimpleHTTPServer.{0,1000}","greyware_tool_keyword","simplehttpserver","quick web server in python","T1021.002 - T1059.006","TA0002 - TA0005","N/A","N/A","Data Exfiltration","https://docs.python.org/2/library/simplehttpserver.html","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","48396" "*import socket, socks, listen, serve, wrap_ssl, GreenPool*",".{0,1000}import\ssocket,\ssocks,\slisten,\sserve,\swrap_ssl,\sGreenPool.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","48397" "*import sshtunnel*",".{0,1000}import\ssshtunnel.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","48399" "*Import-Module *\OpenSSHUtils*",".{0,1000}Import\-Module\s.{0,1000}\\OpenSSHUtils.{0,1000}","greyware_tool_keyword","Openssh","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - FANCY BEAR","C2","https://github.com/PowerShell/openssh-portable","1","0","N/A","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","48421" "*Import-Module AADInternals*",".{0,1000}Import\-Module\sAADInternals.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - 
T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48423" "*inc1.rel.tunnels.api.visualstudio.com*",".{0,1000}inc1\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","48434" "*Incoming cmd Message: {""command"":""beginsharing""*",".{0,1000}Incoming\scmd\sMessage\:\s\{\""command\""\:\""beginsharing\"".{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","48452" "*inconshreveable/ngrok*",".{0,1000}inconshreveable\/ngrok.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","48453" "*info.meshcentral.com*",".{0,1000}info\.meshcentral\.com.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer 
management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","48461" "*Info: {""command"":""forwardtoagent"", ""context"":{""command"":""requestresponse"",""context"":{""responsename"":""beginsharing*",".{0,1000}Info\:\s\{\""command\""\:\""forwardtoagent\"",\s\""context\""\:\{\""command\""\:\""requestresponse\"",\""context\""\:\{\""responsename\""\:\""beginsharing.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","48462" "*Info: {""command"":""rdp_native_event"", ""context"":{ ""eventname"":""rdp_native_relay_connection_succeeded""} *",".{0,1000}Info\:\s\{\""command\""\:\""rdp_native_event\"",\s\""context\""\:\{\s\""eventname\""\:\""rdp_native_relay_connection_succeeded\""\}\s.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","48463" "*info@rustdesk.com*",".{0,1000}info\@rustdesk\.com.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","#email","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","48473" 
"*info@skelsecprojects.com*",".{0,1000}info\@skelsecprojects\.com.{0,1000}","greyware_tool_keyword","evilrdp","The evil twin of aardwolfgui using the aardwolf RDP client library that gives you extended control over the target and additional scripting capabilities from the command line.","T1021.001 - T1056.001 - T1113 - T1078.002 - T1105 - T1090.002 - T1059.001","TA0008 - TA0002 - TA0005 - TA0001 - TA0009 - TA0010 - TA0011","N/A","Black Basta","C2","https://github.com/skelsec/evilrdp","1","0","#email","N/A","10","10","299","31","2025-03-15T13:37:21Z","2023-11-29T13:44:58Z","48474" "*infrastructure/remotemoe.service*",".{0,1000}infrastructure\/remotemoe\.service.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","1","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","48483" "*Initializing RDP Wrapper*",".{0,1000}Initializing\sRDP\sWrapper.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malwares","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","48492" "*inligpkjkhbpifecbdjhmdpcfhnlelja*",".{0,1000}inligpkjkhbpifecbdjhmdpcfhnlelja.{0,1000}","greyware_tool_keyword","Free One Touch VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","48567" 
"*inomeogfingihgjfjlpeplalcfajhgai*",".{0,1000}inomeogfingihgjfjlpeplalcfajhgai.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48583" "*install -g localtunnel*",".{0,1000}install\s\-g\slocaltunnel.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","48607" "*install -g telebit*",".{0,1000}install\s\-g\stelebit.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48608" "*install pyinstaller*",".{0,1000}install\spyinstaller.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","0","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","48622" "*install snmpcheck*",".{0,1000}install\ssnmpcheck.{0,1000}","greyware_tool_keyword","snmpcheck","automate the process of gathering information of any devices with SNMP protocol support. like snmpwalk - snmpcheck allows you to enumerate the SNMP devices and places the output in a very human readable friendly format. 
It could be useful for penetration testing or systems monitoring","T1046 - T1018","TA0007 - TA0005","N/A","N/A","Reconnaissance","http://www.nothink.org/codes/snmpcheck/index.php","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","48628" "*install tshark*",".{0,1000}install\stshark.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","48630" "*install -y tailscale*",".{0,1000}install\s\-y\stailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","48634" "*install.bat AweSun*",".{0,1000}install\.bat\sAweSun.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48635" "*install.tunnelmole.com",".{0,1000}install\.tunnelmole\.com","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","48636" "*Install-AADIntForceNTHash*",".{0,1000}Install\-AADIntForceNTHash.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - 
T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48706" "*Install-Module AADInternals*",".{0,1000}Install\-Module\sAADInternals.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48710" "*Install-Module AADInternals*",".{0,1000}Install\-Module\sAADInternals.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48711" "*Install-PswaWebApplication -UseTestCertificate*",".{0,1000}Install\-PswaWebApplication\s\-UseTestCertificate.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","48718" 
"*Install-PswaWebApplication*",".{0,1000}Install\-PswaWebApplication.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","48719" "*install-sshd.ps1*",".{0,1000}install\-sshd\.ps1.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","N/A","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","48723" "*Install-WindowsFeature -Name Web-Server -IncludeManagementTools*",".{0,1000}Install\-WindowsFeature\s\-Name\sWeb\-Server\s\-IncludeManagementTools.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","48727" "*Install-WindowsFeature WindowsPowerShellWebAccess*",".{0,1000}Install\-WindowsFeature\sWindowsPowerShellWebAccess.{0,1000}","greyware_tool_keyword","powershell","enable the PowerShell Web Access featur which could be used for remote access and potential","T1548.002 - 
T1059.001","TA0003","N/A","N/A","Persistence","https://www.cisa.gov/sites/default/files/2024-08/aa24-241a-iran-based-cyber-actors-enabling-ransomware-attacks-on-us-organizations_0.pdf","1","0","N/A","sigma pr https://github.com/SigmaHQ/sigma/pull/4997/files","10","10","N/A","N/A","N/A","N/A","48728" "*interactsh -*",".{0,1000}interactsh\s\-.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","0","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","48730" "*interactsh*.exe",".{0,1000}interactsh.{0,1000}\.exe","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","48731" "*interactsh*oast.*",".{0,1000}interactsh.{0,1000}oast\..{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions.
It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","48732" "*interactsh-client -*",".{0,1000}interactsh\-client\s\-.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","0","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","48733" "*interactsh-server -*",".{0,1000}interactsh\-server\s\-.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions.
It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","0","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","48734" "*InternetIdService.exe*",".{0,1000}InternetIdService\.exe.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48743" "*InventoryApplicationFile\action1_agent.ex*",".{0,1000}InventoryApplicationFile\\action1_agent\.ex.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48766" "*InventoryApplicationFile\action1_remote.e*",".{0,1000}InventoryApplicationFile\\action1_remote\.e.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","48767" "*Invoke-AADIntAzureVMScript*",".{0,1000}Invoke\-AADIntAzureVMScript.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48781" "*Invoke-AADIntPhishing*",".{0,1000}Invoke\-AADIntPhishing.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48782" "*Invoke-AADIntReconAsGuest*",".{0,1000}Invoke\-AADIntReconAsGuest.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48783" "*Invoke-AADIntReconAsInsider*",".{0,1000}Invoke\-AADIntReconAsInsider.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48785" "*Invoke-AADIntReconAsOutsider*",".{0,1000}Invoke\-AADIntReconAsOutsider.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - 
T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48786" "*Invoke-AADIntSyncAgent*",".{0,1000}Invoke\-AADIntSyncAgent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48787" "*Invoke-AADIntUserEnumerationAsGuest*",".{0,1000}Invoke\-AADIntUserEnumerationAsGuest.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48788" "*Invoke-AADIntUserEnumerationAsInsider*",".{0,1000}Invoke\-AADIntUserEnumerationAsInsider.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48790" 
"*Invoke-AADIntUserEnumerationAsOutsider*",".{0,1000}Invoke\-AADIntUserEnumerationAsOutsider.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","48791" "*Invoke-ADRecon*",".{0,1000}Invoke\-ADRecon.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","1","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","48816" "*Invoke-EnumerateLocalAdmin -Verbose*",".{0,1000}Invoke\-EnumerateLocalAdmin\s\-Verbose.{0,1000}","greyware_tool_keyword","powershell","Find local admins on the domain machines","T1069.002 - T1087.002 - T1018","TA0007 - TA0009","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","48995" "*invoke-expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(*",".{0,1000}invoke\-expression\(\[System\.Text\.Encoding\]\:\:UTF8\.GetString\(\[System\.Convert\]\:\:FromBase64String\(.{0,1000}","greyware_tool_keyword","powershell","suspicious base64 execution often observed by stealers - could also be used legitimely by some script","T1059.001 - T1140 - T1027","TA0002 - TA0005","N/A","N/A","Defense 
Evasion","N/A","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","49033" "*Invoke-LdapBranchVisitor*",".{0,1000}Invoke\-LdapBranchVisitor.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","49145" "*Invoke-LdapQuery -*ConvertFrom-LdapSearchResult*",".{0,1000}Invoke\-LdapQuery\s\-.{0,1000}ConvertFrom\-LdapSearchResult.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","49146" "*Invoke-Maldaptive*",".{0,1000}Invoke\-Maldaptive.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","1","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","49164" "*invoke-rc.d dropbear *",".{0,1000}invoke\-rc\.d\sdropbear\s.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","0","N/A","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","49405" "*Invoke-UserHunter -CheckAccess*",".{0,1000}Invoke\-UserHunter\s\-CheckAccess.{0,1000}","greyware_tool_keyword","powershell","Check local admin access for the current user where the targets are found","T1078.003 - T1046 - T1087.001","TA0002 - TA0007 - 
TA0040","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","49782" "*Invoke-UserImpersonation -Credential *",".{0,1000}Invoke\-UserImpersonation\s\-Credential\s.{0,1000}","greyware_tool_keyword","adrecon","ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.","T1018 - T1087.001 - T1069.001 - T1003.002 - T1482","TA0007 - TA0009 - TA0040","N/A","Scattered Spider*","Discovery","https://github.com/adrecon/ADRecon","1","0","N/A","AD Enumeration","7","8","780","109","2024-10-15T03:41:29Z","2018-12-15T13:00:09Z","49789" "*Invoke-WebRequest ifconfig.me/ip*Content.Trim()",".{0,1000}Invoke\-WebRequest\sifconfig\.me\/ip.{0,1000}Content\.Trim\(\)","greyware_tool_keyword","powershell","C2 server to connect to a victim machine via reverse shell","T1090 - T1090.001 - T1071 - T1071.001","TA0011 ","N/A","N/A","C2","https://github.com/reveng007/C2_Server","1","0","N/A","N/A","10","10","54","18","2022-02-27T02:00:02Z","2021-03-05T12:35:45Z","49825" "*IObitUnlocker.sys*",".{0,1000}IObitUnlocker\.sys.{0,1000}","greyware_tool_keyword","IObitUnlocker","unlocking locked files on Windows systems","T1222 - T1070 - T1485","TA0005 - TA0040","N/A","PLAY","Defense Evasion","https://www.iobit.com/en/iobit-unlocker.php#","1","0","N/A","often used legitimatly - admin tool","5","9","N/A","N/A","N/A","N/A","49877" "*iocnglnmfkgfedpcemdflhkchokkfeii*",".{0,1000}iocnglnmfkgfedpcemdflhkchokkfeii.{0,1000}","greyware_tool_keyword","sVPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry 
#VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","49878" "*iolonopooapdagdemdoaihahlfkncfgg*",".{0,1000}iolonopooapdagdemdoaihahlfkncfgg.{0,1000}","greyware_tool_keyword","Azino VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","49893" "*ionice /bin/sh -p*",".{0,1000}ionice\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","49896" "*ip l set dev * address *:*:*",".{0,1000}ip\sl\sset\sdev\s.{0,1000}\saddress\s.{0,1000}\:.{0,1000}\:.{0,1000}","greyware_tool_keyword","ip","changing mac address with ip","T1497.001 - T1036.004 - T1059.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","49902" "*ip.remotepc.com*",".{0,1000}ip\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","network","10","10","N/A","N/A","N/A","N/A","49910" "*ipscan 1*.255*",".{0,1000}ipscan\s1.{0,1000}\.255.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","49916" "*ipscan 10.*",".{0,1000}ipscan\s10\..{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","49917" "*ipscan 172.*",".{0,1000}ipscan\s172\..{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","49918" "*ipscan 192.168.*",".{0,1000}ipscan\s192\.168\..{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","49919" "*ipscan.exe -*",".{0,1000}ipscan\.exe\s\-.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","49920" "*ipscan-win64-*.exe*",".{0,1000}ipscan\-win64\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","1","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","49921" "*ipt2socks -R -n 9999 -j 50 -u * -s * -l *",".{0,1000}ipt2socks\s\-R\s\-n\s9999\s\-j\s50\s\-u\s.{0,1000}\s\-s\s.{0,1000}\s\-l\s.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifiter)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","49923" "*iptables -A OUTPUT -p tcp --dport 514 -j DROP*",".{0,1000}iptables\s\-A\sOUTPUT\s\-p\stcp\s\-\-dport\s514\s\-j\sDROP.{0,1000}","greyware_tool_keyword","iptables","iptables to block syslog forwarding","T1562.004","TA0005","N/A","N/A","Defense Evasion","https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en","1","0","#linux","N/A","9","9","N/A","N/A","N/A","N/A","49925" "*iptables -A OUTPUT -p tcp --dport 6514 -j DROP*",".{0,1000}iptables\s\-A\sOUTPUT\s\-p\stcp\s\-\-dport\s6514\s\-j\sDROP.{0,1000}","greyware_tool_keyword","iptables","iptables to block syslog forwarding","T1562.004","TA0005","N/A","N/A","Defense Evasion","https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en","1","0","#linux","N/A","9","9","N/A","N/A","N/A","N/A","49926" "*iptables -A OUTPUT -p udp --dport 514 -j DROP*",".{0,1000}iptables\s\-A\sOUTPUT\s\-p\sudp\s\-\-dport\s514\s\-j\sDROP.{0,1000}","greyware_tool_keyword","iptables","iptables to block syslog forwarding","T1562.004","TA0005","N/A","N/A","Defense Evasion","https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en","1","0","#linux","N/A","9","9","N/A","N/A","N/A","N/A","49927" "*iptables -A OUTPUT -p udp --dport 6514 -j 
DROP*",".{0,1000}iptables\s\-A\sOUTPUT\s\-p\sudp\s\-\-dport\s6514\s\-j\sDROP.{0,1000}","greyware_tool_keyword","iptables","iptables to block syslog forwarding","T1562.004","TA0005","N/A","N/A","Defense Evasion","https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day?hl=en","1","0","#linux","N/A","9","9","N/A","N/A","N/A","N/A","49928" "*ITarianRemoteAccessSetup.exe*",".{0,1000}ITarianRemoteAccessSetup\.exe.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","49951" "*IWR*nopaste.net*",".{0,1000}IWR.{0,1000}nopaste\.net.{0,1000}","greyware_tool_keyword","nopaste.net","nopaste.net is a temporary file host - nopaste and clipboard across machines. 
You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration","T1567.002 - T1036.005 - T1102 - T1071.001","TA0005 - TA0009 - TA0010","N/A","N/A","Collection","https://www.shellhub.io/","1","0","#Pastebinlike #filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","49983" "*jajilbjjinjmgcibalaakngmkilboobh*",".{0,1000}jajilbjjinjmgcibalaakngmkilboobh.{0,1000}","greyware_tool_keyword","Astar VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","49999" "*jbnmpdkcfkochpanomnkhnafobppmccn*",".{0,1000}jbnmpdkcfkochpanomnkhnafobppmccn.{0,1000}","greyware_tool_keyword","apkfold free vpn","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50039" "*jdgilggpfmjpbodmhndmhojklgfdlhob*",".{0,1000}jdgilggpfmjpbodmhndmhojklgfdlhob.{0,1000}","greyware_tool_keyword","Browser VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50041" 
"*jedieiamjmoflcknjdjhpieklepfglin*",".{0,1000}jedieiamjmoflcknjdjhpieklepfglin.{0,1000}","greyware_tool_keyword","FastestVPN Proxy","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50049" "*jerson/tap/pgrok*",".{0,1000}jerson\/tap\/pgrok.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","1","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","50051" "*jgbaghohigdbgbolncodkdlpenhcmcge*",".{0,1000}jgbaghohigdbgbolncodkdlpenhcmcge.{0,1000}","greyware_tool_keyword","Free VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50056" "*jliodmnojccaloajphkingdnpljdhdok*",".{0,1000}jliodmnojccaloajphkingdnpljdhdok.{0,1000}","greyware_tool_keyword","Turbo VPN for PC","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50062" 
"*jljopmgdobloagejpohpldgkiellmfnc*",".{0,1000}jljopmgdobloagejpohpldgkiellmfnc.{0,1000}","greyware_tool_keyword","PP VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50063" "*joeware_default_adfind.cf*",".{0,1000}joeware_default_adfind\.cf.{0,1000}","greyware_tool_keyword","adfind","adfind is a command-line tool often used by administrators for Active Directory queries. However. attackers are abusing it to gather valuable information about the network environment","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://www.virustotal.com/gui/file/484dd00e85c033fbfd506b956ac0acd29b30f239755ed753a2788a842425b384/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","50080" "*Join-AADIntAzureAD*",".{0,1000}Join\-AADIntAzureAD.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","50122" 
"*Join-AADIntDeviceToAzureAD*",".{0,1000}Join\-AADIntDeviceToAzureAD.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","50123" "*Join-AADIntDeviceToAzureAD.*",".{0,1000}Join\-AADIntDeviceToAzureAD\..{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","50124" "*Join-AADIntDeviceToIntune*",".{0,1000}Join\-AADIntDeviceToIntune.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","50125" "*Join-AADIntLocalDeviceToAzureAD*",".{0,1000}Join\-AADIntLocalDeviceToAzureAD.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - 
TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","50126" "*Join-AADIntOnPremDeviceToAzureAD*",".{0,1000}Join\-AADIntOnPremDeviceToAzureAD.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","50127" "*jpgljfpmoofbmlieejglhonfofmahini*",".{0,1000}jpgljfpmoofbmlieejglhonfofmahini.{0,1000}","greyware_tool_keyword","Free Residential VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50141" "*jplnlifepflhkbkgonidnobkakhmpnmh*",".{0,1000}jplnlifepflhkbkgonidnobkakhmpnmh.{0,1000}","greyware_tool_keyword","Private Internet Access","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50144" "*JPRQ - The Tunneling Service*",".{0,1000}JPRQ\s\-\sThe\sTunneling\sService.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","50145" "*jprq is successfully installed*",".{0,1000}jprq\sis\ssuccessfully\sinstalled.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","50146" "*JPRQ_DOMAIN=*",".{0,1000}JPRQ_DOMAIN\=.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","N/A","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","50147" "*jzelinskie/duckdns*",".{0,1000}jzelinskie\/duckdns.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","50185" "*kaichaosun/rlt*",".{0,1000}kaichaosun\/rlt.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","1","N/A","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","50199" "*KASEYA HOLDINGS INC.*",".{0,1000}KASEYA\sHOLDINGS\sINC\..{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","50227" "*kavika13/RemCom*",".{0,1000}kavika13\/RemCom.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","1","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","50233" "*kcdahmgmaagjhocpipbodaokikjkampi*",".{0,1000}kcdahmgmaagjhocpipbodaokikjkampi.{0,1000}","greyware_tool_keyword","Hola VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50242" "*kchocjcihdgkoplngjemhpplmmloanja*",".{0,1000}kchocjcihdgkoplngjemhpplmmloanja.{0,1000}","greyware_tool_keyword","IPBurger Proxy & VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50243" "*kcndmbbelllkmioekdagahekgimemejo*",".{0,1000}kcndmbbelllkmioekdagahekgimemejo.{0,1000}","greyware_tool_keyword","VPN.AC","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50245" "*keodbianoliadkoelloecbhllnpiocoi*",".{0,1000}keodbianoliadkoelloecbhllnpiocoi.{0,1000}","greyware_tool_keyword","Hide My IP VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50297" "*killall mega-cmd*",".{0,1000}killall\smega\-cmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","50456" "*killall mega-cmd-server*",".{0,1000}killall\smega\-cmd\-server.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","50457" "*killall xmrig*",".{0,1000}killall\sxmrig.{0,1000}","greyware_tool_keyword","xmrig","Auto 
setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","50458" "*KimiNewt/pyshark*",".{0,1000}KimiNewt\/pyshark.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","1","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","50478" "*kindloader.exe* --extract kindlocker*",".{0,1000}kindloader\.exe.{0,1000}\s\-\-extract\skindlocker.{0,1000}","greyware_tool_keyword","tir_blanc_holiseum","Ransomware simulation","T1486 - T1204 - T1027 - T1059","TA0040 - TA0002 - TA0005","N/A","N/A","Ransomware","https://www.holiseum.com/services/auditer/tir-a-blanc-ransomware","1","0","N/A","N/A","4","6","N/A","N/A","N/A","N/A","50479" "*kitename.pagekite.me*",".{0,1000}kitename\.pagekite\.me.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","50494" "*klnkiajpmpkkkgpgbogmcgfjhdoljacg*",".{0,1000}klnkiajpmpkkkgpgbogmcgfjhdoljacg.{0,1000}","greyware_tool_keyword","Free VPN for Chrome","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50521" 
"*knajdeaocbpmfghhmijicidfcmdgbdpm*",".{0,1000}knajdeaocbpmfghhmijicidfcmdgbdpm.{0,1000}","greyware_tool_keyword","Guru VPN & Proxy","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50524" "*knmmpciebaoojcpjjoeonlcjacjopcpf*",".{0,1000}knmmpciebaoojcpjjoeonlcjacjopcpf.{0,1000}","greyware_tool_keyword","Thunder Proxy","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50528" "*kpiecbcckbofpmkkkdibbllpinceiihk*",".{0,1000}kpiecbcckbofpmkkkdibbllpinceiihk.{0,1000}","greyware_tool_keyword","DotVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","50554" "*-l:NimScanToC.a *",".{0,1000}\-l\:NimScanToC\.a\s.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","50672" "*lansearch.exe *",".{0,1000}lansearch\.exe\s.{0,1000}","greyware_tool_keyword","advanced port 
scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","50790" "*lansearchpro_portable.zip*",".{0,1000}lansearchpro_portable\.zip.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","50791" "*lansearchpro_setup.exe*",".{0,1000}lansearchpro_setup\.exe.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","50792" "*Launch the client, exposing a local service to the internet*",".{0,1000}Launch\sthe\sclient,\sexposing\sa\slocal\sservice\sto\sthe\sinternet.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","50835" "*launcher-rest-new.live.corecollab.ucc-prod.eva.goto.com*",".{0,1000}launcher\-rest\-new\.live\.corecollab\.ucc\-prod\.eva\.goto\.com.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that 
allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","50837" "*lcmammnjlbmlbcaniggmlejfjpjagiia*",".{0,1000}lcmammnjlbmlbcaniggmlejfjpjagiia.{0,1000}","greyware_tool_keyword","Adblock Office VPN Proxy Server","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50858" "*L-codes/LTProxy*",".{0,1000}L\-codes\/LTProxy.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","1","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","50859" "*L-codes/Neo-reGeorg*",".{0,1000}L\-codes\/Neo\-reGeorg.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","1","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","50860" "*ldapsearch * ldap://*",".{0,1000}ldapsearch\s.{0,1000}\sldap\:\/\/.{0,1000}","greyware_tool_keyword","ldapsearch","ldapsearch to enumerate ldap","T1018 - T1087 - T1069","TA0007 - TA0002 - TA0008","N/A","N/A","Reconnaissance","https://man7.org/linux/man-pages/man1/ldapsearch.1.html","1","0","#linux","greyware tool - risks of False positive !","6","10","N/A","N/A","N/A","N/A","50893" "*ldapsearch -x -h * 
-s base*",".{0,1000}ldapsearch\s\-x\s\-h\s.{0,1000}\s\-s\sbase.{0,1000}","greyware_tool_keyword","ldapsearch","ldapsearch to enumerate ldap","T1018 - T1087 - T1069","TA0007 - TA0002 - TA0008","N/A","N/A","Reconnaissance","https://man7.org/linux/man-pages/man1/ldapsearch.1.html","1","0","#linux","greyware tool - risks of False positive !","6","10","N/A","N/A","N/A","N/A","50894" "*ldifde.exe -f *\temp\*.txt -p subtree*",".{0,1000}ldifde\.exe\s\-f\s.{0,1000}\\temp\\.{0,1000}\.txt\s\-p\ssubtree.{0,1000}","greyware_tool_keyword","ldifde","using ldifde.exe to export data from Active Directory to a .txt file in the Temp directory","T1018 - T1005 - T1077.001","TA0007 - TA0005 - TA0002","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","greyware_tools high risks of false positives","5","5","N/A","N/A","N/A","N/A","50917" "*lejgfmmlngaigdmmikblappdafcmkndb*",".{0,1000}lejgfmmlngaigdmmikblappdafcmkndb.{0,1000}","greyware_tool_keyword","uVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","50956" "*LEVEL_API_KEY=* bash -c ""$(curl -L *",".{0,1000}LEVEL_API_KEY\=.{0,1000}\sbash\s\-c\s\""\$\(curl\s\-L\s.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","50980" "*LHOST=0.tcp.ngrok.io*",".{0,1000}LHOST\=0\.tcp\.ngrok\.io.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - 
T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","50990" "*libwireshark16*",".{0,1000}libwireshark16.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","51011" "*libwireshark-data*",".{0,1000}libwireshark\-data.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","51012" "*libwireshark-dev*",".{0,1000}libwireshark\-dev.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","51013" "*libwiretap13*",".{0,1000}libwiretap13.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","51014" "*license.bomgar.com*",".{0,1000}license\.bomgar\.com.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar BeyondTrust Remote access software - 
abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51018" "*Linux ITSM Agent/* -e /tmp/install.sh *",".{0,1000}Linux\sITSM\sAgent\/.{0,1000}\s\-e\s\/tmp\/install\.sh\s.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","51055" "*linux@mega.co.nz*",".{0,1000}linux\@mega\.co\.nz.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#email","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","51068" "*linux-amd64-client -local http://127.0.0.1*",".{0,1000}linux\-amd64\-client\s\-local\shttp\:\/\/127\.0\.0\.1.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#linux","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","51075" "*linux-amd64-server -addr *",".{0,1000}linux\-amd64\-server\s\-addr\s.{0,1000}","greyware_tool_keyword","gt","Fast WebSocket(s)/HTTP(s)/TCP relay proxy for making tunnels to localhost.","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/ao-space/gt","1","0","#linux","N/A","10","10","132","36","2024-10-30T00:37:47Z","2021-11-29T03:09:56Z","51076" "*linuxfw.TailscaleSubnetRouteMark*",".{0,1000}linuxfw\.TailscaleSubnetRouteMark.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","#linux","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","51082" "*lklekjodgannjcccdlbicoamibgbdnmi*",".{0,1000}lklekjodgannjcccdlbicoamibgbdnmi.{0,1000}","greyware_tool_keyword","Anonymous Proxy Vpn Browser","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","51133" "*llawerifvda hsten*",".{0,1000}llawerifvda\shsten.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51136" "*llbhddikeonkpbhpncnhialfbpnilcnc*",".{0,1000}llbhddikeonkpbhpncnhialfbpnilcnc.{0,1000}","greyware_tool_keyword","ProxyFlow","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","51137" 
"*LMI_RescueRC.exe*",".{0,1000}LMI_RescueRC\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51148" "*LMIGuardianDll.dll*",".{0,1000}LMIGuardianDll\.dll.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51149" "*LMIGuardianSvc.exe*",".{0,1000}LMIGuardianSvc\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51150" "*ln /dev/null -/.bash_history -sf*",".{0,1000}ln\s\/dev\/null\s\-\/\.bash_history\s\-sf.{0,1000}","greyware_tool_keyword","ln","covering history tracks on linux system","T1070 - T1070.001 - T1070.004 - T1070.003 - T1070.002","TA0005 - TA0043","N/A","N/A","Defense Evasion","https://rosesecurity.gitbook.io/red-teaming-ttps/linux","1","0","#linux","risk of False positive","10","10","N/A","N/A","N/A","N/A","51151" "*ln -sf /dev/null *bash_history*",".{0,1000}ln\s\-sf\s\/dev\/null\s.{0,1000}bash_history.{0,1000}","greyware_tool_keyword","bash","Clear command history in linux which is used for 
defense evasion. ","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml","1","0","#linux","greyware tool - risks of False positive !","10","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","51153" "*lneaocagcijjdpkcabeanfpdbmapcjjg*",".{0,1000}lneaocagcijjdpkcabeanfpdbmapcjjg.{0,1000}","greyware_tool_keyword","Hub VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","51155" "*lnfdmdhmfbimhhpaeocncdlhiodoblbd*",".{0,1000}lnfdmdhmfbimhhpaeocncdlhiodoblbd.{0,1000}","greyware_tool_keyword","VPN PROXY MASTER","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","51156" "*local.hypertunnel.lvh.me*",".{0,1000}local\.hypertunnel\.lvh\.me.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","0","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","51192" "*Local: crc32 compensation attack*",".{0,1000}Local\:\scrc32\scompensation\sattack.{0,1000}","greyware_tool_keyword","ssh","Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts","T1071.004 - 
T1078.004","TA0011 - TA0006","N/A","N/A","Exploitation tool","https://github.com/ossec/ossec-hids/blob/master/etc/rules/sshd_rules.xml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","4692","1051","2025-01-22T01:58:36Z","2013-09-17T17:07:58Z","51193" "*localhost:4782*",".{0,1000}localhost\:4782.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","51218" "*local-tailscaled.sock*",".{0,1000}local\-tailscaled\.sock.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","51239" "*localtunnel client --host *",".{0,1000}localtunnel\sclient\s\-\-host\s.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","N/A","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","51241" "*localtunnel server --domain 
*",".{0,1000}localtunnel\sserver\s\-\-domain\s.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","N/A","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","51242" "*localtunnel.github.io/www/*",".{0,1000}localtunnel\.github\.io\/www\/.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","1","N/A","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","51243" "*localtunnel/go-localtunnel*",".{0,1000}localtunnel\/go\-localtunnel.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","51244" "*localtunnel/localtunnel*",".{0,1000}localtunnel\/localtunnel.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","1","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","51245" "*localtunnel/nginx*",".{0,1000}localtunnel\/nginx.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data 
Exfiltration","https://github.com/localtunnel/server","1","1","N/A","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","51246" "*localtunnel/server*",".{0,1000}localtunnel\/server.{0,1000}","greyware_tool_keyword","localtunnels","server for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/server","1","1","N/A","N/A","8","10","3163","1033","2024-03-20T09:14:46Z","2013-06-16T22:30:48Z","51247" "*localtunnel/server.git*",".{0,1000}localtunnel\/server\.git.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","51248" "*localtunnel-server:latest*",".{0,1000}localtunnel\-server\:latest.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","51249" "*localxpose/localxpose*",".{0,1000}localxpose\/localxpose.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51250" "*locate password | more*",".{0,1000}locate\spassword\s\|\smore.{0,1000}","greyware_tool_keyword","locate","Find sensitive files","T1083 - T1213.002 - T1005","TA0007 - TA0010","N/A","N/A","discovery","N/A","1","0","N/A","greyware_tools high risks 
of false positives","6","4","N/A","N/A","N/A","N/A","51251" "*location:\\*.trycloudfare.com*",".{0,1000}location\:\\\\.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","0","#email","N/A","10","10","N/A","N/A","N/A","N/A","51253" "*lochiccbgeohimldjooaakjllnafhaid*",".{0,1000}lochiccbgeohimldjooaakjllnafhaid.{0,1000}","greyware_tool_keyword","IP Unblock","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","51255" "*loclx tunnel config *",".{0,1000}loclx\stunnel\sconfig\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51304" "*loclx tunnel http *",".{0,1000}loclx\stunnel\shttp\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51305" "*loclx tunnel tcp 
*",".{0,1000}loclx\stunnel\stcp\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51306" "*loclx tunnel tls *",".{0,1000}loclx\stunnel\stls\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51307" "*loclx tunnel udp *",".{0,1000}loclx\stunnel\sudp\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51308" "*loclx.exe tunnel http *",".{0,1000}loclx\.exe\stunnel\shttp\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51309" "*loclx.exe tunnel tcp *",".{0,1000}loclx\.exe\stunnel\stcp\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51310" "*loclx.exe tunnel tls *",".{0,1000}loclx\.exe\stunnel\stls\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to 
expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51311" "*loclx.exe tunnel udp *",".{0,1000}loclx\.exe\stunnel\sudp\s.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51312" "*loclx-client.s3.amazonaws.com*",".{0,1000}loclx\-client\.s3\.amazonaws\.com.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","1","N/A","N/A","10","1","N/A","N/A","N/A","N/A","51313" "*login.remotepc.com*",".{0,1000}login\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","network","10","10","N/A","N/A","N/A","N/A","51327" "*login.swi-dre.com*",".{0,1000}login\.swi\-dre\.com.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51328" "*login.tailscale.com*",".{0,1000}login\.tailscale\.com.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","51329" "*LogMeIn Rescue Technician Console.lnk*",".{0,1000}LogMeIn\sRescue\sTechnician\sConsole\.lnk.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51336" "*LogMeInRescueTechnicianConsoleApp.msi*",".{0,1000}LogMeInRescueTechnicianConsoleApp\.msi.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51337" "*logs.logdna.com*",".{0,1000}logs\.logdna\.com.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","#logfile","N/A","10","10","N/A","N/A","N/A","N/A","51341" "*logsave /dev/null /bin/sh -i -p*",".{0,1000}logsave\s\/dev\/null\s\/bin\/sh\s\-i\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","51347" "*ls 
\\1*.*.*.*\IPC$\*",".{0,1000}ls\s\\\\1.{0,1000}\..{0,1000}\..{0,1000}\..{0,1000}\\IPC\$\\.{0,1000}","greyware_tool_keyword","ls","list remote pipename ","T1047 - T1021.006","TA0008 - TA0002","N/A","N/A","Discovery","https://outflank.nl/blog/2023/10/19/listing-remote-named-pipes/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","51372" "*ls env:USERNAME*",".{0,1000}ls\senv\:USERNAME.{0,1000}","greyware_tool_keyword","powershell","alternative to whoami","T1033 ","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","3","6","N/A","N/A","N/A","N/A","51373" "*LS1kb25hdGUtbGV2ZWw9*",".{0,1000}LS1kb25hdGUtbGV2ZWw9.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","#linux","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","51377" "*lsass*rundll32.exe *comsvcs.dll, MiniDump *.dmp full*",".{0,1000}lsass.{0,1000}rundll32\.exe\s.{0,1000}comsvcs\.dll,\sMiniDump\s.{0,1000}\.dmp\sfull.{0,1000}","greyware_tool_keyword","rundll32","dumping lsass","T1003 - T1055.011 - T1564.002","TA0005 - TA0006","N/A","Black Basta","Credential Access","N/A","1","0","N/A","observed in exploitations by mthcht","10","10","N/A","N/A","N/A","N/A","51419" "*ltproxy restart*",".{0,1000}ltproxy\srestart.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","51457" "*ltproxy start*",".{0,1000}ltproxy\sstart.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","51458" "*ltproxy stop*",".{0,1000}ltproxy\sstop.{0,1000}","greyware_tool_keyword","LTProxy","Linux Transparent Proxy (Similar to Proxifier)","T1090 - T1573.001 - T1571 - T1071.001","TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://github.com/L-codes/LTProxy","1","0","#linux","N/A","10","1","31","5","2024-11-27T05:09:47Z","2021-11-11T15:17:54Z","51459" "*m2m.dataplicity.com*",".{0,1000}m2m\.dataplicity\.com.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","51510" "*macchanger -r *",".{0,1000}macchanger\s\-r\s.{0,1000}","greyware_tool_keyword","macchanger","changing mac address with macchanger","T1497.001 - T1036.004 - T1059.001","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","51524" "*macdlemfnignjhclfcfichcdhiomgjjb*",".{0,1000}macdlemfnignjhclfcfichcdhiomgjjb.{0,1000}","greyware_tool_keyword","Free Fast VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","51526" "*MacOS/ipscan -*",".{0,1000}MacOS\/ipscan\s\-.{0,1000}","greyware_tool_keyword","ipscan","Angry IP Scanner - fast and friendly network scanner - abused by a lot of ransomware actors","T1046 - T1040 - T1018","TA0007 - TA0009","N/A","Phobos - BERSERK 
BEAR","Discovery","https://github.com/angryip/ipscan","1","0","N/A","N/A","7","10","4401","744","2024-11-23T19:03:47Z","2011-06-28T20:58:48Z","51529" "*majdfhpaihoncoakbjgbdhglocklcgno*",".{0,1000}majdfhpaihoncoakbjgbdhglocklcgno.{0,1000}","greyware_tool_keyword","Free VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","51560" "*MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection*",".{0,1000}MaLDAPtive\sis\sa\sframework\sfor\sLDAP\sSearchFilter\sparsing,\sobfuscation,\sdeobfuscation\sand\sdetection.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","51591" "*Maldaptive.pd1*",".{0,1000}Maldaptive\.pd1.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","1","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","51592" "*Maldaptive.psm1*",".{0,1000}Maldaptive\.psm1.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - 
TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","1","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","51593" "*MaLDAPtive/Invoke-Maldaptive*",".{0,1000}MaLDAPtive\/Invoke\-Maldaptive.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","1","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","51594" "*Manage Remote Access Service.exe*",".{0,1000}Manage\sRemote\sAccess\sService\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51626" "*managedsupport.kaseya.net*",".{0,1000}managedsupport\.kaseya\.net.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51629" "*mantvydasb/RedTeaming-Tactics-and-Techniques*",".{0,1000}mantvydasb\/RedTeaming\-Tactics\-and\-Techniques.{0,1000}","greyware_tool_keyword","ired.team","Red Teaming Tactics and Techniques","T1593.003","TA0043","N/A","N/A","Reconnaissance","https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques","1","1","N/A","N/A","7","10","4234","1071","2024-08-22T07:17:31Z","2019-03-02T13:33:33Z","51653" "*MATCH (c:Computer {unconsraineddelegation:true}) RETURN 
c*",".{0,1000}MATCH\s\(c\:Computer\s\{unconsraineddelegation\:true\}\)\sRETURN\sc.{0,1000}","greyware_tool_keyword","Neo4j","Neo4j queries - Computers in Unconstrained Delegations","T1210.002 - T1078.003 - T1046","TA0001 - TA0007 - TA0040","N/A","N/A","Reconnaissance","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","51673" "*MATCH (c:Computer)*(t:Computer)* *-[:AllowedToDelegate]* return p*",".{0,1000}MATCH\s\(c\:Computer\).{0,1000}\(t\:Computer\).{0,1000}\s.{0,1000}\-\[\:AllowedToDelegate\].{0,1000}\sreturn\sp.{0,1000}","greyware_tool_keyword","Neo4j","Neo4j queries - Computers AllowedToDelegate to other computers","T1210.002 - T1078.003 - T1046","TA0001 - TA0007 - TA0040","N/A","N/A","Reconnaissance","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","51674" "*MATCH p=(u:User)-[:SQLAdmin]*(c:Computer) return p*",".{0,1000}MATCH\sp\=\(u\:User\)\-\[\:SQLAdmin\].{0,1000}\(c\:Computer\)\sreturn\sp.{0,1000}","greyware_tool_keyword","Neo4j","Neo4j queries - Potential SQL Admins","T1210.002 - T1078.003 - T1046","TA0001 - TA0007 - TA0040","N/A","N/A","Reconnaissance","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","51675" "*matiboy/SirTunnel*",".{0,1000}matiboy\/SirTunnel.{0,1000}","greyware_tool_keyword","SirTunnel","SirTunnel enables you to securely expose a webserver running on your computer to a public URL using HTTPS.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/anderspitman/SirTunnel","1","1","N/A","N/A","10","10","1436","119","2024-03-24T20:15:50Z","2020-09-23T00:15:26Z","51677" "*Mazars-Tech/AD_Miner*",".{0,1000}Mazars\-Tech\/AD_Miner.{0,1000}","greyware_tool_keyword","AD_Miner","AD Miner is an Active Directory 
audit tool that leverages cypher queries to crunch data from the #Bloodhound graph database to uncover security weaknesses","T1482 - T1069 - T1087","TA0007 ","N/A","EMBER BEAR","Discovery","https://github.com/Mazars-Tech/AD_Miner","1","1","N/A","N/A","6","10","1290","131","2025-03-12T10:53:09Z","2023-09-26T12:36:59Z","51685" "*md *.::$index_allocation*",".{0,1000}md\s.{0,1000}\.\:\:\$index_allocation.{0,1000}","greyware_tool_keyword","$index_allocation","creation of hidden folders (and file) via ...$.......::$index_allocation","T1027.001 - T1564.001","TA0005 ","N/A","N/A","Defense Evasion","https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51692" "*mdmsupport.comodo.com*",".{0,1000}mdmsupport\.comodo\.com.{0,1000}","greyware_tool_keyword","ComodoRMM (Itarian RMM)","Comodo offers IT Remote Management tools includes RMM Software - Remote Access - Service Desk - Patch Management and Network Assessment (Itarian RMM)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://one.comodo.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51701" "*mediator.goodsync.com*",".{0,1000}mediator\.goodsync\.com.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","1","#filehostingservice","N/A","9","10","N/A","N/A","N/A","N/A","51717" "*MEGA/MEGAcmdUpdaterTask*",".{0,1000}MEGA\/MEGAcmdUpdaterTask.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#useragent","https://github.com/meganz/MEGAcmd/blob/d0a1e8e2c7d70fd951ef47d2d92243a65f0bb6eb/src/updater/Preferences.h#L6","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","51722" "*MEGAcmd/* MegaClient/*",".{0,1000}MEGAcmd\/.{0,1000}\sMegaClient\/.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","#useragent","https://github.com/meganz/MEGAcmd/blob/d0a1e8e2c7d70fd951ef47d2d92243a65f0bb6eb/UserGuide.md?plain=1#L374","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","51724" "*MEGAsync Update Task*",".{0,1000}MEGAsync\sUpdate\sTask.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51729" "*MEGAsync.exe /*",".{0,1000}MEGAsync\.exe\s\/.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51730" 
"*MEGASYNC.EXE-*.pf*",".{0,1000}MEGASYNC\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51731" "*MEGAsync\ShellExtX64.dll*",".{0,1000}MEGAsync\\ShellExtX64\.dll.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51732" "*megasync-CentOS_*.x86_64.rpm*",".{0,1000}megasync\-CentOS_.{0,1000}\.x86_64\.rpm.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51733" "*megasync-CentOS_*.x86_64.rpm*",".{0,1000}megasync\-CentOS_.{0,1000}\.x86_64\.rpm.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51734" 
"*megasync-Debian_*_amd64.deb*",".{0,1000}megasync\-Debian_.{0,1000}_amd64\.deb.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51735" "*megasync-Fedora_*.x86_64.rpm*",".{0,1000}megasync\-Fedora_.{0,1000}\.x86_64\.rpm.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51736" "*megasync-openSUSE_Leap_*.x86_64.rpm*",".{0,1000}megasync\-openSUSE_Leap_.{0,1000}\.x86_64\.rpm.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51737" "*megasync-Raspbian_*_armhf.deb*",".{0,1000}megasync\-Raspbian_.{0,1000}_armhf\.deb.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51738" "*MEGAsyncSetup32_*_RC3.exe*",".{0,1000}MEGAsyncSetup32_.{0,1000}_RC3\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51739" "*MEGASYNCSETUP64.EXE-*.pf*",".{0,1000}MEGASYNCSETUP64\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51740" "*MEGAsyncSetup64_*_RC3.exe*",".{0,1000}MEGAsyncSetup64_.{0,1000}_RC3\.exe.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51741" "*MEGAsyncSetupArm64.dmg*",".{0,1000}MEGAsyncSetupArm64\.dmg.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data 
Exfiltration","https://mega.io/en/desktop","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","51742" "*megasync-x86_64.pkg*",".{0,1000}megasync\-x86_64\.pkg.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51743" "*megasync-xUbuntu_*_amd64.deb*",".{0,1000}megasync\-xUbuntu_.{0,1000}_amd64\.deb.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","51744" "*megatools copy -l * -r *",".{0,1000}megatools\scopy\s\-l\s.{0,1000}\s\-r\s.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","","N/A","","","","51745" "*megatools put *",".{0,1000}megatools\sput\s.{0,1000}","greyware_tool_keyword","megatools","Megatools is a collection of free and open source programs for accessing Mega service from a command line. 
Abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/megous/megatools","1","0","N/A","N/A","9","","N/A","","","","51746" "*MESH_AGENT_PORT*",".{0,1000}MESH_AGENT_PORT.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","51811" "*MESH_AGENT_STUN_PORT*",".{0,1000}MESH_AGENT_STUN_PORT.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","51812" "*MeshAgent Crash Dumps*",".{0,1000}MeshAgent\sCrash\sDumps.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51813" "*meshagent.exe*",".{0,1000}meshagent\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51814" "*meshagent.js*",".{0,1000}meshagent\.js.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management 
web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51815" "*MeshAgent.mpkg*",".{0,1000}MeshAgent\.mpkg.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51816" "*meshagent.pid*",".{0,1000}meshagent\.pid.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51817" "*meshagent.service*",".{0,1000}meshagent\.service.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51818" "*meshagent.zip*",".{0,1000}meshagent\.zip.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51819" "*meshagent_aarch64*",".{0,1000}meshagent_aarch64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51820" "*meshagent_aarch64-cortex-a53*",".{0,1000}meshagent_aarch64\-cortex\-a53.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51821" "*meshagent_alpine-x86-64*",".{0,1000}meshagent_alpine\-x86\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51822" "*meshagent_android.apk*",".{0,1000}meshagent_android\.apk.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51823" "*meshagent_arm*",".{0,1000}meshagent_arm.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51824" "*meshagent_arm64*",".{0,1000}meshagent_arm64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51825" "*meshagent_armhf*",".{0,1000}meshagent_armhf.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51826" "*meshagent_freebsd_x86-64*",".{0,1000}meshagent_freebsd_x86\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51827" "*meshagent_mips*",".{0,1000}meshagent_mips.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51828" "*meshagent_mips24kc*",".{0,1000}meshagent_mips24kc.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51829" "*meshagent_mipsel24kc*",".{0,1000}meshagent_mipsel24kc.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51830" "*meshagent_openbsd_x86-64*",".{0,1000}meshagent_openbsd_x86\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51831" "*meshagent_openwrt_x86_64*",".{0,1000}meshagent_openwrt_x86_64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51832" "*meshagent_osx64.msh*",".{0,1000}meshagent_osx64\.msh.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51833" "*meshagent_osx64_LaunchDaemon*",".{0,1000}meshagent_osx64_LaunchDaemon.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51834" "*meshagent_osx-arm-64*",".{0,1000}meshagent_osx\-arm\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51835" "*meshagent_osx-universal-64*",".{0,1000}meshagent_osx\-universal\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51836" "*meshagent_osx-x86-32*",".{0,1000}meshagent_osx\-x86\-32.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51837" "*meshagent_osx-x86-64*",".{0,1000}meshagent_osx\-x86\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51838" "*meshagent_pogo*",".{0,1000}meshagent_pogo.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51839" "*meshagent_poky*",".{0,1000}meshagent_poky.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51840" "*meshagent_poky64*",".{0,1000}meshagent_poky64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51841" "*meshagent_x86*",".{0,1000}meshagent_x86.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51842" "*meshagent_x86-64*",".{0,1000}meshagent_x86\-64.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51843" "*meshagent32.exe*",".{0,1000}meshagent32\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51844" "*meshagent64.exe*",".{0,1000}meshagent64\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51845" "*MeshAgent-Android-x86*",".{0,1000}MeshAgent\-Android\-x86.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51846" "*meshagentarm64.exe*",".{0,1000}meshagentarm64\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51847" "*MeshAgent-ChromeOS*",".{0,1000}MeshAgent\-ChromeOS.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51848" "*MeshAgent-Linux-ARM-PlugPC*",".{0,1000}MeshAgent\-Linux\-ARM\-PlugPC.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51849" "*MeshAgent-Linux-XEN-x86-32*",".{0,1000}MeshAgent\-Linux\-XEN\-x86\-32.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51850" "*MeshAgent-NodeJS*",".{0,1000}MeshAgent\-NodeJS.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51851" "*MeshAgentOSXPackager.zip*",".{0,1000}MeshAgentOSXPackager\.zip.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51852" "*MeshAgent-WinMinCore-Console-x86-32.exe*",".{0,1000}MeshAgent\-WinMinCore\-Console\-x86\-32\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51853" "*MeshAgent-WinMinCore-Service-x86-64.exe*",".{0,1000}MeshAgent\-WinMinCore\-Service\-x86\-64\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51854" "*Meshcentral - WebRTC Sample Server*",".{0,1000}Meshcentral\s\-\sWebRTC\sSample\sServer.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by 
attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","51855" "*MeshCentral HTTP server port *",".{0,1000}MeshCentral\sHTTP\sserver\sport\s.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51856" "*MeshCentral Satellite could not create a 802.1x profile for this device*",".{0,1000}MeshCentral\sSatellite\scould\snot\screate\sa\s802\.1x\sprofile\sfor\sthis\sdevice.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51857" "*MeshCentral Server TCP ports*",".{0,1000}MeshCentral\sServer\sTCP\sports.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51858" "*MeshCentral Server UDP ports*",".{0,1000}MeshCentral\sServer\sUDP\sports.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51859" 
"*meshcentral.exe*",".{0,1000}meshcentral\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51860" "*meshcentral.serverstats*",".{0,1000}meshcentral\.serverstats.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51861" "*MeshCentralAssistant.exe*",".{0,1000}MeshCentralAssistant\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51862" "*MeshCentralInstaller.exe*",".{0,1000}MeshCentralInstaller\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51863" "*meshcentralinstaller.exe*",".{0,1000}meshcentralinstaller\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51864" 
"*meshcentral-plugins.db*",".{0,1000}meshcentral\-plugins\.db.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51865" "*MeshCentralRoot-*",".{0,1000}MeshCentralRoot\-.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51866" "*MeshCentralRoot-a*",".{0,1000}MeshCentralRoot\-a.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","#certificate","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51867" "*MeshCentralRouter.exe*",".{0,1000}MeshCentralRouter\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51868" "*MeshCentralServer.njsproj*",".{0,1000}MeshCentralServer\.njsproj.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51869" 
"*meshcentral-smbios.db*",".{0,1000}meshcentral\-smbios\.db.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51870" "*MeshCmd64.exe*",".{0,1000}MeshCmd64\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51871" "*meshcmdService.run*",".{0,1000}meshcmdService\.run.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","51872" "*MeshCmd-signed.exe*",".{0,1000}MeshCmd\-signed\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51873" "*meshcommander install*",".{0,1000}meshcommander\sinstall.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51874" "*meshcommander 
start*",".{0,1000}meshcommander\sstart.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51875" "*meshcommander stop*",".{0,1000}meshcommander\sstop.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51876" "*meshcommander uninstall*",".{0,1000}meshcommander\suninstall.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","0","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51877" "*MeshConsole64.exe*",".{0,1000}MeshConsole64\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51878" "*MeshConsoleARM64.exe*",".{0,1000}MeshConsoleARM64\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51879" 
"*meshinstall-initd.sh*",".{0,1000}meshinstall\-initd\.sh.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51880" "*meshinstall-linux.sh*",".{0,1000}meshinstall\-linux\.sh.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","#linux","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51881" "*MeshService.exe*",".{0,1000}MeshService\.exe.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","51882" "*mhngpdlhojliikfknhfaglpnddniijfh*",".{0,1000}mhngpdlhojliikfknhfaglpnddniijfh.{0,1000}","greyware_tool_keyword","WorkingVPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","51941" "*Microsoft Azure Storage Explorer.app/Contents/*",".{0,1000}Microsoft\sAzure\sStorage\sExplorer\.app\/Contents\/.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - 
T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51965" "*Microsoft.DevTunnels.Connections.dll*",".{0,1000}Microsoft\.DevTunnels\.Connections\.dll.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51966" "*Microsoft.DevTunnels.Contracts.dll*",".{0,1000}Microsoft\.DevTunnels\.Contracts\.dll.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51967" "*Microsoft.DevTunnels.Management.dll*",".{0,1000}Microsoft\.DevTunnels\.Management\.dll.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51968" "*Microsoft.DevTunnels.Ssh.dll*",".{0,1000}Microsoft\.DevTunnels\.Ssh\.dll.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51969" "*Microsoft.DevTunnels.Ssh.Tcp.dll*",".{0,1000}Microsoft\.DevTunnels\.Ssh\.Tcp\.dll.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","51970" "*MIIEpQIBAAKCAQEAuIGT1C2uPwb62IT/5IJdFioVAB/r3Pa885n4z+xEtGIm6XmD*",".{0,1000}MIIEpQIBAAKCAQEAuIGT1C2uPwb62IT\/5IJdFioVAB\/r3Pa885n4z\+xEtGIm6XmD.{0,1000}","greyware_tool_keyword","jprq","expose TCP protocols such as HTTP - SSH etc. 
Any server!","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/azimjohn/jprq","1","0","N/A","ssh privkey","10","10","1301","178","2025-03-24T21:45:09Z","2020-04-18T10:12:42Z","51993" "*MIIJKgIBAAKCAgEAuvAs1YNtpCaqyG3Rkyutst3uIjzYLQTPWf1v+OLi3GgzshUB*",".{0,1000}MIIJKgIBAAKCAgEAuvAs1YNtpCaqyG3Rkyutst3uIjzYLQTPWf1v\+OLi3GgzshUB.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","0","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","51997" "*mining in background will be started using your startup directory script and only work when your are logged in this host*",".{0,1000}mining\sin\sbackground\swill\sbe\sstarted\susing\syour\sstartup\sdirectory\sscript\sand\sonly\swork\swhen\syour\sare\slogged\sin\sthis\shost.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","52092" "*Mining will happen to * wallet*",".{0,1000}Mining\swill\shappen\sto\s.{0,1000}\swallet.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","52093" "*MITMServerHijacking/MITMPluginLocalList*",".{0,1000}MITMServerHijacking\/MITMPluginLocalList.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & 
Spoofing","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","52161" "*Mitre-T1202.ps1*",".{0,1000}Mitre\-T1202\.ps1.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","52165" "*mjnbclmflcpookeapghfhapeffmpodij*",".{0,1000}mjnbclmflcpookeapghfhapeffmpodij.{0,1000}","greyware_tool_keyword","Ultrareach VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","52166" "*mjolnodfokkkaichkcjipfgblbfgojpa*",".{0,1000}mjolnodfokkkaichkcjipfgblbfgojpa.{0,1000}","greyware_tool_keyword","DotVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","52167" "*mkdir 
~/.bash_history*",".{0,1000}mkdir\s\~\/\.bash_history.{0,1000}","greyware_tool_keyword","mkdir","delete bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","52168" "*mkj/dropbear*",".{0,1000}mkj\/dropbear.{0,1000}","greyware_tool_keyword","dropbear","A smallish SSH server and client","T1021.004 - T1570","TA0003","N/A","COZY BEAR","Persistence","https://github.com/mkj/dropbear","1","1","N/A","N/A","8","10","1851","411","2025-03-16T12:50:35Z","2013-03-19T11:15:36Z","52171" "*mmatczuk/go-http-tunnel.git*",".{0,1000}mmatczuk\/go\-http\-tunnel\.git.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","1","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","52177" "*modprobe -r*",".{0,1000}modprobe\s\-r.{0,1000}","greyware_tool_keyword","modproble","Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.","T1547.006 - T1070.006","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_kernel_module_removal.toml","1","0","N/A","greyware tool - risks of False positive !","5","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","52231" "*modprobe --remove*",".{0,1000}modprobe\s\-\-remove.{0,1000}","greyware_tool_keyword","modproble","Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This rule identifies attempts to remove a kernel module.","T1547.006 - T1070.006","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_kernel_module_removal.toml","1","0","N/A","greyware tool - risks of False positive !","5","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","52232" "*modprobe rmmod -r*",".{0,1000}modprobe\srmmod\s\-r.{0,1000}","greyware_tool_keyword","modproble","Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.","T1547.006 - T1070.006","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_kernel_module_removal.toml","1","0","N/A","greyware tool - risks of False positive !","5","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","52233" "*Monero miner is already running in the background*",".{0,1000}Monero\sminer\sis\salready\srunning\sin\sthe\sbackground.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","52253" "*Monitoring & Management Agent by ATERA*",".{0,1000}Monitoring\s\&\sManagement\sAgent\sby\sATERA.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52259" "*movefile64.exe /nobanner *.dll 
C:\Windows\System32\amsi.dll*",".{0,1000}movefile64\.exe\s\/nobanner\s.{0,1000}\.dll\sC\:\\Windows\\System32\\amsi\.dll.{0,1000}","greyware_tool_keyword","movefile64.exe","Spartacus DLL/COM Hijacking Toolkit","T1574.001 - T1055.001 - T1027.002","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","52291" "*Mozilla/5.0 (compatible; ngrok)*",".{0,1000}Mozilla\/5\.0\s\(compatible\;\sngrok\).{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","#useragent","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","52301" "*mpcaainmfjjigeicjnlkdfajbioopjko*",".{0,1000}mpcaainmfjjigeicjnlkdfajbioopjko.{0,1000}","greyware_tool_keyword","VPN Unlimited Free","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","52306" "*MpCmdRun.exe -DownloadFile -url http://*.exe -path *",".{0,1000}MpCmdRun\.exe\s\-DownloadFile\s\-url\shttp\:\/\/.{0,1000}\.exe\s\-path\s.{0,1000}","greyware_tool_keyword","MpCmdRun","MpCmdRun LOLBAS exploitation observed in use by threat actors","T1105","TA0009 ","N/A","N/A","Collection","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52307" "*MpCmdRun.exe* 
-disable*",".{0,1000}MpCmdRun\.exe.{0,1000}\s\-disable.{0,1000}","greyware_tool_keyword","MpCmdRun","Defense evasion technique disable windows defender","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","52309" "*MpCmdRun.exe* -RemoveDefinitions -All*",".{0,1000}MpCmdRun\.exe\s\-RemoveDefinitions\s\-All.{0,1000}","greyware_tool_keyword","MpCmdRun","Wipe currently stored definitions","T1562.004 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","52311" "*MRU\RemoteSupport\127.0.0.1.tvc*",".{0,1000}MRU\\RemoteSupport\\127\.0\.0\.1\.tvc.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","52323" "*msedge* --headless * --dump-dom http*",".{0,1000}msedge.{0,1000}\s\-\-headless\s.{0,1000}\s\-\-dump\-dom\shttp.{0,1000}","greyware_tool_keyword","chromium","Headless Chromium allows running Chromium in a headless/server environment - downloading a file - abused by attackers","T1553.002 - T1059.005 - T1071.001 - T1561","TA0002","N/A","N/A","Defense Evasion","https://redcanary.com/blog/intelligence-insights-june-2023/","1","0","N/A","N/A","4","5","N/A","N/A","N/A","N/A","52342" "*msedge* --headless --disable-gpu 
--remote-debugging-port=*",".{0,1000}msedge.{0,1000}\s\-\-headless\s\-\-disable\-gpu\s\-\-remote\-debugging\-port\=.{0,1000}","greyware_tool_keyword","chromium","Headless Chromium allows running Chromium in a headless/server environment - abused by attackers","T1553.002 - T1059.005 - T1071.001 - T1561","TA0002","N/A","N/A","Defense Evasion","https://www.splunk.com/en_us/blog/security/mockbin-and-the-art-of-deception-tracing-adversaries-going-headless-and-mocking-apis.html","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","52343" "*msedge.exe* --load-extension=""*\Users\*\Appdata\Local\Temp\*",".{0,1000}msedge\.exe.{0,1000}\s\-\-load\-extension\=\"".{0,1000}\\Users\\.{0,1000}\\Appdata\\Local\\Temp\\.{0,1000}","greyware_tool_keyword","chromium","The --load-extension switch allows the source to specify a target directory to load as an extension. This gives malware the opportunity to start a new browser window with their malicious extension loaded.","T1136.001 - T1176 - T1059.007","TA0003 - TA0004 - TA0005","N/A","N/A","Exploitation tool","https://www.mandiant.com/resources/blog/lnk-between-browsers","1","0","N/A","risk of false positives","7","10","N/A","N/A","N/A","N/A","52344" "*msgfilter -P /bin/sh -p -c '/bin/sh*",".{0,1000}msgfilter\s\-P\s\/bin\/sh\s\-p\s\-c\s\'\/bin\/sh.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","52397" "*mshta ""C:\Users\Public\*",".{0,1000}mshta\s\""C\:\\Users\\Public\\.{0,1000}","greyware_tool_keyword","mshta","executing from public folder","T1218.005 - T1059.003 - T1216","TA0002 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52400" "*mshta 
http*.hta*",".{0,1000}mshta\shttp.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52401" "*mshta https://tinyurl.com/*",".{0,1000}mshta\shttps\:\/\/tinyurl\.com\/.{0,1000}","greyware_tool_keyword","mshta","downloading from tinyurl","T1204.002 - T1105 - T1071.001 - T1102.003","TA0009 ","N/A","N/A","Collection","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52402" "*mshta javascript:*script:https:*",".{0,1000}mshta\sjavascript\:.{0,1000}script\:https\:.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52403" "*mshta javascript:a=(GetObject(""script:http*.sct*)).Exec();close();*",".{0,1000}mshta\sjavascript\:a\=\(GetObject\(\""script\:http.{0,1000}\.sct.{0,1000}\)\)\.Exec\(\)\;close\(\)\;.{0,1000}","greyware_tool_keyword","mshta","Invoking a scriptlet file hosted remotely","T1218.005 - T1059.001 - T1105","TA0002 - TA0009","N/A","N/A","Collection","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52404" "*mshta vbscript:Close(Execute(*script:https://*.sct*",".{0,1000}mshta\svbscript\:Close\(Execute\(.{0,1000}script\:https\:\/\/.{0,1000}\.sct.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52405" "*mshta.exe https://tinyurl.com/*",".{0,1000}mshta\.exe\shttps\:\/\/tinyurl\.com\/.{0,1000}","greyware_tool_keyword","mshta","downloading from tinyurl","T1204.002 - T1105 - T1071.001 - T1102.003","TA0009 
","N/A","N/A","Collection","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52407" "*mshta.exe javascript:a=(GetObject(""script:http*.sct*)).Exec();close();*",".{0,1000}mshta\.exe\sjavascript\:a\=\(GetObject\(\""script\:http.{0,1000}\.sct.{0,1000}\)\)\.Exec\(\)\;close\(\)\;.{0,1000}","greyware_tool_keyword","mshta","Invoking a scriptlet file hosted remotely","T1218.005 - T1059.001 - T1105","TA0002 - TA0009","N/A","N/A","Collection","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52408" "*mshta.exe* ""C:\Users\Public\*",".{0,1000}mshta\.exe.{0,1000}\s\""C\:\\Users\\Public\\.{0,1000}","greyware_tool_keyword","mshta","executing from public folder","T1218.005 - T1059.003 - T1216","TA0002 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52410" "*mshta.exe* http://*",".{0,1000}mshta\.exe.{0,1000}\shttp\:\/\/.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52411" "*mshta.exe* https://*",".{0,1000}mshta\.exe.{0,1000}\shttps\:\/\/.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52412" "*mshta.exe* javascript:*script:https:*",".{0,1000}mshta\.exe.{0,1000}\sjavascript\:.{0,1000}script\:https\:.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52413" "*mshta.exe* 
vbscript:Close(Execute(*script:https://*.sct*",".{0,1000}mshta\.exe.{0,1000}\svbscript\:Close\(Execute\(.{0,1000}script\:https\:\/\/.{0,1000}\.sct.{0,1000}","greyware_tool_keyword","mshta","mshta abused by attackers","T1218.005 - T1105","TA0005 - TA0009","N/A","N/A","Defense Evasion","https://lolbas-project.github.io/lolbas/Binaries/Mshta/","1","0","N/A","FP risks","10","10","N/A","N/A","N/A","N/A","52414" "*mshta.exe*I am not a robot - reCAPTCHA Verification ID: *",".{0,1000}mshta\.exe.{0,1000}I\sam\snot\sa\srobot\s\-\sreCAPTCHA\sVerification\sID\:\s.{0,1000}","greyware_tool_keyword","mshta","Phishing with a fake reCAPTCHA","T1566.001 - T1204.002 - T1071.003","TA0001 - TA0002","Lumma Stealer","N/A","Phishing","https://github.com/JohnHammond/recaptcha-phish","1","0","N/A","N/A","10","6","534","104","2024-09-13T11:18:29Z","2024-09-13T07:00:40Z","52415" "*MsiExec.exe /qn /X{01423865-551B-4C59-B44A-CC604BC21AF3} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{01423865\-551B\-4C59\-B44A\-CC604BC21AF3\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52420" "*MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{1093B57D\-A613\-47F3\-90CF\-0FD5C5DCFFE6\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52421" "*MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{1FFD3F20\-5D24\-4C9A\-B9F6\-A207A53CF179\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall 
Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52422" "*MsiExec.exe /qn /X{2519A41E-5D7C-429B-B2DB-1E943927CB3D} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{2519A41E\-5D7C\-429B\-B2DB\-1E943927CB3D\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52423" "*MsiExec.exe /qn /X{2831282D-8519-4910-B339-2302840ABEF3} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{2831282D\-8519\-4910\-B339\-2302840ABEF3\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52424" "*MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{2C14E1A2\-C4EB\-466E\-8374\-81286D723D3A\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52425" "*MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{36333618\-1CE1\-4EF2\-8FFD\-7F17394891CE\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52426" 
"*MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{3B998572\-90A5\-4D61\-9022\-00B288DD755D\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52427" "*MsiExec.exe /qn /X{425063CE-9566-43B8-AC61-F8D182828634} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{425063CE\-9566\-43B8\-AC61\-F8D182828634\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52428" "*MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{4627F5A1\-E85A\-4394\-9DB3\-875DF83AF6C2\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52429" "*MsiExec.exe /qn /X{4BAF6F55-FFE4-4A3A-8367-CC2EBB0F11C3} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{4BAF6F55\-FFE4\-4A3A\-8367\-CC2EBB0F11C3\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52430" "*MsiExec.exe /qn /X{4EFCDD15-24A2-4D89-84A4-857D1BF68FA8} 
REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{4EFCDD15\-24A2\-4D89\-84A4\-857D1BF68FA8\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52431" "*MsiExec.exe /qn /X{604350BF-BE9A-4F79-B0EB-B1C22D889E2D} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{604350BF\-BE9A\-4F79\-B0EB\-B1C22D889E2D\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52432" "*MsiExec.exe /qn /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{6654537D\-935E\-41C0\-A18A\-C55C2BF77B7E\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52433" "*MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{66967E5F\-43E8\-4402\-87A4\-04685EE5C2CB\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52434" "*MsiExec.exe /qn /X{72E136F7-3751-422E-AC7A-1B2E46391909} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{72E136F7\-3751\-422E\-AC7A\-1B2E46391909\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos 
products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52435" "*MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{72E30858\-FC95\-4C87\-A697\-670081EBF065\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52436" "*MsiExec.exe /qn /X{77F92E90-ED4F-4CFF-8F60-3E3E4AEB705C} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{77F92E90\-ED4F\-4CFF\-8F60\-3E3E4AEB705C\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52437" "*MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{7CD26A0C\-9B59\-4E84\-B5EE\-B386B2F7AA16\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52438" "*MsiExec.exe /qn /X{80D18B7B-8DF1-4BCA-901F-BEC86BAE2774} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{80D18B7B\-8DF1\-4BCA\-901F\-BEC86BAE2774\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52439" "*MsiExec.exe 
/qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{8123193C\-9000\-4EEB\-B28A\-E74E779759FA\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52440" "*MsiExec.exe /qn /X{85F78DA7-8E8E-49C9-969F-A62D2B43C046} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{85F78DA7\-8E8E\-49C9\-969F\-A62D2B43C046\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52441" "*MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{934BEF80\-B9D1\-4A86\-8B42\-D8A6716A8D27\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52442" "*MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{9D1B8594\-5DD2\-4CDC\-A5BD\-98E7E9D75520\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52443" "*MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} 
REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{A1DC5EF8\-DD20\-45E8\-ABBD\-F529A24D477B\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52444" "*MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{A5CCEEF1\-B6A7\-4EB4\-A826\-267996A62A9E\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52445" "*MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{AFBCA1B9\-496C\-4AE6\-98AE\-3EA1CFF65C54\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52446" "*MsiExec.exe /qn /X{B9C2F07D-1137-4E3D-B22B-05144293EF42} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{B9C2F07D\-1137\-4E3D\-B22B\-05144293EF42\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52447" "*MsiExec.exe /qn /X{BA8752FE-75E5-43DD-9913-23509EFEB409} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{BA8752FE\-75E5\-43DD\-9913\-23509EFEB409\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos 
products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52448" "*MsiExec.exe /qn /X{BB36D9C2-6AE5-4AB2-BC91-ECD247092BD8} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{BB36D9C2\-6AE5\-4AB2\-BC91\-ECD247092BD8\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52449" "*MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{BCF53039\-A7FC\-4C79\-A3E3\-437AE28FD918\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52450" "*MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{CA3CE456\-B2D9\-4812\-8C69\-17D6980432EF\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52451" "*MsiExec.exe /qn /X{CA524364-D9C5-4804-92DE-2800BDAC1AA4} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{CA524364\-D9C5\-4804\-92DE\-2800BDAC1AA4\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52452" "*MsiExec.exe 
/qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{D29542AE\-287C\-42E4\-AB28\-3858E13C1A3E\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52453" "*MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{D5BC54B8\-1DA1\-44F4\-AE6F\-86E05CDB0B44\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52454" "*MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{D875F30C\-B469\-4998\-9A08\-FE145DD5DC1A\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52455" "*MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{DFDA2077\-95D0\-4C5F\-ACE7\-41DA16639255\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52456" "*MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} 
REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{DFFA9361\-3625\-4219\-82C2\-9EF011E433B1\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52457" "*MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{E44AF5E6\-7D11\-4BDF\-BEA8\-AA7AE5FE6745\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52458" "*MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress*",".{0,1000}MsiExec\.exe\s\/qn\s\/X\{E82DD0A8\-0E5C\-4D72\-8DDE\-41BB0FC06B3E\}\sREBOOT\=ReallySuppress.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52459" "*MsiExec.exe /X{1AC3C833-D493-460C-816F-D26F30F79DC3} /qn*",".{0,1000}MsiExec\.exe\s\/X\{1AC3C833\-D493\-460C\-816F\-D26F30F79DC3\}\s\/qn.{0,1000}","greyware_tool_keyword","msiexec","Uninstall Sophos products","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52460" "*msi-installs.swi-rc.com/*",".{0,1000}msi\-installs\.swi\-rc\.com\/.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52461" "*mv /var/log/*",".{0,1000}mv\s\/var\/log\/.{0,1000}","greyware_tool_keyword","mv","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","52521" "*MZCookiesView*cookies.sqlite*",".{0,1000}MZCookiesView.{0,1000}cookies\.sqlite.{0,1000}","greyware_tool_keyword","MozillaCookiesView","nirsoft utility that displays the details of all cookies stored inside the cookies file (cookies.txt or cookies.sqlite) - abused by threat actors","T1070 - T1552.001 - T1125 - T1005","TA0009 - TA0005","N/A","MuddyWater","Credential Access","https://www.nirsoft.net/utils/mzcv.html","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","52557" "*nabbmpekekjknlbkgpodfndbodhijjem*",".{0,1000}nabbmpekekjknlbkgpodfndbodhijjem.{0,1000}","greyware_tool_keyword","Earth VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","52572" "*name=""RustDesk Service""*",".{0,1000}name\=\""RustDesk\sService\"".{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","52583" "*namespace 
Quasar.Client*",".{0,1000}namespace\sQuasar\.Client.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#content","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","52614" "*namespace Quasar.Server*",".{0,1000}namespace\sQuasar\.Server.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#content","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","52615" "*namfblliamklmeodpcelkokjbffgmeoo*",".{0,1000}namfblliamklmeodpcelkokjbffgmeoo.{0,1000}","greyware_tool_keyword","Daily VPN","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","52626" "*nano /etc/ssh/sshd_config*",".{0,1000}nano\s\/etc\/ssh\/sshd_config.{0,1000}","greyware_tool_keyword","ssh","modification of the sshd configuration file - could be an attacker establishing persistence or a legitimate admin behavior","T1059.004 - T1078 - T1053","TA0005 - TA0003 - TA0006","N/A","N/A","Persistence","https://x.com/mthcht/status/1827714529687658796","1","0","#linux","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","52629" "*nbcojefnccbanplpoffopkoepjmhgdgh*",".{0,1000}nbcojefnccbanplpoffopkoepjmhgdgh.{0,1000}","greyware_tool_keyword","Hoxx VPN Proxy","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","52680" "*nbtscan *.*/24",".{0,1000}nbtscan\s.{0,1000}\..{0,1000}\/24","greyware_tool_keyword","nbtscan","Scan for Active Machines and Gather NetBIOS Information","T1135 - T1046","TA0007 - TA0009","N/A","Dagon Locker - Worok - APT39 - MUSTANG PANDA - Turla - APT15 - Calypso - Earth Lusca - GALLIUM - GOBLIN PANDA - LOTUS PANDA","Discovery","N/A","1","0","N/A","N/A","5","2","N/A","N/A","N/A","N/A","52689" "*nbtscan -r */24*",".{0,1000}nbtscan\s\-r\s.{0,1000}\/24.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation 
tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","52690" "*nbtscan -r */24*",".{0,1000}nbtscan\s\-r\s.{0,1000}\/24.{0,1000}","greyware_tool_keyword","nbtscan","smb enumeration","T1135 - T1046","TA0007 - TA0009","N/A","Dagon Locker - Worok - APT39 - MUSTANG PANDA - Turla - APT15 - Calypso - Earth Lusca - GALLIUM - GOBLIN PANDA - LOTUS PANDA","Discovery","https://github.com/charlesroelli/nbtscan","1","0","N/A","N/A","5","2","140","27","2016-05-26T20:16:52Z","2016-05-26T20:16:33Z","52691" "*nbtscan -s : *",".{0,1000}nbtscan\s\-s\s\:\s.{0,1000}","greyware_tool_keyword","nbtscan","Identify Potential Points for Man-in-the-Middle Attacks","T1135 - T1046","TA0007 - TA0009","N/A","Dagon Locker - Worok - APT39 - MUSTANG PANDA - Turla - APT15 - Calypso - Earth Lusca - GALLIUM - GOBLIN PANDA - LOTUS PANDA","Discovery","N/A","1","0","N/A","N/A","5","2","N/A","N/A","N/A","N/A","52692" "*nbtstat -n*",".{0,1000}nbtstat\s\-n.{0,1000}","greyware_tool_keyword","nbtstat","Displays the NetBIOS name table of the local computer. 
The status of registered indicates that the name is registered either by broadcast or with a WINS server.","T1049 - T1018 - T1046 - T1016 - T1049","TA0007 - TA0009","N/A","Turla","Discovery","https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat","1","0","N/A","N/A","4","10","N/A","N/A","N/A","N/A","52693" "*nc * -e /bin/bash*",".{0,1000}nc\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}","greyware_tool_keyword","netcat","netcat shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","52695" "*nc -l -p * -e *.bat*",".{0,1000}nc\s\-l\s\-p\s.{0,1000}\s\-e\s.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","nc","Netcat Relay on windows - create a relay that sends packets from the local port to a netcat client connected to the target ip on the targeted port","T1090.001 - T1021.001","TA0011 - TA0040","N/A","Calypso - GALLIUM","Data Exfiltration","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/NetcatCheatSheet.pdf","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","52699" "*nc -l -p * -e /bin/bash*",".{0,1000}nc\s\-l\s\-p\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}","greyware_tool_keyword","nc","Netcat Backdoor on Linux - create a relay that sends packets from the local port to a netcat client connected to the target ip on the targeted port","T1090.001 - T1021.001","TA0011 - TA0040","N/A","Calypso - GALLIUM","Data Exfiltration","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/NetcatCheatSheet.pdf","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","52700" "*nc -l -p * -e 
cmd.exe*",".{0,1000}nc\s\-l\s\-p\s.{0,1000}\s\-e\scmd\.exe.{0,1000}","greyware_tool_keyword","nc","Netcat Backdoor on Windows - create a relay that sends packets from the local port to a netcat client connecte to the target ip on the targeted port","T1090.001 - T1021.001","TA0011 - TA0040","N/A","Calypso - GALLIUM","Data Exfiltration","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/NetcatCheatSheet.pdf","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","52701" "*nc -N nopaste.net *",".{0,1000}nc\s\-N\snopaste\.net\s.{0,1000}","greyware_tool_keyword","nopaste.net","nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration","T1567.002 - T1036.005 - T1102 - T1071.001","TA0005 - TA0009 - TA0010","N/A","N/A","Data Exfiltration","https://www.shellhub.io/","1","0","#Pastebinlike #filehostingservice #linux","N/A","8","10","N/A","N/A","N/A","N/A","52702" "*nc -u -lvp *",".{0,1000}nc\s\-u\s\-lvp\s.{0,1000}","greyware_tool_keyword","netcat","netcat shell listener","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","N/A","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","52704" "*nc -v -n -z -w1 *-*",".{0,1000}nc\s\-v\s\-n\s\-z\s\-w1\s.{0,1000}\-.{0,1000}","greyware_tool_keyword","nc","Port scanner with netcat","T1046","TA0007","N/A","Calypso - GALLIUM","Discovery","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/NetcatCheatSheet.pdf","1","0","N/A","N/A","7","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","52705" "*nc -z -v * *",".{0,1000}nc\s\-z\s\-v\s.{0,1000}\s.{0,1000}","greyware_tool_keyword","nc","netcat 
common arguments","T1090.001 - T1021.001","TA0011 - TA0040","N/A","Calypso - GALLIUM","C2","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","52708" "*nc.exe * -e cmd.exe"" /sc ONCE *",".{0,1000}nc\.exe\s.{0,1000}\s\-e\scmd\.exe\""\s\/sc\sONCE\s.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52709" "*nc.exe -e \windows\system32\cmd.exe * start= auto*",".{0,1000}nc\.exe\s\-e\s\\windows\\system32\\cmd\.exe\s.{0,1000}\sstart\=\sauto.{0,1000}","greyware_tool_keyword","nc","backdoor with netcat - used by the Ransomware group Dispossessor","T1547.001 - T1059.003 - T1105","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52711" "*ncat * -e /bin/bash*",".{0,1000}ncat\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}","greyware_tool_keyword","netcat","ncat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","52719" "*ncat * -p 4444*",".{0,1000}ncat\s.{0,1000}\s\-p\s4444.{0,1000}","greyware_tool_keyword","ncat","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0011","N/A","Calypso - GALLIUM","C2","N/A","1","0","#linux","greyware_tools high risks of false 
positives","N/A","N/A","N/A","N/A","N/A","N/A","52720" "*ncat --udp * -e /bin/bash*",".{0,1000}ncat\s\-\-udp\s.{0,1000}\s\-e\s\/bin\/bash.{0,1000}","greyware_tool_keyword","netcat","ncat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","52721" "*neo4j console*",".{0,1000}neo4j\sconsole.{0,1000}","greyware_tool_keyword","BloodHound","The neo4j console command is used to start the Neo4j server in console mode. While it is not directly associated with a specific attack technique - it is often used in combination with tools like BloodHound to analyze and visualize data collected from Active Directory environments.","T1482 - T1087 - T1069 - T1018","TA0007 - TA0008 - TA0004","N/A","APT29 - MAZE - LockBit - Conti - XingLocker - Revil - Hive - Black Basta - Wizard Spider - TA2101 - TRAVELING SPIDER - Chimera - TA505 - APT20 - COZY BEAR - EMBER BEAR - Dispossessor","Discovery","https://github.com/fox-it/BloodHound.py","1","0","N/A","greyware tool - risks of False positive !","10","10","2088","343","2025-03-28T11:19:13Z","2018-02-26T14:44:20Z","52752" "*neo4j start*",".{0,1000}neo4j\sstart.{0,1000}","greyware_tool_keyword","Neo4j","Neo4j queries - Computers AllowedToDelegate to other computers","T1210.002 - T1078.003 - T1046","TA0001 - TA0007 - TA0040","N/A","N/A","Reconnaissance","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","52753" "*NeoGeorg says, 'All seems fine'*",".{0,1000}NeoGeorg\ssays,\s\'All\sseems\sfine\'.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor 
reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","52755" "*neoreg.py generate*",".{0,1000}neoreg\.py\sgenerate.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","52756" "*neoreg.py -k * -u http*.php*",".{0,1000}neoreg\.py\s\-k\s.{0,1000}\s\-u\shttp.{0,1000}\.php.{0,1000}","greyware_tool_keyword","Neo-reGeorg","Neo-reGeorg is a project that seeks to aggressively refactor reGeorg","T1090 - T1095 - T1572","TA0003 - TA0011 - TA0005 - TA0010","N/A","IRIDIUM","Data Exfiltration","https://github.com/L-codes/Neo-reGeorg","1","0","N/A","N/A","10","10","3049","455","2025-02-18T07:26:54Z","2019-07-08T14:25:42Z","52757" "*net group ""domain admins"" /domain*",".{0,1000}net\s\sgroup\s\""domain\sadmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52769" "*net group ""Domain Computers"" /domain*",".{0,1000}net\s\sgroup\s\""Domain\sComputers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - 
TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52770" "*net group ""domain computers"" /domain*",".{0,1000}net\s\sgroup\s\""domain\scomputers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52771" "*net group ""enterprise admins"" /domain*",".{0,1000}net\s\sgroup\s\""enterprise\sadmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52772" "*net group ""ESX Admins"" /domain /add*",".{0,1000}net\s\sgroup\s\""ESX\sAdmins\""\s\/domain\s\/add.{0,1000}","greyware_tool_keyword","net","potential CVE-2024-37085 exploitation","T1098","TA0003 - 
TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Privilege Escalation","https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52773" "*net group ""ESX Admins""*",".{0,1000}net\s\sgroup\s\""ESX\sAdmins\"".{0,1000}","greyware_tool_keyword","net","potential CVE-2024-37085 exploitation","T1098","TA0003 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Privilege Escalation","https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52774" "*net user admin P@ssw0rd!*",".{0,1000}net\s\suser\sadmin\sP\@ssw0rd!.{0,1000}","greyware_tool_keyword","net","potential CVE-2024-37085 exploitation","T1098","TA0003 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Privilege 
Escalation","https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52775" "*net .exe* group ""ESX Admins""*",".{0,1000}net\s\.exe.{0,1000}\sgroup\s\""ESX\sAdmins\"".{0,1000}","greyware_tool_keyword","net","potential CVE-2024-37085 exploitation","T1098","TA0003 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER - Black Basta","Privilege Escalation","https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52776" "*net accounts /maxpwage:unlimited*",".{0,1000}net\saccounts\s\/maxpwage\:unlimited.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52777" "*net group ""Admins. 
del dominio"" /domain*",".{0,1000}net\sgroup\s\""Admins\.\sdel\sdominio\""\s\/domain.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group and many others","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor - Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52779" "*net group ""Dom*nen-Admins"" /domain*",".{0,1000}net\sgroup\s\""Dom.{0,1000}nen\-Admins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group and many others","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor - Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52780" "*net group ""Domain Administrateurs"" /domain*",".{0,1000}net\sgroup\s\""Domain\sAdministrateurs\""\s\/domain.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group and many others","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor - Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - 
Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52781" "*net group ""Domain Admins"" /domain*",".{0,1000}net\sgroup\s\""Domain\sAdmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group and many others","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor - Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52782" "*net group ""Domain Admins"" /domain*",".{0,1000}net\sgroup\s\""Domain\sAdmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52783" "*net group ""Domain Admins"" support /add*",".{0,1000}net\sgroup\s\""Domain\sAdmins\""\ssupport\s\/add.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52784" "*net group ""domain 
computers"" /domain*",".{0,1000}net\sgroup\s\""domain\scomputers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","List PCs connected to the domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://github.com/alperenugurlu/AD_Enumeration_Hunt/blob/alperen_ugurlu_hack/AD_Enumeration_Hunt.ps1","1","0","N/A","N/A","6","1","93","18","2023-08-05T06:10:26Z","2023-08-05T05:16:57Z","52785" "*net group ""Enterprise admins"" /domain*",".{0,1000}net\sgroup\s\""Enterprise\sadmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group and many others","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor - Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52786" "*net group ""SQL Admins"" /domain*",".{0,1000}net\sgroup\s\""SQL\sAdmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Enumerate SQL Admin group membership on the domain","T1087","TA0008 - TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52787" "*net group *Account Operators* /domain*",".{0,1000}net\sgroup\s.{0,1000}Account\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - 
TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52788" "*net group *Backup Operators* /domain*",".{0,1000}net\sgroup\s.{0,1000}Backup\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52789" "*net group *Domain Computers* /domain*",".{0,1000}net\sgroup\s.{0,1000}Domain\sComputers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52791" "*net group *Domain Controllers* /domain*",".{0,1000}net\sgroup\s.{0,1000}Domain\sControllers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - 
Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52792" "*net group *Domain Controllers*/domain*",".{0,1000}net\sgroup\s.{0,1000}Domain\sControllers.{0,1000}\/domain.{0,1000}","greyware_tool_keyword","net","Query Domain Controllers Computers in the current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","52793" "*net group *Enterprise Admins* /domain*",".{0,1000}net\sgroup\s.{0,1000}Enterprise\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52795" "*net group *Exchange Trusted Subsystem* /domain*",".{0,1000}net\sgroup\s.{0,1000}Exchange\sTrusted\sSubsystem.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the 
network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52796" "*net group *Microsoft Exchange Servers* /domain*",".{0,1000}net\sgroup\s.{0,1000}Microsoft\sExchange\sServers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52797" "*net group *Print Operators* /domain*",".{0,1000}net\sgroup\s.{0,1000}Print\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52798" "*net group *Schema Admins* /domain*",".{0,1000}net\sgroup\s.{0,1000}Schema\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - 
TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52799" "*net group *Server Operators* /domain*",".{0,1000}net\sgroup\s.{0,1000}Server\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","N/A","10","N/A","N/A","N/A","N/A","52800" "*net group /domain *Domain Admins*",".{0,1000}net\sgroup\s\/domain\s.{0,1000}Domain\sAdmins.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","52802" "*net group administrators /domain*",".{0,1000}net\sgroup\sadministrators\s\/domain.{0,1000}","greyware_tool_keyword","net","showing users in a privileged group. 
","T1069 - T1003","TA0007 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","52803" "*net group Admins. del dominio /domain*",".{0,1000}net\sgroup\sAdmins\.\sdel\sdominio\s\/domain.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group and many others","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor - Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52804" "*net localgroup ""Cert Publishers"" /domain*",".{0,1000}net\slocalgroup\s\""Cert\sPublishers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52807" "*net localgroup ""Remote Desktop Users"" * /add*",".{0,1000}net\slocalgroup\s\""Remote\sDesktop\sUsers\""\s.{0,1000}\s\/add.{0,1000}","greyware_tool_keyword","net","Adds a user account to the local Remote","T1035 - T1078 - T1087","TA0003 ","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat 
Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52808" "*net localgroup *Backup Operators*",".{0,1000}net\slocalgroup\s.{0,1000}Backup\sOperators.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52810" "*net localgroup \""Remote Desktop Users\"" Support /add*",".{0,1000}net\slocalgroup\s\\\""Remote\sDesktop\sUsers\\\""\sSupport\s\/add.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52811" "*net localgroup admin*",".{0,1000}net\slocalgroup\sadmin.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE 
BUTLER","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52812" "*net localgroup Administrators support /add*",".{0,1000}net\slocalgroup\sAdministrators\ssupport\s\/add.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52820" "*net localgroup Administrators Support /add*",".{0,1000}net\slocalgroup\sAdministrators\sSupport\s\/add.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52821" "*net rpc group addmem 'Domain admins' *",".{0,1000}net\srpc\sgroup\saddmem\s\'Domain\sadmins\'\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","52824" "*net rpc group members 'Domain admins' -U *",".{0,1000}net\srpc\sgroup\smembers\s\'Domain\sadmins\'\s\-U\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","52825" "*net rpc group members 
'Domain Users' -W *",".{0,1000}net\srpc\sgroup\smembers\s\'Domain\sUsers\'\s\-W\s.{0,1000}","greyware_tool_keyword","samba","The net command is one of the new features of Samba-3 and is an attempt to provide a useful tool for the majority of remote management operations necessary for common tasks. It is used by attackers to find users list","T1087.002 - T1003.002","TA0007 - TA0006","N/A","N/A","Reconnaissance","https://www.samba.org/samba/docs/old/Samba3-HOWTO/NetCommand.html","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","52826" "*net share c=c:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sc\=c\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52827" "*net share d=d:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sd\=d\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral 
Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52828" "*net share e=e:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\se\=e\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52829" "*net share e=e:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\se\=e\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52830" "*net share f=f:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sf\=f\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 
- OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52831" "*net share g=g:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sg\=g\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52832" "*net share h=h:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sh\=h\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52833" "*net share i=i:\ 
/GRANT:Everyone,FULL*",".{0,1000}net\sshare\si\=i\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52834" "*net share j=j:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sj\=j\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52835" "*net share k=k:\ /GRANT:Everyone,FULL*",".{0,1000}net\sshare\sk\=k\:\\\s\/GRANT\:Everyone,FULL.{0,1000}","greyware_tool_keyword","net","create shared folders for various drive letters","T1105 - T1543","TA0003 - TA0008 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider 
- Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Lateral Movement","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52836" "*net start RPCPerformanceService*",".{0,1000}net\sstart\sRPCPerformanceService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52837" "*net start ssh-agent*",".{0,1000}net\sstart\sssh\-agent.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","N/A","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","52838" "*net stop "".NET Runtime Optimization Service""*",".{0,1000}net\sstop\s\""\.NET\sRuntime\sOptimization\sService\"".{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52840" "*net stop ""IBM Domino Diagnostics (CProgramFilesIBMDomino)""*",".{0,1000}net\sstop\s\""IBM\sDomino\sDiagnostics\s\(CProgramFilesIBMDomino\)\"".{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - 
APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52841" "*net stop ""IBM Domino Server (CProgramFilesIBMDominodata)""*",".{0,1000}net\sstop\s\""IBM\sDomino\sServer\s\(CProgramFilesIBMDominodata\)\"".{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52842" "*net stop ""SAVAdminService""*",".{0,1000}net\sstop\s\""SAVAdminService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52843" "*net stop ""SAVService""*",".{0,1000}net\sstop\s\""SAVService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52844" "*net stop ""SAVService""*",".{0,1000}net\sstop\s\""SAVService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52845" 
"*net stop ""Simply Accounting Database Connection Manager""*",".{0,1000}net\sstop\s\""Simply\sAccounting\sDatabase\sConnection\sManager\"".{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52846" "*net stop ""SntpService""*",".{0,1000}net\sstop\s\""SntpService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52847" "*net stop ""Sophos *",".{0,1000}net\sstop\s\""Sophos\s.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52848" "*net stop ""Sophos Agent""*",".{0,1000}net\sstop\s\""Sophos\sAgent\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - 
TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52849" "*net stop ""Sophos Anti-Virus""*",".{0,1000}net\sstop\s\""Sophos\sAnti\-Virus\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52850" "*net stop ""Sophos AutoUpdate Service""*",".{0,1000}net\sstop\s\""Sophos\sAutoUpdate\sService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52851" "*net stop ""Sophos AutoUpdate Service""*",".{0,1000}net\sstop\s\""Sophos\sAutoUpdate\sService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52852" "*net stop ""Sophos Endpoint Defense Service""*",".{0,1000}net\sstop\s\""Sophos\sEndpoint\sDefense\sService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52853" "*net stop ""Sophos Message Router""*",".{0,1000}net\sstop\s\""Sophos\sMessage\sRouter\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52854" "*net stop ""Sophos System Protection 
Service""*",".{0,1000}net\sstop\s\""Sophos\sSystem\sProtection\sService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52855" "*net stop ""Sophos Web Control Service""*",".{0,1000}net\sstop\s\""Sophos\sWeb\sControl\sService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52856" "*net stop ""Sophos Web Control Service""*",".{0,1000}net\sstop\s\""Sophos\sWeb\sControl\sService\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52857" "*net stop ""SQL Backups""*",".{0,1000}net\sstop\s\""SQL\sBackups\"".{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52858" "*net stop ""SQLsafe Backup Service""*",".{0,1000}net\sstop\s\""SQLsafe\sBackup\sService\"".{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - 
TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52859" "*net stop ""storagecraft imagemanager*""",".{0,1000}net\sstop\s\""storagecraft\simagemanager.{0,1000}\""","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52860" "*net stop ""swi_service""*",".{0,1000}net\sstop\s\""swi_service\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52861" "*net stop ""swi_update""*",".{0,1000}net\sstop\s\""swi_update\"".{0,1000}","greyware_tool_keyword","net","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense 
Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52862" "*net stop ""Symantec System Recovery""*",".{0,1000}net\sstop\s\""Symantec\sSystem\sRecovery\"".{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52863" "*net stop ""Veeam Backup Catalog Data Service""*",".{0,1000}net\sstop\s\""Veeam\sBackup\sCatalog\sData\sService\"".{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52864" "*net stop ""Zoolz 2 Service""*",".{0,1000}net\sstop\s\""Zoolz\s2\sService\"".{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat 
Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52865" "*net stop acronisagent*",".{0,1000}net\sstop\sacronisagent.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52867" "*net stop AcronisAgent*",".{0,1000}net\sstop\sAcronisAgent.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52868" "*net stop 
acrsch2svc*",".{0,1000}net\sstop\sacrsch2svc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52869" "*net stop AcrSch2Svc*",".{0,1000}net\sstop\sAcrSch2Svc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52870" "*net stop agntsvc*",".{0,1000}net\sstop\sagntsvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52871" "*net stop Antivirus*",".{0,1000}net\sstop\sAntivirus.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52872" "*net stop ARSM /y*",".{0,1000}net\sstop\sARSM\s\/y.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52873" "*net stop arsm*",".{0,1000}net\sstop\sarsm.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang 
- Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52874" "*net stop AVP*",".{0,1000}net\sstop\sAVP.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52875" "*net stop backp*",".{0,1000}net\sstop\sbackp.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52876" "*net stop backup*",".{0,1000}net\sstop\sbackup.{0,1000}","greyware_tool_keyword","net","stopping backup 
services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52877" "*net stop BackupExec*",".{0,1000}net\sstop\sBackupExec.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52878" "*net stop BackupExecAgent*",".{0,1000}net\sstop\sBackupExecAgent.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52879" "*net stop badrv*",".{0,1000}net\sstop\sbadrv.{0,1000}","greyware_tool_keyword","net","Wannacry Ransomware & NOODLERAT behavior","T1486 - T1490","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Malware","https://www.virustotal.com/gui/file/cde4ca499282045eecd4fc15ac80a232294556a59b3c8c8a7a593e8333cfd3c7/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52881" "*net stop bedbg /y*",".{0,1000}net\sstop\sbedbg\s\/y.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52882" "*net stop cbservi*",".{0,1000}net\sstop\scbservi.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - 
admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52883" "*net stop cbvscserv*",".{0,1000}net\sstop\scbvscserv.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52884" "*net stop DCAgent*",".{0,1000}net\sstop\sDCAgent.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52885" "*net stop dnscache*",".{0,1000}net\sstop\sdnscache.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active 
logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52886" "*net stop DPS*",".{0,1000}net\sstop\sDPS.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52887" "*net stop EhttpSrv*",".{0,1000}net\sstop\sEhttpSrv.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52888" "*net stop ekrn*",".{0,1000}net\sstop\sekrn.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52889" "*net stop EPSecurityService*",".{0,1000}net\sstop\sEPSecurityService.{0,1000}\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52890" "*net stop EPUpdateService*",".{0,1000}net\sstop\sEPUpdateService.{0,1000}\s\s\s\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52891" "*net stop EsgShKernel*",".{0,1000}net\sstop\sEsgShKernel.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig 
- Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52892" "*net stop ESHASRV*",".{0,1000}net\sstop\sESHASRV.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52893" "*net stop FA_Scheduler*",".{0,1000}net\sstop\sFA_Scheduler.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52894" "*net stop 
firebirdguardiandefaultinstance*",".{0,1000}net\sstop\sfirebirdguardiandefaultinstance.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52895" "*net stop gupdatem*",".{0,1000}net\sstop\sgupdatem.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52896" "*net stop ibmiasrw*",".{0,1000}net\sstop\sibmiasrw.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52897" "*net stop IISADMIN*",".{0,1000}net\sstop\sIISADMIN.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep 
Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52898" "*net stop IISADMIN*",".{0,1000}net\sstop\sIISADMIN.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52899" "*net stop IMAP4Svc*",".{0,1000}net\sstop\sIMAP4Svc.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52901" "*net stop KAVFS*",".{0,1000}net\sstop\sKAVFS.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - 
T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52902" "*net stop KAVFSGT*",".{0,1000}net\sstop\sKAVFSGT.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52903" "*net stop kavfsslp*",".{0,1000}net\sstop\skavfsslp.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52904" "*net stop klnagent*",".{0,1000}net\sstop\sklnagent.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52905" "*net stop macmnsvc*",".{0,1000}net\sstop\smacmnsvc.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52906" "*net stop masvc*",".{0,1000}net\sstop\smasvc.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - 
Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52907" "*net stop MBAMService*",".{0,1000}net\sstop\sMBAMService.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52908" "*net stop MBEndpointAgent*",".{0,1000}net\sstop\sMBEndpointAgent.{0,1000}\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52909" "*net stop 
McAfeeEngineService*",".{0,1000}net\sstop\sMcAfeeEngineService.{0,1000}\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52910" "*net stop McAfeeFramework*",".{0,1000}net\sstop\sMcAfeeFramework.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52911" "*net stop McAfeeFrameworkMcAfeeFramework*",".{0,1000}net\sstop\sMcAfeeFrameworkMcAfeeFramework.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - 
APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52912" "*net stop McShield*",".{0,1000}net\sstop\sMcShield.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52913" "*net stop mfefire*",".{0,1000}net\sstop\smfefire.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52914" "*net stop mfemms*",".{0,1000}net\sstop\smfemms.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 
- APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52915" "*net stop mfevtp*",".{0,1000}net\sstop\smfevtp.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52916" "*net stop mozyprobackup*",".{0,1000}net\sstop\smozyprobackup.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52917" "*net stop 
mr2kserv*",".{0,1000}net\sstop\smr2kserv.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52918" "*net stop MsDtsServer*",".{0,1000}net\sstop\sMsDtsServer.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52919" "*net stop MsDtsServer100*",".{0,1000}net\sstop\sMsDtsServer100.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52920" "*net stop MsDtsServer110*",".{0,1000}net\sstop\sMsDtsServer110.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52921" "*net stop MSExchangeADTopology*",".{0,1000}net\sstop\sMSExchangeADTopology.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52922" "*net stop MSExchangeFBA*",".{0,1000}net\sstop\sMSExchangeFBA.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - 
admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52923" "*net stop MSExchangeIS*",".{0,1000}net\sstop\sMSExchangeIS.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52924" "*net stop MSExchangeSA*",".{0,1000}net\sstop\sMSExchangeSA.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52925" "*net stop MSExchangeUM*",".{0,1000}net\sstop\sMSExchangeUM.{0,1000}","greyware_tool_keyword","net","stop running processes associated with Exchange","T1489","TA0040","N/A","LockBit","Defense 
Evasion","https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","52926" "*net stop msftesql$PROD*",".{0,1000}net\sstop\smsftesql\$PROD.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52927" "*net stop msiserver*",".{0,1000}net\sstop\smsiserver.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52928" "*net stop MSOLAP$SQL_2008*",".{0,1000}net\sstop\sMSOLAP\$SQL_2008.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52929" "*net stop MSOLAP$SYSTEM_BGC*",".{0,1000}net\sstop\sMSOLAP\$SYSTEM_BGC.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52930" "*net stop MSOLAP$TPS*",".{0,1000}net\sstop\sMSOLAP\$TPS.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52931" "*net stop MSOLAP$TPSAMA*",".{0,1000}net\sstop\sMSOLAP\$TPSAMA.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat 
Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52932" "*net stop MSSQL$BKUPEXEC*",".{0,1000}net\sstop\sMSSQL\$BKUPEXEC.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52933" "*net stop MSSQL$CONTOSO1*",".{0,1000}net\sstop\sMSSQL\$CONTOSO1.{0,1000}","greyware_tool_keyword","net","VoidCrypt ransomware","T1486 - T1490","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Ransomware","https://github.com/rivitna/Malware","1","0","#content","N/A","10","4","357","52","2025-04-22T10:00:56Z","2021-07-28T21:00:52Z","52934" "*net stop MSSQL$ECWDB2*",".{0,1000}net\sstop\sMSSQL\$ECWDB2.{0,1000}","greyware_tool_keyword","net","stopping backup 
services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52935" "*net stop MSSQL$ISARS*",".{0,1000}net\sstop\sMSSQL\$ISARS.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52936" "*net stop MSSQL$MSFW*",".{0,1000}net\sstop\sMSSQL\$MSFW.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52937" "*net stop 
MSSQL$PRACTICEMGT*",".{0,1000}net\sstop\sMSSQL\$PRACTICEMGT.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52938" "*net stop MSSQL$PRACTTICEBGC*",".{0,1000}net\sstop\sMSSQL\$PRACTTICEBGC.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52939" "*net stop MSSQL$PROD*",".{0,1000}net\sstop\sMSSQL\$PROD.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE 
BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52940" "*net stop MSSQL$PROFXENGAGEMENT*",".{0,1000}net\sstop\sMSSQL\$PROFXENGAGEMENT.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52941" "*net stop MSSQL$SBSMONITORING*",".{0,1000}net\sstop\sMSSQL\$SBSMONITORING.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52942" "*net stop MSSQL$SHAREPOINT*",".{0,1000}net\sstop\sMSSQL\$SHAREPOINT.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep 
Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52943" "*net stop MSSQL$SOPHOS*",".{0,1000}net\sstop\sMSSQL\$SOPHOS.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52944" "*net stop MSSQL$SQL_2008*",".{0,1000}net\sstop\sMSSQL\$SQL_2008.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52945" "*net stop MSSQL$SQLEXPRESS*",".{0,1000}net\sstop\sMSSQL\$SQLEXPRESS.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52946" "*net stop MSSQL$SYSTEM_BGC*",".{0,1000}net\sstop\sMSSQL\$SYSTEM_BGC.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52947" "*net stop MSSQL$TPS*",".{0,1000}net\sstop\sMSSQL\$TPS.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat 
Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52948" "*net stop MSSQL$TPSAMA*",".{0,1000}net\sstop\sMSSQL\$TPSAMA.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52949" "*net stop MSSQL$VEEAMSQL*",".{0,1000}net\sstop\sMSSQL\$VEEAMSQL.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52950" "*net stop 
MSSQL$VEEAMSQL*",".{0,1000}net\sstop\sMSSQL\$VEEAMSQL.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52951" "*net stop MSSQLServerADHelper100*",".{0,1000}net\sstop\sMSSQLServerADHelper100.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52952" "*net stop MSSQLServerADHelper100*",".{0,1000}net\sstop\sMSSQLServerADHelper100.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52953" "*net stop OfficeClickToRun*",".{0,1000}net\sstop\sOfficeClickToRun.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52954" "*net stop PcaSvc*",".{0,1000}net\sstop\sPcaSvc.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52955" "*net stop QBCFMonitorService*",".{0,1000}net\sstop\sQBCFMonitorService.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52956" "*net stop QBPOSDBServiceV12*",".{0,1000}net\sstop\sQBPOSDBServiceV12.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat 
Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52957" "*net stop QBVSS*",".{0,1000}net\sstop\sQBVSS.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52958" "*net stop QuickBooksDB1*",".{0,1000}net\sstop\sQuickBooksDB1.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52959" "*net stop QuickBooksDB2*",".{0,1000}net\sstop\sQuickBooksDB2.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat 
Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52960" "*net stop QuickBooksDB3*",".{0,1000}net\sstop\sQuickBooksDB3.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52961" "*net stop QuickBooksDB4*",".{0,1000}net\sstop\sQuickBooksDB4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52962" "*net stop QuickBooksDB5*",".{0,1000}net\sstop\sQuickBooksDB5.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep 
Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52963" "*net stop ReportServer$ISARS*",".{0,1000}net\sstop\sReportServer\$ISARS.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52964" "*net stop sacsvr*",".{0,1000}net\sstop\ssacsvr.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52965" "*net stop SAVAdminService*",".{0,1000}net\sstop\sSAVAdminService.{0,1000}","greyware_tool_keyword","net","stopping AV 
services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52966" "*net stop SAVService*",".{0,1000}net\sstop\sSAVService.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52967" "*net stop sedsvc*",".{0,1000}net\sstop\ssedsvc.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52968" "*net stop shadowprotectsvc*",".{0,1000}net\sstop\sshadowprotectsvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon 
- Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52969" "*net stop ShadowProtectSvc*",".{0,1000}net\sstop\sShadowProtectSvc.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52970" "*net stop sharedaccess*",".{0,1000}net\sstop\ssharedaccess.{0,1000}","greyware_tool_keyword","net","stopping shared access","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","52971" "*net stop ShMonitor*",".{0,1000}net\sstop\sShMonitor.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon 
- Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52972" "*net stop Smcinst*",".{0,1000}net\sstop\sSmcinst.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52973" "*net stop SmcService*",".{0,1000}net\sstop\sSmcService.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52974" "*net stop sms_site_sql_backup*",".{0,1000}net\sstop\ssms_site_sql_backup.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52975" "*net stop SntpService*",".{0,1000}net\sstop\sSntpService.{0,1000}\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52976" "*net stop sophossps*",".{0,1000}net\sstop\ssophossps.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat 
Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52977" "*net stop SPAdminV4*",".{0,1000}net\sstop\sSPAdminV4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52978" "*net stop sppsvc*",".{0,1000}net\sstop\ssppsvc.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52979" "*net stop SPSearch4*",".{0,1000}net\sstop\sSPSearch4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard 
Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52980" "*net stop SPTimerV4*",".{0,1000}net\sstop\sSPTimerV4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52981" "*net stop SPTraceV4*",".{0,1000}net\sstop\sSPTraceV4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52982" "*net stop SPUserCodeV4*",".{0,1000}net\sstop\sSPUserCodeV4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider 
- Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52983" "*net stop SPWriterV4*",".{0,1000}net\sstop\sSPWriterV4.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52984" "*net stop spxservice*",".{0,1000}net\sstop\sspxservice.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52985" "*net stop sqbcoreservice*",".{0,1000}net\sstop\ssqbcoreservice.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - 
Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52986" "*net stop SQLAgent$ISARS*",".{0,1000}net\sstop\sSQLAgent\$ISARS.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52987" "*net stop SQLAgent$MSFW*",".{0,1000}net\sstop\sSQLAgent\$MSFW.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52988" "*net stop SQLAgent$SOPH",".{0,1000}net\sstop\sSQLAgent\$SOPH","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig 
- Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52989" "*net stop SQLAgent$VEEAMSQL*",".{0,1000}net\sstop\sSQLAgent\$VEEAMSQL.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52990" "*net stop SQLAgent$VEEAMSQL*",".{0,1000}net\sstop\sSQLAgent\$VEEAMSQL.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52991" "*net stop SQLBrowser*",".{0,1000}net\sstop\sSQLBrowser.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52992" "*net stop SQLWriter*",".{0,1000}net\sstop\sSQLWriter.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","52993" "*net stop stc_endpt_svc*",".{0,1000}net\sstop\sstc_endpt_svc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider 
- Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52994" "*net stop stop SepMasterService*",".{0,1000}net\sstop\sstop\sSepMasterService.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52995" "*net stop svcGenericHost*",".{0,1000}net\sstop\ssvcGenericHost.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52996" "*net stop swi_filter*",".{0,1000}net\sstop\sswi_filter.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - 
APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52997" "*net stop swi_service*",".{0,1000}net\sstop\sswi_service.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52998" "*net stop swi_update*",".{0,1000}net\sstop\sswi_update.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","52999" "*net stop swi_update_64*",".{0,1000}net\sstop\sswi_update_64.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53000" "*net stop SysMain*",".{0,1000}net\sstop\sSysMain.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53001" "*net stop tacticalrmm*",".{0,1000}net\sstop\stacticalrmm.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","53002" "*net stop TmCCSF*",".{0,1000}net\sstop\sTmCCSF.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - 
TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53003" "*net stop tmlisten*",".{0,1000}net\sstop\stmlisten.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53004" "*net stop TrueKey*",".{0,1000}net\sstop\sTrueKey.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53005" "*net stop TrueKeyScheduler*",".{0,1000}net\sstop\sTrueKeyScheduler.{0,1000}\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53006" "*net stop TrueKeyServiceHel",".{0,1000}net\sstop\sTrueKeyServiceHel","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53007" "*net stop TrustedInstaller*",".{0,1000}net\sstop\sTrustedInstaller.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and 
older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53008" "*net stop vapiendpoint*",".{0,1000}net\sstop\svapiendpoint.{0,1000}\s\s\s\s\s\s\s","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53009" "*net stop VeeamBackupSvc*",".{0,1000}net\sstop\sVeeamBackupSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53010" "*net stop VeeamBrokerSvc *",".{0,1000}net\sstop\sVeeamBrokerSvc\s.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - 
OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53011" "*net stop VeeamCatalogSvc*",".{0,1000}net\sstop\sVeeamCatalogSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53012" "*net stop VeeamCloudSvc*",".{0,1000}net\sstop\sVeeamCloudSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53013" 
"*net stop VeeamDeploymentService*",".{0,1000}net\sstop\sVeeamDeploymentService.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53014" "*net stop VeeamDeploySvc*",".{0,1000}net\sstop\sVeeamDeploySvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53015" "*net stop VeeamDeploySvc*",".{0,1000}net\sstop\sVeeamDeploySvc.{0,1000}\s\s\s\s","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 
- Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53016" "*net stop VeeamEnterpriseManagerSvc*",".{0,1000}net\sstop\sVeeamEnterpriseManagerSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53017" "*net stop VeeamHvIntegrationSvc*",".{0,1000}net\sstop\sVeeamHvIntegrationSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53018" "*net stop VeeamMountSvc*",".{0,1000}net\sstop\sVeeamMountSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound 
- APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53019" "*net stop VeeamNFSSvc*",".{0,1000}net\sstop\sVeeamNFSSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53020" "*net stop VeeamRESTSvc*",".{0,1000}net\sstop\sVeeamRESTSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53021" "*net stop VeeamTransportSvc*",".{0,1000}net\sstop\sVeeamTransportSvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53022" "*net stop vsnapvss*",".{0,1000}net\sstop\svsnapvss.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53023" "*net stop vssvc*",".{0,1000}net\sstop\svssvc.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 
- menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53024" "*net stop wbengine*",".{0,1000}net\sstop\swbengine.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53025" "*net stop wbengine*",".{0,1000}net\sstop\swbengine.{0,1000}","greyware_tool_keyword","net","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53026" "*net stop 
WinDefend*",".{0,1000}net\sstop\sWinDefend.{0,1000}","greyware_tool_keyword","net","stop critical services","T1489","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53027" "*net stop WinDefend*",".{0,1000}net\sstop\sWinDefend.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53028" "*net stop WRSVC*",".{0,1000}net\sstop\sWRSVC.{0,1000}","greyware_tool_keyword","net","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","53029" "*net use \\*\IPC$ 
/user:*",".{0,1000}net\suse\s\\\\.{0,1000}\\IPC\$\s\/user\:.{0,1000}","greyware_tool_keyword","net","connect to the ""IPC$"" share on a remote system often for lateral movement or remote administration purposes","T1021 - T1078 - T1033","TA0006 - TA0008 - TA0009","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","53032" "*net user *$* /*",".{0,1000}net\suser\s.{0,1000}\$.{0,1000}\s\/.{0,1000}","greyware_tool_keyword","net","manipulation of a hidden local account with the net command","T1564 - T1078 - T1136.001","TA0003 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53033" "*net user /domain >*",".{0,1000}net\suser\s\/domain\s\>.{0,1000}","greyware_tool_keyword","net","Create list of domain users","T1087 - T1033 - T1016","TA0005 - TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","53035" "*net user BitdefenderBounty *",".{0,1000}net\suser\sBitdefenderBounty\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53041" "*NET USER GUEST /ACTIVE:YES*",".{0,1000}NET\sUSER\sGUEST\s\/ACTIVE\:YES.{0,1000}","greyware_tool_keyword","net","activate the guest account in Windows","T1078 - T1087.001 - T1136.001","TA0006 - TA0007 - TA0003","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - 
APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53046" "*net user localadm *",".{0,1000}net\suser\slocaladm\s.{0,1000}","greyware_tool_keyword","net","adding the user localadm - observed used by the Dispossessor Ransomware group ","T1547.001","TA0003","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53054" "*net user localadm *",".{0,1000}net\suser\slocaladm\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1486 - T1490 - T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53055" "*net user Support * /add *",".{0,1000}net\suser\sSupport\s.{0,1000}\s\/add\s.{0,1000}","greyware_tool_keyword","net","command used in the Dispossessor ransomware group notes","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53056" "*net user support /active:yes*",".{0,1000}net\suser\ssupport\s\/active\:yes.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor ransomware group","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53057" "*net user support Pa$$wo0rd /add*",".{0,1000}net\suser\ssupport\sPa\$\$wo0rd\s\/add.{0,1000}","greyware_tool_keyword","net","discovery commands used by Dispossessor 
ransomware group","T1069 - T1003","TA0007 - TA0040","N/A","Dispossessor","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53058" "*net view /all /domain*",".{0,1000}net\sview\s\/all\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53061" "*net view /domain*",".{0,1000}net\sview\s\/all\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","https://github.com/alperenugurlu/AD_Enumeration_Hunt/blob/alperen_ugurlu_hack/AD_Enumeration_Hunt.ps1","1","0","N/A","N/A","10","1","93","18","2023-08-05T06:10:26Z","2023-08-05T05:16:57Z","53062" "*net view \\* /all*",".{0,1000}net\sview\s\\\\.{0,1000}\s\/all.{0,1000}","greyware_tool_keyword","net","retrieves a list of shared resources on a remote machine","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard 
Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53063" "*net* group Administrator* /add /domain*",".{0,1000}net.{0,1000}\sgroup\sAdministrator.{0,1000}\s\/add\s\/domain.{0,1000}","greyware_tool_keyword","net","adding a user to a privileged group. This action can be used by adversaries to maintain unauthorized access or escalate privileges within the targeted environment.","T1098","TA0003","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53064" "*net.exe localgroup ""Remote Desktop Users"" * /add*",".{0,1000}net\.exe\slocalgroup\s\""Remote\sDesktop\sUsers\""\s.{0,1000}\s\/add.{0,1000}","greyware_tool_keyword","net","Adds a user account to the local Remote Desktop Users group","T1035 - T1078 - T1087","TA0003 ","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53065" "*net.exe localgroup *Backup Operators*",".{0,1000}net\.exe\slocalgroup\s.{0,1000}Backup\sOperators.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 
- Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53066" "*net.exe"" localgroup *Backup Operators*",".{0,1000}net\.exe\""\slocalgroup\s.{0,1000}Backup\sOperators.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53067" "*net.exe* group *Account Operators* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Account\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53068" "*net.exe* group *Backup Operators* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Backup\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - 
admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53069" "*net.exe* group *Domain Computers* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Domain\sComputers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53070" "*net.exe* group *Domain Controllers* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Domain\sControllers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53071" "*net.exe* group *Enterprise Admins* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Enterprise\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM 
- admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53072" "*net.exe* group *Exchange Trusted Subsystem* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Exchange\sTrusted\sSubsystem.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53073" "*net.exe* group *Microsoft Exchange Servers* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Microsoft\sExchange\sServers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53074" "*net.exe* group *Print Operators* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Print\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - 
Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53075" "*net.exe* group *Schema Admins* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Schema\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53076" "*net.exe* group *Server Operators* /domain*",".{0,1000}net\.exe.{0,1000}\sgroup\s.{0,1000}Server\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53077" "*net1 group ""domain admins"" /domain*",".{0,1000}net1\s\sgroup\s\""domain\sadmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - 
Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53104" "*net1 group ""Domain Computers"" /domain*",".{0,1000}net1\s\sgroup\s\""Domain\sComputers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53105" "*net1 group ""domain computers"" /domain*",".{0,1000}net1\s\sgroup\s\""domain\scomputers\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53106" "*net1 group ""enterprise admins"" /domain*",".{0,1000}net1\s\sgroup\s\""enterprise\sadmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - 
admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53107" "*net1 group ""Domain Admins"" /domain*",".{0,1000}net1\sgroup\s\""Domain\sAdmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Query users from domain admins in current domain","T1069.002 - T1087.002","TA0007 - TA0006","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53108" "*net1 group ""SQL Admins"" /domain*",".{0,1000}net1\sgroup\s\""SQL\sAdmins\""\s\/domain.{0,1000}","greyware_tool_keyword","net","Enumerate SQL Admin group membership on the domain","T1087","TA0008 - TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53109" "*net1 group *Account Operators* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Account\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53110" "*net1 group *Backup Operators* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Backup\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain 
names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53111" "*net1 group *Domain Computers* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Domain\sComputers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53112" "*net1 group *Domain Controllers* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Domain\sControllers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53113" "*net1 group *Enterprise Admins* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Enterprise\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - 
TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53114" "*net1 group *Exchange Trusted Subsystem* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Exchange\sTrusted\sSubsystem.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53115" "*net1 group *Microsoft Exchange Servers* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Microsoft\sExchange\sServers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53116" "*net1 group *Print Operators* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Print\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - 
TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53117" "*net1 group *Schema Admins* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Schema\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53118" "*net1 group *Server Operators* /domain*",".{0,1000}net1\sgroup\s.{0,1000}Server\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53119" "*net1 localgroup ""Remote Desktop Users"" * /add*",".{0,1000}net1\slocalgroup\s\""Remote\sDesktop\sUsers\""\s.{0,1000}\s\/add.{0,1000}","greyware_tool_keyword","net","Adds a user account to the local Remote Desktop Users group","T1035 - T1078 - T1087","TA0003 ","N/A","Naikon - Magic Hound - APT38 - 
Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Persistence","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53120" "*net1 localgroup *Backup Operators*",".{0,1000}net1\slocalgroup\s.{0,1000}Backup\sOperators.{0,1000}","greyware_tool_keyword","net","discover local admins group","T1069.001 - T1087.002","TA0007 - TA0004","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53121" "*net1 localgroup admin*",".{0,1000}net1\slocalgroup\sadmin.{0,1000}","greyware_tool_keyword","net","showing users in a privileged group. 
","T1069 - T1003","TA0007 - TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53122" "*net1 stop badrv*",".{0,1000}net1\sstop\sbadrv.{0,1000}","greyware_tool_keyword","net","Wannacry Ransomware & NOODLERAT behavior","T1486 - T1490","TA0040","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Malware","https://www.virustotal.com/gui/file/cde4ca499282045eecd4fc15ac80a232294556a59b3c8c8a7a593e8333cfd3c7/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53124" "*net1 stop gupdatem*",".{0,1000}net1\sstop\sgupdatem.{0,1000}","greyware_tool_keyword","net","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53125" "*net1.exe* group *Account Operators* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Account\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - 
APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53126" "*net1.exe* group *Backup Operators* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Backup\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53127" "*net1.exe* group *Domain Computers* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Domain\sComputers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53128" "*net1.exe* group *Domain Controllers* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Domain\sControllers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - 
APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53129" "*net1.exe* group *Enterprise Admins* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Enterprise\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53130" "*net1.exe* group *Exchange Trusted Subsystem* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Exchange\sTrusted\sSubsystem.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53131" "*net1.exe* group *Microsoft Exchange Servers* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Microsoft\sExchange\sServers.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - 
Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53132" "*net1.exe* group *Print Operators* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Print\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53133" "*net1.exe* group *Schema Admins* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Schema\sAdmins.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53134" "*net1.exe* group *Server Operators* /domain*",".{0,1000}net1\.exe.{0,1000}\sgroup\s.{0,1000}Server\sOperators.{0,1000}\s\/domain.{0,1000}","greyware_tool_keyword","net","display all domain names on the network","T1016 - T1046","TA0007 - TA0009","N/A","Naikon - Magic Hound - APT38 - Dragonfly - Deep Panda - Threat 
Group-3390 - OilRig - Threat Group-1314 - APT28 - APT41 - menuPass - Ke3chang - Leviathan - APT5 - Orangeworm - GALLIUM - admin@338 - Chimera - APT1 - FIN8 - TA505 - ToddyCat - Turla - APT33 - Wizard Spider - Sandworm Team - APT29 - APT32 - Volt Typhoon - BRONZE BUTLER","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53135" "*netcat *.telebit.io*",".{0,1000}netcat\s.{0,1000}\.telebit\.io.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53137" "*netcat.exe*",".{0,1000}netcat\.exe.{0,1000}","greyware_tool_keyword","netcat","ncat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","APT15 - Calypso - EMBER BEAR - Black Basta","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","N/A","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","53138" "*netdiscover -i * -r */24*",".{0,1000}netdiscover\s\-i\s.{0,1000}\s\-r\s.{0,1000}\/24.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","53139" "*net-proxy/sshuttle*",".{0,1000}net\-proxy\/sshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","1","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","53175" "*netsat -naop*",".{0,1000}netsat\s\-naop.{0,1000}","greyware_tool_keyword","netstat","Adversaries may attempt to execute recon commands","T1049","TA0007","N/A","HEXANE - Ke3chang - Turla - Orangeworm - APT41 - OilRig - Threat Group-3390 - ToddyCat - admin@338 - Volt Typhoon - APT5","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","5","8","N/A","N/A","N/A","N/A","53178" "*netscan.exe /*",".{0,1000}netscan\.exe\s\/.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53179" "*netscan_portable.zip*",".{0,1000}netscan_portable\.zip.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - 
Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53180" "*netscan_setup.exe*",".{0,1000}netscan_setup\.exe.{0,1000}","greyware_tool_keyword","netscan","SoftPerfect Network Scanner abused by threat actor","T1040 - T1046 - T1018","TA0007 - TA0010 - TA0001","N/A","BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - AvosLocker - FiveHands - Yanluowang - MONTI - DarkSide - Everest - Cicada3301 - MedusaLocker - DragonForce - Phobos - Lynx","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","network exploitation tool","6","10","N/A","N/A","N/A","N/A","53181" "*netsh advfirewall firewall * rule name=""AweSun*",".{0,1000}netsh\s\sadvfirewall\sfirewall\s.{0,1000}\srule\sname\=\""AweSun.{0,1000}","greyware_tool_keyword","aweray","all-in-one secure remote access control and support solution","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","sun.aweray.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53182" "*netsh advfirewall firewall add rule name=\""Level Agent\""*",".{0,1000}netsh\s\sadvfirewall\sfirewall\sadd\srule\sname\=\\\""Level\sAgent\\\"".{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53183" "*netsh advfirewall firewall add rule name=""allow RDP"" dir=in protocol=TCP localport=3389 action=allow*",".{0,1000}netsh\sadvfirewall\sfirewall\sadd\srule\sname\=\""allow\sRDP\""\sdir\=in\sprotocol\=TCP\slocalport\=3389\saction\=allow.{0,1000}","greyware_tool_keyword","netsh","allow rdp incoming connection - used by ransomware groups","T1059.007","TA0002 - 
TA0007","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53186" "*netsh advfirewall firewall add rule name=""Radmin Server *",".{0,1000}netsh\sadvfirewall\sfirewall\sadd\srule\sname\=\""Radmin\sServer\s.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53187" "*netsh advfirewall firewall add rule name='NimScan'*",".{0,1000}netsh\sadvfirewall\sfirewall\sadd\srule\sname\=\'NimScan\'.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","53188" "*netsh advfirewall firewall show rule name=all*",".{0,1000}netsh\sadvfirewall\sfirewall\sshow\srule\sname\=all.{0,1000}","greyware_tool_keyword","netsh","gathering information about network configurations","T1016 - T1089","TA0007 - TA0009","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Discovery","N/A","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","53189" "*netsh advfirewall set allprofiles state off*",".{0,1000}netsh\sadvfirewall\sset\sallprofiles\sstate\soff.{0,1000}","greyware_tool_keyword","netsh","script to dismantle complete windows defender protection and even bypass tamper protection - Disable Windows-Defender Permanently.","T1562.001","TA0005","N/A","Dispossessor - Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense 
Evasion","https://github.com/swagkarna/Defeat-Defender-V1.2.0","1","0","N/A","N/A","10","10","1530","316","2023-10-20T17:55:09Z","2020-12-10T07:22:06Z","53190" "*NetSh Advfirewall set allprofiles state off*",".{0,1000}NetSh\sAdvfirewall\sset\sallprofiles\sstate\soff.{0,1000}","greyware_tool_keyword","netsh","Disable Windows Firewall","T1562.004 - T1055.001","TA0005","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53191" "*netsh firewall add allowedprogram ""C:\Users\*\AppData\*.exe"" ""*.exe"" ENABLE*",".{0,1000}netsh\sfirewall\sadd\sallowedprogram\s\""C\:\\Users\\.{0,1000}\\AppData\\.{0,1000}\.exe\""\s\"".{0,1000}\.exe\""\sENABLE.{0,1000}","greyware_tool_keyword","netsh","adding an executable in the user AppData folder to the firewall allowed programs","T1562.004","TA0005 ","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","https://tria.ge/231006-ydmxjsfe5s/behavioral1/analog?proc=66","1","0","N/A","N/A","3","8","N/A","N/A","N/A","N/A","53192" "*netsh firewall delete allowedprogram *",".{0,1000}netsh\sfirewall\sdelete\sallowedprogram\s.{0,1000}","greyware_tool_keyword","netsh","delete an item from the firewall allowedprogram whitelist","T1562 - T1489 - T1070","TA0005 - TA0040","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","N/A","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","53193" "*netsh firewall set opmode disable*",".{0,1000}netsh\sfirewall\sset\sopmode\sdisable.{0,1000}","greyware_tool_keyword","netsh","Disable Windows Firewall","T1562.004 - T1059.005","TA0005 - TA0040","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","53194" "*netsh firewall show 
all*",".{0,1000}netsh\sfirewall\sshow\sall.{0,1000}","greyware_tool_keyword","netsh","Enumeration with netsh","T1016 - T1069.002 - T1069.001 - T1082","TA0007 - TA0009","N/A","APT41","Discovery","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","53196" "*netsh firewall show config*",".{0,1000}netsh\sfirewall\sshow\sconfig.{0,1000}","greyware_tool_keyword","netsh","show all firewall rules config","T1016 - T1049","TA0007 - TA0009","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Discovery","N/A","1","0","N/A","https://github.com/alperenugurlu/AD_Enumeration_Hunt/blob/alperen_ugurlu_hack/AD_Enumeration_Hunt.ps1","6","8","N/A","N/A","N/A","N/A","53197" "*netsh interface firewall show all*",".{0,1000}netsh\sinterface\sfirewall\sshow\sall.{0,1000}","greyware_tool_keyword","netsh","Enumeration with netsh","T1016 - T1069.002 - T1069.001 - T1082","TA0007 - TA0009","N/A","APT41","Discovery","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","53198" "*netsh interface portproxy add v4tov4 listenport=* connectaddress=*",".{0,1000}netsh\sinterface\sportproxy\sadd\sv4tov4\slistenport\=.{0,1000}\sconnectport\=.{0,1000}\sconnectaddress\=.{0,1000}","greyware_tool_keyword","netsh","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","53199" "*netsh interface portproxy add v4tov4*listenaddress=* listenport=*connectaddress=*connectport*",".{0,1000}netsh\sinterface\sportproxy\sadd\sv4tov4.{0,1000}listenaddress\=.{0,1000}\slistenport\=.{0,1000}connectaddress\=.{0,1000}connectport.{0,1000}","greyware_tool_keyword","netsh","The actor has used the following commands to enable port forwarding [T1090] on the host","T1090.003 - T1123","TA0005 - TA0002","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53200" "*netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=*",".{0,1000}netsh\sinterface\sportproxy\sdelete\sv4tov4\slistenaddress\=0\.0\.0\.0\slistenport\=.{0,1000}","greyware_tool_keyword","netsh","attempt to remove port proxy configurations","T1562.004","TA0005 ","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","https://media.defense.gov/2024/Feb/07/2003389936/-1/-1/0/JOINT-GUIDANCE-IDENTIFYING-AND-MITIGATING-LOTL.PDF","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53201" "*netsh interface portproxy delete v4tov4 listenport=*",".{0,1000}netsh\sinterface\sportproxy\sdelete\sv4tov4\slistenport\=.{0,1000}","greyware_tool_keyword","netsh","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","53202" "*netsh interface portproxy show all*",".{0,1000}netsh\sinterface\sportproxy\sshow\sall.{0,1000}","greyware_tool_keyword","netsh","display all current TCP port redirections configured on the system","T1059.007","TA0002 - TA0007","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","6","8","N/A","N/A","N/A","N/A","53203" "*netsh interface portproxy show v4tov4*",".{0,1000}netsh\sinterface\sportproxy\sshow\sv4tov4.{0,1000}","greyware_tool_keyword","netsh","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Defense Evasion","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","53204" "*netsh portproxy show v4tov4*",".{0,1000}netsh\sportproxy\sshow\sv4tov4.{0,1000}","greyware_tool_keyword","netsh","Enumeration with netsh","T1016 - T1069.002 - T1069.001 - T1082","TA0007 - TA0009","N/A","APT41","Discovery","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","53205" "*netsh wlan show profiles *key=clear*",".{0,1000}netsh\swlan\sshow\sprofiles\skey\=clear.{0,1000}","greyware_tool_keyword","netsh","display saved Wi-Fi profiles including plaintext passwords on a Windows system","T1003 - T1552.001","TA0006 - TA0009","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53207" "*netsh.exe add helper *\temp\*.dll*",".{0,1000}netsh\.exe\sadd\shelper\s.{0,1000}\\temp\\.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","NetshRun","Netsh.exe relies on extensions taken from Registry which means it may be used as a persistence and you go one step further extending netsh with a DLL allowing you to do whatever you want","T1546.008 - T1112 - T1037 - T1055 - T1218.001","TA0003 - TA0002 - TA0008","N/A","N/A","Exploitation tool","https://github.com/gtworek/PSBits/blob/master/NetShRun","1","0","N/A","N/A","N/A","10","3337","542","2025-03-12T19:59:23Z","2019-06-29T13:22:36Z","53209" "*netsh.exe advfirewall firewall add rule ""name=allow RemoteDesktop"" dir=in * localport=* 
action=allow*",".{0,1000}netsh\.exe\sadvfirewall\sfirewall\sadd\srule\s\""name\=allow\sRemoteDesktop\""\sdir\=in\s.{0,1000}\slocalport\=.{0,1000}\saction\=allow.{0,1000}","greyware_tool_keyword","netsh","Adds a new rule to the Windows firewall that allows incoming RDP traffic.","T1562.004 - T1021.001","TA0005 - TA0008","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Lateral Movement","https://www.cisa.gov/sites/default/files/2023-05/aa23-136a_stopransomware_bianlian_ransomware_group_1.pdf","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53210" "*netsh.exe advfirewall firewall set rule ""group=remote desktop"" new enable=Yes*",".{0,1000}netsh\.exe\sadvfirewall\sfirewall\sset\srule\s\""group\=remote\sdesktop\""\snew\senable\=Yes.{0,1000}","greyware_tool_keyword","netsh","Enables the pre-existing Windows firewall rule group named Remote Desktop. This rule group allows incoming RDP traffic.","T1562.004 - T1078 - T1021.001","TA0005 - TA0008","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Lateral Movement","https://www.cisa.gov/sites/default/files/2023-05/aa23-136a_stopransomware_bianlian_ransomware_group_1.pdf","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53211" "*netsh.exe trace start maxSize=1 fileMode=single capture=yes traceFile=*\TEMP*.etl*",".{0,1000}netsh\.exe\strace\sstart\smaxSize\=1\sfileMode\=single\scapture\=yes\straceFile\=.{0,1000}\\TEMP.{0,1000}\.etl.{0,1000}","greyware_tool_keyword","netsh","capturing a network trace with netsh","T1049 - T1119","TA0007 - TA0009","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Discovery","N/A","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","53213" "*netsh.exe wlan show profiles key=clear*",".{0,1000}netsh\.exe\swlan\sshow\sprofiles\skey\=clear.{0,1000}","greyware_tool_keyword","netsh","display saved Wi-Fi profiles including plaintext passwords on a Windows system","T1003 
- T1552.001","TA0006 - TA0009","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53214" "*netsh.exe* interface portproxy show all*",".{0,1000}netsh\.exe.{0,1000}\sinterface\sportproxy\sshow\sall.{0,1000}","greyware_tool_keyword","netsh","display all current TCP port redirections configured on the system","T1059.007","TA0002 - TA0007","N/A","Volt Typhoon - Naikon - APT32 - Magic Hound - Lazarus Group - Carbanak - Dragonfly","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","6","8","N/A","N/A","N/A","N/A","53215" "*netshrun.dll*",".{0,1000}netshrun\.dll.{0,1000}","greyware_tool_keyword","NetshRun","Netsh.exe relies on extensions taken from Registry which means it may be used as a persistence and you go one step further extending netsh with a DLL allowing you to do whatever you want","T1546.008 - T1112 - T1037 - T1055 - T1218.001","TA0003 - TA0002 - TA0008","N/A","N/A","Exploitation tool","https://github.com/gtworek/PSBits/blob/master/NetShRun","1","1","N/A","N/A","N/A","10","3337","542","2025-03-12T19:59:23Z","2019-06-29T13:22:36Z","53217" "*netstat -ano*",".{0,1000}netstat\s\-ano.{0,1000}","greyware_tool_keyword","netstat","Adversaries may attempt to execute recon commands","T1049","TA0007","N/A","HEXANE - Ke3chang - Turla - Orangeworm - APT41 - OilRig - Threat Group-3390 - ToddyCat - admin@338 - Volt Typhoon - APT5","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","5","8","N/A","N/A","N/A","N/A","53220" "*netstat -ant*",".{0,1000}netstat\s\-ant.{0,1000}","greyware_tool_keyword","netstat","View all active TCP connections and the TCP and UDP ports the host is listening on.","T1049","TA0007","N/A","HEXANE - Ke3chang - Turla - Orangeworm - APT41 - OilRig - Threat Group-3390 - ToddyCat - admin@338 - Volt Typhoon - APT5","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive 
!","5","8","N/A","N/A","N/A","N/A","53221" "*NETSTAT.EXE* -ano*",".{0,1000}NETSTAT\.EXE.{0,1000}\s\-ano.{0,1000}","greyware_tool_keyword","netstat","Adversaries may attempt to execute recon commands","T1049","TA0007","N/A","HEXANE - Ke3chang - Turla - Orangeworm - APT41 - OilRig - Threat Group-3390 - ToddyCat - admin@338 - Volt Typhoon - APT5","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","5","8","N/A","N/A","N/A","N/A","53224" "*NetSupport Audio Sample Source Filter*",".{0,1000}NetSupport\sAudio\sSample\sSource\sFilter.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","53225" "*NetSupport Bitmap Source Filter*",".{0,1000}NetSupport\sBitmap\sSource\sFilter.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","53226" "*NetSupport Manager -- Installation *",".{0,1000}NetSupport\sManager\s\-\-\sInstallation\s.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - 
Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53227" "*NetSupport Manager (1).msi*",".{0,1000}NetSupport\sManager\s\(1\)\.msi.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53228" "*NetSupport Manager.msi*",".{0,1000}NetSupport\sManager\.msi.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53229" "*NetSupport%20Manager.msi*",".{0,1000}NetSupport\%20Manager\.msi.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53230" "*netsupport*\PCISA.exe*",".{0,1000}netsupport.{0,1000}\\PCISA\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta 
- Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53231" "*netsupport*\runscrip.exe*",".{0,1000}netsupport.{0,1000}\\runscrip\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53232" "*netsupport*\supporttool.exe*",".{0,1000}netsupport.{0,1000}\\supporttool\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53233" "*NetSupport_Client_machine.adml*",".{0,1000}NetSupport_Client_machine\.adml.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53234" "*NetSupport_Control_Machine.adml*",".{0,1000}NetSupport_Control_Machine\.adml.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53235" "*netwrix/pingcastle*",".{0,1000}netwrix\/pingcastle.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","53248" "*New-AADIntADFSRefreshToken*",".{0,1000}New\-AADIntADFSRefreshToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53258" "*New-AADIntADFSSelfSignedCertificates*",".{0,1000}New\-AADIntADFSSelfSignedCertificates.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53259" "*New-AADIntB2CAuthorizationCode*",".{0,1000}New\-AADIntB2CAuthorizationCode.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - 
T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53260" "*New-AADIntB2CRefreshToken*",".{0,1000}New\-AADIntB2CRefreshToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53261" "*New-AADIntBackdoor*",".{0,1000}New\-AADIntBackdoor.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53262" "*New-AADIntBulkPRTToken*",".{0,1000}New\-AADIntBulkPRTToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53263" "*New-AADIntCertificate*",".{0,1000}New\-AADIntCertificate.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals 
PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53264" "*New-AADIntGuestInvitation*",".{0,1000}New\-AADIntGuestInvitation.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53265" "*New-AADIntHybridHealthService*",".{0,1000}New\-AADIntHybridHealthService.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53266" "*New-AADIntHybridHealthServiceMember*",".{0,1000}New\-AADIntHybridHealthServiceMember.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53267" "*New-AADIntHybridHealtServiceEvent*",".{0,1000}New\-AADIntHybridHealtServiceEvent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53268" "*New-AADIntInvitationVBA*",".{0,1000}New\-AADIntInvitationVBA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53269" "*New-AADIntMOERADomain*",".{0,1000}New\-AADIntMOERADomain.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53270" "*New-AADIntMSPartnerDelegatedAdminRequest*",".{0,1000}New\-AADIntMSPartnerDelegatedAdminRequest.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 
365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53271" "*New-AADIntOneDriveSettings*",".{0,1000}New\-AADIntOneDriveSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53272" "*New-AADIntOTP*",".{0,1000}New\-AADIntOTP.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53273" "*New-AADIntOTPSecret*",".{0,1000}New\-AADIntOTPSecret.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53274" 
"*New-AADIntP2PDeviceCertificate*",".{0,1000}New\-AADIntP2PDeviceCertificate.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53275" "*New-AADIntSAML2Token*",".{0,1000}New\-AADIntSAML2Token.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53276" "*New-AADIntSAMLToken*",".{0,1000}New\-AADIntSAMLToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53277" "*New-AADIntUserPRTToken*",".{0,1000}New\-AADIntUserPRTToken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY 
BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53278" "*New-ADGroup -Name ""ESX Admins""*",".{0,1000}New\-ADGroup\s\-Name\s\""ESX\sAdmins\"".{0,1000}","greyware_tool_keyword","powershell","ESX treats all members of an Active Directory group named ""ESX Admins"" as administrators by default. Attackers have exploited this misconfiguration to escalate privileges and gain administrative access.","T1078 - T1069 - T1078.003","TA0001 - TA0004 - TA0002","N/A","Dispossessor ","Privilege Escalation","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53279" "*New-ItemProperty -Path ""HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"" -Name * -Value 0 -PropertyType Dword*",".{0,1000}New\-ItemProperty\s\-Path\s\""HKLM\:\\Software\\Microsoft\\Windows\sNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\""\s\-Name\s.{0,1000}\s\-Value\s0\s\-PropertyType\sDword.{0,1000}","greyware_tool_keyword","powershell","hiding a user from the login screen by modifying a specific registry key","T1112 - T1564.001","TA0005 - TA0003","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","53293" "*New-ItemProperty -Path ""HKLM:\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels"" -Name ""DisableDevTunnelsInVisualStudio"" -PropertyType DWORD -Value 0*",".{0,1000}New\-ItemProperty\s\-Path\s\""HKLM\:\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels\""\s\-Name\s\""DisableDevTunnelsInVisualStudio\""\s\-PropertyType\sDWORD\s\-Value\s0.{0,1000}","greyware_tool_keyword","powershell","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","53294" "*New-ItemProperty -Path ""HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force *",".{0,1000}New\-ItemProperty\s\-Path\s\""HKLM\:\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\""\s\-Name\sDisableAntiSpyware\s\-Value\s1\s\-PropertyType\sDWORD\s\-Force\s.{0,1000}","greyware_tool_keyword","powershell","completely disable Windows Defender on your computer by adding a registry key","T1112 - T1089 - T1547.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","53295" "*New-NetFirewallRule * -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22*",".{0,1000}New\-NetFirewallRule\s.{0,1000}\s\-Enabled\sTrue\s\-Direction\sInbound\s\-Protocol\sTCP\s\-Action\sAllow\s\-LocalPort\s22.{0,1000}","greyware_tool_keyword","powershell","allowing SSH incoming connections (critical on DC)","T1021.004 - T1133 - T1078.003","TA0008 - TA0005","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53297" "*New-ObfuscationContainer -SearchFilter $SearchFilter -SearchRoot:$SearchRoot -AttributeList*",".{0,1000}New\-ObfuscationContainer\s\-SearchFilter\s\$SearchFilter\s\-SearchRoot\:\$SearchRoot\s\-AttributeList.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - 
TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","53300" "*New-Object System.Net.Sockets.TCPClient(*$stream = $client.GetStream()*[byte[]]$bytes = 0..65535*",".{0,1000}New\-Object\sSystem\.Net\.Sockets\.TCPClient\(.{0,1000}\$stream\s\=\s\$client\.GetStream\(\).{0,1000}\[byte\[\]\]\$bytes\s\=\s0\.\.65535.{0,1000}","greyware_tool_keyword","powershell","Powershell reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","N/A","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","53303" "*New-Service -Name sshd*",".{0,1000}New\-Service\s\-Name\ssshd.{0,1000}","greyware_tool_keyword","openssh-portable","monitoring openssh usage","T1098.003 - T1562.004 - T1021.004","TA0006 - TA0002 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider*","C2","https://github.com/PowerShell/openssh-portable","1","0","N/A","N/A","10","10","1859","333","2025-04-18T17:52:43Z","2016-11-02T04:18:48Z","53311" "*ngrok authtoken AUTHTOKEN:::https://dashboard.ngrok.com/get-started/your-authtoken*",".{0,1000}ngrok\sauthtoken\sAUTHTOKEN\:\:\:https\:\/\/dashboard\.ngrok\.com\/get\-started\/your\-authtoken.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","53320" "*ngrok tcp *",".{0,1000}ngrok\stcp\s.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 
- T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","53321" "*ngrok, Inc.*",".{0,1000}ngrok,\sInc\..{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","0","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","53322" "*ngrokd.ngrok.com*",".{0,1000}ngrokd\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","N/A","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","53323" "*nhfjkakglbnnpkpldhjmpmmfefifedcj*",".{0,1000}nhfjkakglbnnpkpldhjmpmmfefifedcj.{0,1000}","greyware_tool_keyword","Pron VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53327"
"*nhnfcgpcbfclhfafjlooihdfghaeinfc*",".{0,1000}nhnfcgpcbfclhfafjlooihdfghaeinfc.{0,1000}","greyware_tool_keyword","Surf VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53328" "*niB.elcyceR$*",".{0,1000}niB\.elcyceR\$.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53330" "*NimScan * -p:*",".{0,1000}NimScan\s.{0,1000}\s\-p\:.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","53424" "*NimScan finished in:*",".{0,1000}NimScan\sfinished\sin\:.{0,1000}","greyware_tool_keyword","NimScan","Really fast port scanner (With filtered option - Windows support only)","T1046","TA0007","N/A","N/A","Discovery","https://github.com/elddy/NimScan","1","0","N/A","N/A","8","4","391","38","2022-02-10T13:23:02Z","2020-08-12T14:20:46Z","53425" "*nircmd.exe *",".{0,1000}nircmd\.exe\s.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53431" "*nircmdc.exe *",".{0,1000}nircmdc\.exe\s.{0,1000}","greyware_tool_keyword","nircmd","Nirsoft tool - NirCmd is a small command-line utility that allows you to do
some useful tasks without displaying any user interface","T1059 - T1036","TA0005 - TA0002 - TA0003","N/A","N/A","Defense Evasion","https://www.nirsoft.net/utils/nircmd.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53432" "*nix-env -i croc*",".{0,1000}nix\-env\s\-i\scroc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","53444" "*njpmifchgidinihmijhcfpbdmglecdlb*",".{0,1000}njpmifchgidinihmijhcfpbdmglecdlb.{0,1000}","greyware_tool_keyword","Trellonet","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53451" "*nlbejmccbhkncgokjcmghpfloaajcffj*",".{0,1000}nlbejmccbhkncgokjcmghpfloaajcffj.{0,1000}","greyware_tool_keyword","Hotspot Shield Free VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","53454" "*nltest /all_trusts*",".{0,1000}nltest\s\/all_trusts.{0,1000}","greyware_tool_keyword","nltest","enumerate domain trusts with nltest","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53456" "*nltest
/dclist*",".{0,1000}nltest\s\/dclist.{0,1000}","greyware_tool_keyword","nltest","enumerate domain trusts with nltest","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53457" "*nltest /domain_trusts /v*",".{0,1000}nltest\s\/domain_trusts\s\/v.{0,1000}","greyware_tool_keyword","nltest","Dump Domain Trust Information","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53458" "*nltest /domain_trusts*",".{0,1000}nltest\s\/domain_trusts.{0,1000}","greyware_tool_keyword","nltest","enumerate domain trusts with nltest","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53459" "*nltest /dsgetdc:* /force*",".{0,1000}nltest\s\/dsgetdc\:.{0,1000}\s\/force.{0,1000}","greyware_tool_keyword","nltest","Force a re-discovery of Domain Controller","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53460" "*nltest /dsgetdc:* /force*",".{0,1000}nltest\s\/dsgetdc\:.{0,1000}\s\/force.{0,1000}","greyware_tool_keyword","nltest","Force a re-discovery of trusted domains","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53461" "*nltest /jbc_trusts /all_trusts*",".{0,1000}nltest\s\/jbc_trusts\s\/all_trusts.{0,1000}","greyware_tool_keyword","nltest","used in combination with adfind by threat actors","T1087 - T1016 - T1482","TA0007","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor - Black
Basta","Discovery","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53462" "*nltest /sc_reset /force*",".{0,1000}nltest\s\/sc_reset\s\/force.{0,1000}","greyware_tool_keyword","nltest","Force a re-authentication on the secure channel","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53463" "*nltest /server:* /domain_trusts*",".{0,1000}nltest\s\/server\:.{0,1000}\s\/domain_trusts.{0,1000}","greyware_tool_keyword","nltest","List information about all trusted domains from a specific server","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53464" "*nltest /server:* /trusted_domains /v*",".{0,1000}nltest\s\/server\:.{0,1000}\s\/trusted_domains\s\/v.{0,1000}","greyware_tool_keyword","nltest","Check all trusted domains of a specific server (verbose mode)","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53465" "*nltest -dsgetdc*",".{0,1000}nltest\s\-dsgetdc.{0,1000}","greyware_tool_keyword","nltest","enumerate domain trusts with nltest","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53466" "*nltest*/dclist:*",".{0,1000}nltest\s\/dclist\:.{0,1000}","greyware_tool_keyword","nltest","Get the list of domain controllers for the specified domain","T1482 - T1018","TA0007","N/A","Black Basta","Discovery","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53467" "*nmap -*",".{0,1000}nmap\s\-.{0,1000}","greyware_tool_keyword","nmap","A very common tool. 
Network host vuln and port detector.","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","https://github.com/nmap/nmap","1","0","N/A","greyware tool - risks of False positive !","8","10","10953","2505","2025-04-21T20:45:05Z","2012-03-09T14:47:43Z","53469" "*nmap * --script=*.nse*",".{0,1000}nmap\s.{0,1000}\s\-\-script\=.{0,1000}\.nse.{0,1000}","greyware_tool_keyword","nmap","check exploit for CVEs with nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://nmap.org/","1","0","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","53470" "*nmap -p 445 * -sS --script smb-security-mode*",".{0,1000}nmap\s\-p\s445\s.{0,1000}\s\-sS\s\-\-script\ssmb\-security\-mode.{0,1000}","greyware_tool_keyword","nmap","SMB lateral movement with nmap","T1021 - T1078 - T1135 - T1046 - T1105","TA0007 - TA0008","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Discovery","N/A","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","53472" "*nmap -Pn -v -sS -F*",".{0,1000}nmap\s\-Pn\s\-v\s\-sS\s\-F.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","53474" "*nmap-*-setup.exe*",".{0,1000}nmap\-.{0,1000}\-setup\.exe.{0,1000}","greyware_tool_keyword","nmap","When Nmap is used on Windows systems. 
it can perform various types of scans such as TCP SYN scans. UDP scans. and service/version detection. These scans enable the identification of open ports. services running on those ports. and potential vulnerabilities in target systems.","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","N/A","1","0","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","53476" "*nmap-elasticsearch-nse*",".{0,1000}nmap\-elasticsearch\-nse.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","53482" "*NoahShen/gotunnelme*",".{0,1000}NoahShen\/gotunnelme.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","53492" "*node tunnelmole.js*",".{0,1000}node\stunnelmole\.js.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","53504" "*nopaste.net*IWR*",".{0,1000}nopaste\.net.{0,1000}IWR.{0,1000}","greyware_tool_keyword","nopaste.net","nopaste.net is a temporary file host - nopaste 
and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration","T1567.002 - T1036.005 - T1102 - T1071.001","TA0005 - TA0009 - TA0010","N/A","N/A","Collection","https://www.shellhub.io/","1","0","#Pastebinlike #filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","53543" "*--no-promiscuous-mode*",".{0,1000}\-\-no\-promiscuous\-mode.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","53560" "*notifications.*.swi-rc.com*",".{0,1000}notifications\..{0,1000}\.swi\-rc\.com.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53576" "*novaPDF11PrinterDriver(x64).msi*",".{0,1000}novaPDF11PrinterDriver\(x64\)\.msi.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53585" "*npgimkapccfidfkfoklhpkgmhgfejhbj*",".{0,1000}npgimkapccfidfkfoklhpkgmhgfejhbj.{0,1000}","greyware_tool_keyword","BelkaVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53589" "*nping* --data *",".{0,1000}nping.{0,1000}\s\-\-data\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","53591" "*nping* --data-string *",".{0,1000}nping.{0,1000}\s\-\-data\-string\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","53592" "*nping* --icmp *",".{0,1000}nping.{0,1000}\s\-\-icmp\s.{0,1000}","greyware_tool_keyword","nping","icmp exfiltration with nping (comes with nmap)","T1041 - T1095","TA0010 - TA0011","N/A","N/A","Data Exfiltration","http://nmap.org/nping/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","53593" "*npm install fleetctl*",".{0,1000}npm\sinstall\sfleetctl.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","53595" "*npm install -g localtunnel*",".{0,1000}npm\sinstall\s\-g\slocaltunnel.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","53596" "*npm install 
-g localtunnel*",".{0,1000}npm\sinstall\s\-g\slocaltunnel.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","53597" "*npm install -g tunnelmole*",".{0,1000}npm\sinstall\s\-g\stunnelmole.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","53598" "*npm install hypertunnel-server*",".{0,1000}npm\sinstall\shypertunnel\-server.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","0","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","53599" "*npm install localxpose*",".{0,1000}npm\sinstall\slocalxpose.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","53600" "*npm install* tunnelmole*",".{0,1000}npm\sinstall.{0,1000}\stunnelmole.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","53601" "*npx localtunnel 
*",".{0,1000}npx\slocaltunnel\s.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","53607" "*npx localtunnel --port *",".{0,1000}npx\slocaltunnel\s\-\-port\s.{0,1000}","greyware_tool_keyword","localtunnels","client for localtunnel.me - localtunnel exposes your localhost to the world for easy testing and sharing","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","8","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","53608" "*nse_install.py*",".{0,1000}nse_install\.py.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","53612" "*nse-insall-0.0.1*",".{0,1000}nse\-insall\-0\.0\.1.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","53613" "*nse-install *",".{0,1000}nse\-install\s.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - 
T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","53614" "*nse-install-master*",".{0,1000}nse\-install\-master.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","0","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","53615" "*NSM_Control_Machine.adm*",".{0,1000}NSM_Control_Machine\.adm.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53617" "*nssm set xmrig AppNoConsole 1*",".{0,1000}nssm\sset\sxmrig\sAppNoConsole\s1.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","53618" "*ntdsutil ""ac in ntds"" roles*",".{0,1000}ntdsutil\s\""ac\sin\sntds\""\sroles.{0,1000}","greyware_tool_keyword","ntdsutil","Misuse of this command could indicate an attempt to transfer 
or seize FSMO roles which are critical for Active Directory operations","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53642" "*ntdsutil ""activate instance ntds"" authoritative restore*",".{0,1000}ntdsutil\s\""activate\sinstance\sntds\""\sauthoritative\srestore.{0,1000}","greyware_tool_keyword","ntdsutil","An attacker could use this to revert changes in AD for persistence","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53643" "*ntdsutil *activate instance ntds* ifm*",".{0,1000}ntdsutil\s.{0,1000}activate\sinstance\sntds.{0,1000}\sifm.{0,1000}","greyware_tool_keyword","ntdsutil","create an installation media set from the NTDS database (Install From Media). This could be abused to exfiltrate the Active Directory database for offline attacks or manipulation.","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53644" "*ntdsutil \""ac i ntds\""*",".{0,1000}ntdsutil\s\\\""ac\si\sntds\\\"".{0,1000}","greyware_tool_keyword","ntdsutil","Misuse of this command could indicate an attempt to transfer or seize FSMO roles which are critical for Active Directory operations","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53645" "*ntdsutil files*",".{0,1000}ntdsutil\sfiles.{0,1000}","greyware_tool_keyword","ntdsutil","An attacker might use this command to manipulate or inspect the AD database files","T1003.001 - T1070.004 - 
T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53646" "*ntdsutil metadata cleanup*",".{0,1000}ntdsutil\smetadata\scleanup.{0,1000}","greyware_tool_keyword","ntdsutil","could indicate an attempt to manipulate the directory's metadata","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53647" "*ntdsutil partition management*",".{0,1000}ntdsutil\spartition\smanagement.{0,1000}","greyware_tool_keyword","ntdsutil","Attackers could abuse this to manipulate directory partitions","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53648" "*ntdsutil snapshot*",".{0,1000}ntdsutil\ssnapshot.{0,1000}","greyware_tool_keyword","ntdsutil","Snapshots contain a copy of the AD database and attackers may use it to obtain sensitive information","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53649" "*ntdsutil.exe *ac i ntds* *ifm* *create full *c:\ProgramData*",".{0,1000}ntdsutil\.exe\s.{0,1000}ac\si\sntds.{0,1000}\s.{0,1000}ifm.{0,1000}\s.{0,1000}create\sfull\s.{0,1000}c\:\\ProgramData.{0,1000}","greyware_tool_keyword","ntdsutil","creating a full backup of the Active Directory database and saving it to the \temp directory","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53650" "*ntdsutil.exe *ac 
i ntds* *ifm* *create full *users\public*",".{0,1000}ntdsutil\.exe\s.{0,1000}ac\si\sntds.{0,1000}\s.{0,1000}ifm.{0,1000}\s.{0,1000}create\sfull\s.{0,1000}users\\public.{0,1000}","greyware_tool_keyword","ntdsutil","creating a full backup of the Active Directory database and saving it to the \temp directory","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53651" "*ntdsutil.exe *ac i ntds*ifm*create full *temp*",".{0,1000}ntdsutil\.exe\s.{0,1000}ac\si\sntds.{0,1000}ifm.{0,1000}create\sfull\s.{0,1000}temp.{0,1000}","greyware_tool_keyword","ntdsutil","creating a full backup of the Active Directory database and saving it to the \temp directory","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","53652" "*ntnj/tunwg*",".{0,1000}ntnj\/tunwg.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","53715" "*NullSessionScanner.*",".{0,1000}NullSessionScanner\..{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","53751" 
"*objects.githubusercontent.com/github-production-release-asset-*",".{0,1000}objects\.githubusercontent\.com\/github\-production\-release\-asset\-.{0,1000}","greyware_tool_keyword","github","Github executables download initiated - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","53821" "*OCSAF/freevulnsearch*",".{0,1000}OCSAF\/freevulnsearch.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","53829" "*Offline SAM Editing Tool - Changed*",".{0,1000}Offline\sSAM\sEditing\sTool\s\-\sChanged.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53850" "*Offline SAM Editing Tool*",".{0,1000}Offline\sSAM\sEditing\sTool.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53851" "*Offline SAM loaded successfully*",".{0,1000}Offline\sSAM\sloaded\ssuccessfully.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 
- T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53852" "*Offline SAM Tool\r\nUse with caution!*",".{0,1000}Offline\sSAM\sTool\\r\\nUse\swith\scaution!.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53853" "*offline_miner_setup.zip*",".{0,1000}offline_miner_setup\.zip.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","53854" "*oifjbnnafapeiknapihcmpeodaeblbkn*",".{0,1000}oifjbnnafapeiknapihcmpeodaeblbkn.{0,1000}","greyware_tool_keyword","rderzh VPN Proxy","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53875" "*omdakjcmkglenbhjadbccaookpfjihpa*",".{0,1000}omdakjcmkglenbhjadbccaookpfjihpa.{0,1000}","greyware_tool_keyword","TunnelBear VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53885" "*omghfjlpggmjjaagoclmmobgdodcjboh*",".{0,1000}omghfjlpggmjjaagoclmmobgdodcjboh.{0,1000}","greyware_tool_keyword","Browsec VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53889" "*online.level.io*",".{0,1000}online\.level\.io.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53925" "*oofgbpoabipfcfjapgnbbjjaenockbdp*",".{0,1000}oofgbpoabipfcfjapgnbbjjaenockbdp.{0,1000}","greyware_tool_keyword","SetupVPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53927" "*ookhnhpkphagefgdiemllfajmkdkcaim*",".{0,1000}ookhnhpkphagefgdiemllfajmkdkcaim.{0,1000}","greyware_tool_keyword","iNinja VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data 
Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","53928" "*Open Source Developer, Grzegorz Tworek*",".{0,1000}Open\sSource\sDeveloper,\sGrzegorz\sTworek.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","53935" "*Open-AADIntOffice365Portal*",".{0,1000}Open\-AADIntOffice365Portal.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53936" "*Open-AADIntOWA*",".{0,1000}Open\-AADIntOWA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","53937" "*openziti/zrok*",".{0,1000}openziti\/zrok.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","53982" "*opera* --headless * --dump-dom http*",".{0,1000}opera.{0,1000}\s\-\-headless\s.{0,1000}\s\-\-dump\-dom\shttp.{0,1000}","greyware_tool_keyword","chromium","Headless Chromium allows running Chromium in a headless/server environment - downloading a file - abused by attackers","T1553.002 - T1059.005 - T1071.001 - T1561","TA0002","N/A","N/A","Defense Evasion","https://redcanary.com/blog/intelligence-insights-june-2023/","1","0","N/A","N/A","4","5","N/A","N/A","N/A","N/A","53983" "*opera.exe* --load-extension=""*\Users\*\Appdata\Local\Temp\*",".{0,1000}opera\.exe.{0,1000}\s\-\-load\-extension\=\"".{0,1000}\\Users\\.{0,1000}\\Appdata\\Local\\Temp\\.{0,1000}","greyware_tool_keyword","chromium","The --load-extension switch allows the source to specify a target directory to load as an extension. 
This gives malware the opportunity to start a new browser window with their malicious extension loaded.","T1136.001 - T1176 - T1059.007","TA0003 - TA0004 - TA0005","N/A","N/A","Exploitation tool","https://www.mandiant.com/resources/blog/lnk-between-browsers","1","0","N/A","risk of false positives","7","10","N/A","N/A","N/A","N/A","53984" "*os.execute(*/bin/*nmap --script=$*",".{0,1000}os\.execute\(.{0,1000}\/bin\/.{0,1000}nmap\s\-\-script\=\$.{0,1000}","greyware_tool_keyword","nmap","Nmap Privilege Escalation","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Privilege Escalation","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","54012" "*oshi.at/onion*",".{0,1000}oshi\.at\/onion.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","54017" "*oshiatwowvdbshka.onion*",".{0,1000}oshiatwowvdbshka\.onion.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","54018" "*OshiUpload/app*",".{0,1000}OshiUpload\/app.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data 
Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","54019" "*OshiUpload-master.zip*",".{0,1000}OshiUpload\-master\.zip.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","54020" "*--output tmole.exe*",".{0,1000}\-\-output\stmole\.exe.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","54231" "*Overwrite by setting TUNNEL_WG_INTERFACE_NAME*",".{0,1000}Overwrite\sby\ssetting\sTUNNEL_WG_INTERFACE_NAME.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","54276" "*packages/hypertunnel/*",".{0,1000}packages\/hypertunnel\/.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","54345" "*packages/hypertunnel-server*",".{0,1000}packages\/hypertunnel\-server.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - 
TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","54346" "*packages/hypertunnel-tcp-relay*",".{0,1000}packages\/hypertunnel\-tcp\-relay.{0,1000}","greyware_tool_keyword","hypertunnel","Expose any local TCP/IP service on the internet","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/berstend/hypertunnel","1","1","N/A","N/A","10","10","248","47","2022-12-08T19:13:24Z","2018-06-11T05:29:58Z","54347" "*pacman -S croc*",".{0,1000}pacman\s\-S\scroc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","54354" "*pacman -S tailscale*",".{0,1000}pacman\s\-S\stailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","54357" "*pacman -S tmate*",".{0,1000}pacman\s\-S\stmate.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","54358" "*pacman -U *megacmd*",".{0,1000}pacman\s\-U\s.{0,1000}megacmd.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - 
T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","54359" "*padekgcemlokbadohgkifijomclgjgif*",".{0,1000}padekgcemlokbadohgkifijomclgjgif.{0,1000}","greyware_tool_keyword","Proxy SwitchyOmega","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","54371" "*paexec \\*",".{0,1000}paexec\s\\\\.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54375" "*PAExec error waiting for app to exit*",".{0,1000}PAExec\serror\swaiting\sfor\sapp\sto\sexit.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54376" "*PAExec service *",".{0,1000}PAExec\sservice\s.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - 
TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54377" "*PAExec starting process*",".{0,1000}PAExec\sstarting\sprocess.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54378" "*PAExec timed out waiting for app to exit*",".{0,1000}PAExec\stimed\sout\swaiting\sfor\sapp\sto\sexit.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54379" "*paexec.exe \\*",".{0,1000}paexec\.exe\s\\\\.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54380" "*PAExec.exe -u *",".{0,1000}PAExec\.exe\s\-u\s.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","0","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54381" 
"*PAExec-master.zip*",".{0,1000}PAExec\-master\.zip.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","1","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","54382" "*pagekite.httpd*",".{0,1000}pagekite\.httpd.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54383" "*pagekite.py /*",".{0,1000}pagekite\.py\s\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54384" "*pagekite.py 443 https://*",".{0,1000}pagekite\.py\s443\shttps\:\/\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54385" "*pagekite.py 80 http://*",".{0,1000}pagekite\.py\s80\shttp\:\/\/.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54386" "*pagekite.py --add 
*",".{0,1000}pagekite\.py\s\-\-add\s.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54387" "*pagekite.py localhost:*",".{0,1000}pagekite\.py\slocalhost\:.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","0","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54388" "*pagekite/PyPagekite*",".{0,1000}pagekite\/PyPagekite.{0,1000}","greyware_tool_keyword","PyPagekite","This is pagekite.py a fast and reliable tool to make localhost servers visible to the public Internet.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pagekite/PyPagekite","1","1","N/A","N/A","10","10","730","123","2025-04-16T15:26:26Z","2010-10-23T00:03:37Z","54389" "*pahaz/sshtunnel*",".{0,1000}pahaz\/sshtunnel.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","54390" "*par-k8s.syncthing.net*",".{0,1000}par\-k8s\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","54401" 
"*par-k8s-v4.syncthing.net*",".{0,1000}par\-k8s\-v4\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","54402" "*passwd*john*",".{0,1000}passwd.{0,1000}john.{0,1000}","greyware_tool_keyword","passwd","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","54447" "*paste.ee/d/*",".{0,1000}paste\.ee\/d\/.{0,1000}","greyware_tool_keyword","paste.ee","fetching data from paste.ee","T1041","TA0009","N/A","N/A","Collection","paste.ee","1","1","#PastebinLike","N/A","8","10","N/A","N/A","N/A","N/A","54489" "*paste.ee/paste*",".{0,1000}paste\.ee\/paste.{0,1000}","greyware_tool_keyword","paste.ee","posting data on paste.ee","T1041","TA0010","N/A","N/A","Data Exfiltration","paste.ee","1","1","#PastebinLike","N/A","10","10","N/A","N/A","N/A","N/A","54490" "*pastebin.com*/raw/* ",".{0,1000}pastebin\.com.{0,1000}\/raw\/.{0,1000}\s","greyware_tool_keyword","pastebin","pastebin raw access content - abused by malwares to retrieve payloads","T1119","TA0009","Redline Stealer","Black Basta","Collection","pastebin.com","1","1","#PastebinLike","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","54491" 
"*pastebin.com*/rw/*",".{0,1000}pastebin\.com.{0,1000}\/rw\/.{0,1000}","greyware_tool_keyword","pastebin","pastebin raw access content - abused by malwares to retrieve payloads","T1119","TA0009","Redline Stealer","Black Basta","Collection","pastebin.com","1","1","#PastebinLike","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","54492" "*pastebin.com*api/api_post.php*",".{0,1000}pastebin\.com.{0,1000}api\/api_post\.php.{0,1000}","greyware_tool_keyword","pastebin","pastebin POST url - abused by malwares to exfiltrate informations","T1102 - T1048 - T1094 - T1608.001","TA0011","N/A","Black Basta","Data Exfiltration","pastebin.com","1","1","#PastebinLike","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","54493" "*pastebin.pl/cdn-cgi/challenge-platform/*",".{0,1000}pastebin\.pl\/cdn\-cgi\/challenge\-platform\/.{0,1000}","greyware_tool_keyword","pastebin.pl","sending data to a pastebin","T1567.002","TA0010","N/A","N/A","Data Exfiltration","https://pastebin.pl/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","54494" "*pastebin.pl/view/raw/*",".{0,1000}pastebin\.pl\/view\/raw\/.{0,1000}","greyware_tool_keyword","pastebin.pl","accessing paste raw content","T1119","TA0009","N/A","N/A","Collection","https://pastebin.pl/","1","1","#PastebinLike","N/A","8","8","N/A","N/A","N/A","N/A","54495" "*pastefrom b46p9j82z81f*",".{0,1000}pastefrom\sb46p9j82z81f.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","54496" "*payment.cyberghostvpn.com*",".{0,1000}payment\.cyberghostvpn\.com.{0,1000}","greyware_tool_keyword","CyberGhost VPN","External VPN usage within corporate network","T1567 - T1090","TA0003 - TA0005 - TA0009 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://www.cyberghostvpn.com/","1","1","#VPN","N/A","9","8","N/A","N/A","N/A","N/A","54565" "*PC Hunter Standard*",".{0,1000}PC\sHunter\sStandard.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","54568" "*PCHunter32.exe*",".{0,1000}PCHunter32\.exe.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","54574" "*PCHunter64.exe*",".{0,1000}PCHunter64\.exe.{0,1000}","greyware_tool_keyword","PCHunter","PCHunter is a toolkit offering deep access to kernel setting - processes - network and startup configurations. 
It is designed to detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Conti - 8BASE - TargetCompany - Hive - Qilin","Defense Evasion","https://www.majorgeeks.com/files/details/pc_hunter.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","54575" "*pcicfgui_client.exe*\Client32.ini*",".{0,1000}pcicfgui_client\.exe.{0,1000}\\Client32\.ini.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54576" "*pcienlhnoficegnepejpfiklggkioccm*",".{0,1000}pcienlhnoficegnepejpfiklggkioccm.{0,1000}","greyware_tool_keyword","Cloud VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","54577" "*PCMonitorCfg.dll*",".{0,1000}PCMonitorCfg\.dll.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54578" "*PCMonitorClient.dll*",".{0,1000}PCMonitorClient\.dll.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA 
(Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54579" "*PCMonitorEng.dll*",".{0,1000}PCMonitorEng\.dll.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54580" "*PCMonitorManager.exe*",".{0,1000}PCMonitorManager\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54581" "*PCMonitorManager.exe*",".{0,1000}PCMonitorManager\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54582" "*PCMONITORMANAGER.EXE-*.pf*",".{0,1000}PCMONITORMANAGER\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software 
designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54583" "*PCMonitorSrv.exe*",".{0,1000}PCMonitorSrv\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54584" "*PCMonitorSrv.exe*",".{0,1000}PCMonitorSrv\.exe.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54585" "*PCMONITORSRV.EXE-*.pf*",".{0,1000}PCMONITORSRV\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54586" "*PCMonitorSrv.InstallState*",".{0,1000}PCMonitorSrv\.InstallState.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - 
T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54587" "*PCMonitorTypes.dll*",".{0,1000}PCMonitorTypes\.dll.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54588" "*pcmontask.exe *",".{0,1000}pcmontask\.exe\s.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54589" "*PCMONTASK.EXE-*.pf*",".{0,1000}PCMONTASK\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54590" "*pcmrdp-client.dll*",".{0,1000}pcmrdp\-client\.dll.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54591" "*pcunlocker_ent_trial.zip*",".{0,1000}pcunlocker_ent_trial\.zip.{0,1000}","greyware_tool_keyword","pcunlocker","Reset and unlock forgotten Windows login password","T1078","TA0005 - TA0006 - TA0009","N/A","N/A","Credential Access","https://www.pcunlocker.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54596" "*pdbedit -L -v*",".{0,1000}pdbedit\s\-L\s\-v.{0,1000}","greyware_tool_keyword","pdbedit","Sets the smbpasswd listing format. It will make pdbedit list the users in the database - printing out the account fields in a format compatible with the smbpasswd file format.","T1003.003 - T1087.001","TA0006 - TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","54600" "*pdbedit -L -w*",".{0,1000}pdbedit\s\-L\s\-w.{0,1000}","greyware_tool_keyword","pdbedit","Enables the verbose listing format. 
It causes pdbedit to list the users in the database - printing out the account fields in a descriptive format","T1003.003 - T1087.001","TA0006 - TA0007","N/A","N/A","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","54601" "*pgfpignfckbloagkfnamnolkeaecfgfh*",".{0,1000}pgfpignfckbloagkfnamnolkeaecfgfh.{0,1000}","greyware_tool_keyword","Free Proxy VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","54748" "*pgrok http *",".{0,1000}pgrok\shttp\s.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","54754" "*pgrok init --*",".{0,1000}pgrok\sinit\s\-\-.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","54755" "*pgrok tcp *",".{0,1000}pgrok\stcp\s.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","54756" 
"*pgrok/pgrok*",".{0,1000}pgrok\/pgrok.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","1","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","54757" "*pgrokd.exmaple.yml*",".{0,1000}pgrokd\.exmaple\.yml.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","54758" "*phillips321/adaudit*",".{0,1000}phillips321\/adaudit.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","1","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","54773" "*PhoenixMiner.exe*",".{0,1000}PhoenixMiner\.exe.{0,1000}","greyware_tool_keyword","phoenix miner","Phoenix Miner is a popular. efficient. fast. and cost-effective Ethereum miner with support for both AMD and Nvidia GPUs. It's intended to be used for legitimate cryptocurrency mining purposes.Attackers can secretly install Phoenix Miner on unsuspecting users' computers to mine cryptocurrency for themselves. This is often done by bundling the miner with other software or hiding it within malicious attachments or downloads. 
The computer then slows down due to the high CPU and GPU usage","T1059.001 - T1057 - T1027 - T1105 - T1064 - T1053.005 - T1089","TA0002 - TA0005 - TA0011 - TA0040 - TA0003","N/A","N/A","Phishing","N/A","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","54782" "*PhoenixMiner_*_Windows\*",".{0,1000}PhoenixMiner_.{0,1000}_Windows\\.{0,1000}","greyware_tool_keyword","phoenix miner","Phoenix Miner is a popular. efficient. fast. and cost-effective Ethereum miner with support for both AMD and Nvidia GPUs. It's intended to be used for legitimate cryptocurrency mining purposes. Attackers can secretly install Phoenix Miner on unsuspecting users' computers to mine cryptocurrency for themselves. This is often done by bundling the miner with other software or hiding it within malicious attachments or downloads. The computer then slows down due to the high CPU and GPU usage","T1059.001 - T1057 - T1027 - T1105 - T1064 - T1053.005 - T1089","TA0002 - TA0005 - TA0011 - TA0040 - TA0003","N/A","N/A","Phishing","N/A","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","54783" "*php -r *$sock=fsockopen(*exec(*/bin/sh -i <&3 >&3 2>&3*",".{0,1000}php\s\-r\s.{0,1000}\$sock\=fsockopen\(.{0,1000}exec\(.{0,1000}\/bin\/sh\s\-i\s\<\&3\s\>\&3\s2\>\&3.{0,1000}","greyware_tool_keyword","php","php reverse shell","T1071 - T1071.004 - T1021","TA0002 - TA0011","N/A","N/A","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","54798" "*php -r \""pcntl_exec('/bin/sh'*",".{0,1000}php\s\-r\s\\\""pcntl_exec\(\'\/bin\/sh\'.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","54800" 
"*ping -n 10 localhost > nul*",".{0,1000}ping\s\-n\s10\slocalhost\s\>\snul.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","54846" "*pingcastle*",".{0,1000}pingcastle.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.pingcastle.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54848" "*PingCastle.Contact@netwrix.com*",".{0,1000}PingCastle\.Contact\@netwrix\.com.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#email","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","54850" "*PingCastle.cs*",".{0,1000}PingCastle\.cs.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability 
Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","0","N/A","N/A","10","","N/A","","","","54851" "*PingCastle.exe*",".{0,1000}PingCastle\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","54852" "*PingCastle.Scanners*",".{0,1000}PingCastle\.Scanners.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","54853" "*pingcastlecloud.exe*",".{0,1000}pingcastlecloud\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","54854" "*PingCastleReporting.exe*",".{0,1000}PingCastleReporting\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability 
scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","1","N/A","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","54855" "*pip install pyshark*",".{0,1000}pip\sinstall\spyshark.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","0","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","54870" "*pip install rsocks*",".{0,1000}pip\sinstall\srsocks.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","54876" "*pip install sshtunnel*",".{0,1000}pip\sinstall\ssshtunnel.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","0","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","54877" "*pip install -U rsocks*",".{0,1000}pip\sinstall\s\-U\srsocks.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","54878" "*pip* install updog*",".{0,1000}pip.{0,1000}\sinstall\supdog.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. 
It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","0","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","54882" "*pkg install croc*",".{0,1000}pkg\sinstall\scroc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","54912" "*pkg_add tmate*",".{0,1000}pkg_add\stmate.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","54913" "*pkgctl-Tailscale.service*",".{0,1000}pkgctl\-Tailscale\.service.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","54914" "*pkgs.tailscale.com/*/*",".{0,1000}pkgs\.tailscale\.com\/.{0,1000}\/.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","54916" 
"*pkill FreeFileSync*",".{0,1000}pkill\sFreeFileSync.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","54917" "*pkill RealTimeSync*",".{0,1000}pkill\sRealTimeSync.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","54918" "*pkill -u boringproxy*",".{0,1000}pkill\s\-u\sboringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","54919" "*pktmon start*",".{0,1000}pktmon\sstart.{0,1000}","greyware_tool_keyword","pktmon","pktmon network diagnostics tool for Windows that can be used for packet capture - packet drop detection - packet filtering and counting.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","N/A","Sniffing & Spoofing","https://learn.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","54923" "*Please wait while we stop the Remote.It system service*",".{0,1000}Please\swait\swhile\swe\sstop\sthe\sRemote\.It\ssystem\sservice.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","54936" "*plink -N -L *:localhost:3389 *",".{0,1000}plink\s\-N\s\-L\s.{0,1000}\:localhost\:3389\s.{0,1000}","greyware_tool_keyword","plink","creates an SSH tunnel from the local machine to the remote machine allowing the user to connect to an RDP session on the remote machine through port 3389. This plink usage is often used by attackers","T1573 - T1021.004 - T1213.002","TA0010 - TA0011 - TA0008","N/A","BlackCat - PLAY - LockBit - Scattered Spider*","Persistence","N/A","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","54938" "*plpmggfglncceinmilojdkiijhmajkjh*",".{0,1000}plpmggfglncceinmilojdkiijhmajkjh.{0,1000}","greyware_tool_keyword","Red Panda VPN","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","54939" "*poeojclicodamonabcabmapamjkkmnnk*",".{0,1000}poeojclicodamonabcabmapamjkkmnnk.{0,1000}","greyware_tool_keyword","HMA VPN Proxy Unblocker","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","N/A","8","10","N/A","N/A","N/A","N/A","54982" "*PollServer poll.gotomypc.com*",".{0,1000}PollServer\spoll\.gotomypc\.com.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - 
T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","54999" "*pooljnboifbodgifngpppfklhifechoe*",".{0,1000}pooljnboifbodgifngpppfklhifechoe.{0,1000}","greyware_tool_keyword","GeoProxy","External VPN usage within corporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","55001" "*PortableApps.com/EraserPortable*",".{0,1000}PortableApps\.com\/EraserPortable.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55025" "*PortQry Command Line Port Scanner*",".{0,1000}PortQry\sCommand\sLine\sPort\sScanner.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55038" "*portqry -local*",".{0,1000}portqry\s\-local.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55039" "*portqry -n *",".{0,1000}portqry\s\-n\s.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat 
actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55040" "*portqry -wpid*",".{0,1000}portqry\s\-wpid.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55041" "*portqry -wport*",".{0,1000}portqry\s\-wport.{0,1000}","greyware_tool_keyword","PortQry","Microsoft port scanning tool abused by threat actors","T1046 - T1016 - T1049","TA0007","N/A","APT15","Discovery","https://www.microsoft.com/en-us/download/details.aspx?id=17148","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55042" "*Portr - Expose local ports to public URLs*",".{0,1000}Portr\s\-\sExpose\slocal\sports\sto\spublic\sURLs.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55043" "*portr auth set --token *",".{0,1000}portr\sauth\sset\s\-\-token\s.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55044" "*portr -c *.yaml*",".{0,1000}portr\s\-c\s.{0,1000}\.yaml.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55045" "*portr http *",".{0,1000}portr\shttp\s.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55046" "*portr tcp *",".{0,1000}portr\stcp\s.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55047" "*portr.exe http *",".{0,1000}portr\.exe\shttp\s.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55048" "*portr_admin.apis*",".{0,1000}portr_admin\.apis.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55049" "*portr_admin.db*",".{0,1000}portr_admin\.db.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","1","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55050" "*portr_admin.models.auth*",".{0,1000}portr_admin\.models\.auth.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55051" "*portr_admin.services*",".{0,1000}portr_admin\.services.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55052" "*PORTR_ADMIN_GITHUB_CLIENT_ID*",".{0,1000}PORTR_ADMIN_GITHUB_CLIENT_ID.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55053" "*PORTR_ADMIN_GITHUB_CLIENT_SECRET*",".{0,1000}PORTR_ADMIN_GITHUB_CLIENT_SECRET.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55054" "*portr_next_url*",".{0,1000}portr_next_url.{0,1000}","greyware_tool_keyword","Portr","Portr is a tunnel solution that allows you to expose local http, tcp or websocket connections to the 
public internet","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/amalshaji/portr","1","0","N/A","N/A","10","10","2409","72","2025-04-17T16:06:58Z","2023-11-21T11:14:01Z","55055" "*poweradmin.com/PAExec*",".{0,1000}poweradmin\.com\/PAExec.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","1","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","55132" "*poweradminllc/PAExec*",".{0,1000}poweradminllc\/PAExec.{0,1000}","greyware_tool_keyword","PAExec","PAExec is a freely-redistributable re-implementation of SysInternal/Microsoft's popular PsExec program","T1047 - T1105 - T1204","TA0003 - TA0008 - TA0040","N/A","N/A","Lateral Movement","https://github.com/poweradminllc/PAExec","1","1","N/A","N/A","10","6","560","177","2025-02-21T15:14:44Z","2013-11-13T04:05:27Z","55133" "*powershell ?encodedcommand $env:PSExecutionPolicyPreference=""bypass""*",".{0,1000}powershell\s?encodedcommand\s\$env\:PSExecutionPolicyPreference\=\""bypass\"".{0,1000}","greyware_tool_keyword","powershell","Execution Policy Bypass evasion","T1059.001 - T1202 - T1480","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","55182" "*powershell -c ""Clear-History""*",".{0,1000}powershell\s\-c\s\""Clear\-History\"".{0,1000}","greyware_tool_keyword","powershell","clearing powershell history","T1070.002","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","used by shellpwn - https://www.virustotal.com/gui/file/7e40488e6ce8545eccdcfd13124e609ff74c50a9ce89bc88b9b2b50862efda9c/behavior","8","8","N/A","N/A","N/A","N/A","55183" "*powershell -c *\windows\system32\inetsrv\appcmd.exe list apppool 
/@t:*",".{0,1000}powershell\s\-c\s.{0,1000}\\windows\\system32\\inetsrv\\appcmd\.exe\slist\sapppool\s\/\@t\:.{0,1000}","greyware_tool_keyword","powershell","NetExec (a.k.a nxc) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.","T1069 - T1021 - T1136 - T1018","TA0007 - TA0003 - TA0002 - TA0001","N/A","N/A","Credential Access","https://github.com/Pennyw0rth/NetExec","1","0","N/A","Checking For Hidden Credentials With Appcmd.exe","10","10","4066","459","2025-04-20T00:08:29Z","2023-09-08T15:36:00Z","55184" "*powershell -c clear*",".{0,1000}powershell\s\-c\sclear.{0,1000}","greyware_tool_keyword","powershell","clearing powershell history","T1070.002","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","used by shellpwn - https://www.virustotal.com/gui/file/7e40488e6ce8545eccdcfd13124e609ff74c50a9ce89bc88b9b2b50862efda9c/behavior","8","8","N/A","N/A","N/A","N/A","55186" "*powershell New-ItemProperty -Path *HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender* -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force*",".{0,1000}powershell\sNew\-ItemProperty\s\-Path\s.{0,1000}HKLM\:\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender.{0,1000}\s\-Name\sDisableAntiSpyware\s\-Value\s1\s\-PropertyType\sDWORD\s\-Force.{0,1000}","greyware_tool_keyword","powershell","Defense evasion technique In order to avoid detection at any point of the kill chain. attackers use several ways to disable anti-virus. 
disable Microsoft firewall and clear logs.","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55203" "*powershell Uninstall-WindowsFeature -Name Windows-Defender*",".{0,1000}powershell\sUninstall\-WindowsFeature\s\-Name\sWindows\-Defender.{0,1000}","greyware_tool_keyword","powershell","uninstalls Windows Defender","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","N/A","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","55206" "*PowerShell -Version 2 -Command *",".{0,1000}PowerShell\s\-Version\s2\s\-Command\s.{0,1000}","greyware_tool_keyword","powershell","PowerShell Downgrade Attacks - forces PowerShell to run in version 2.0","T1059.001 - T1562.001 - T1218.010","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55207" "*powershell -Version 2*",".{0,1000}powershell\s\-Version\s2.{0,1000}","greyware_tool_keyword","powershell","downgrading to powershell version 2","T1059.001 - T1546.015 - T1086","TA0002 - TA0003 - TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55208" "*powershell*[adsisearcher]*(objectcategory=group)*findAll()*",".{0,1000}powershell.{0,1000}\[adsisearcher\].{0,1000}\(objectcategory\=group\).{0,1000}findAll\(\).{0,1000}","greyware_tool_keyword","ldap queries","Red Teams and adversaries may leverage [Adsisearcher] to enumerate domain groups for situational awareness and Active Directory Discovery","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - 
TA0009","N/A","N/A","Discovery","https://research.splunk.com/endpoint/089c862f-5f83-49b5-b1c8-7e4ff66560c7/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","55210" "*powershell*Uninstall-WindowsFeature -Name Windows-Defender-GUI*",".{0,1000}powershell.{0,1000}Uninstall\-WindowsFeature\s\-Name\sWindows\-Defender\-GUI.{0,1000}","greyware_tool_keyword","powershell","Windows Defender tampering technique ","T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","55212" "*Powershell.exe -windowstyle hidden -nop -ExecutionPolicy Bypass -Commmand *C:\Users\*\AppData\Roaming\*",".{0,1000}Powershell\.exe\s\s\-windowstyle\shidden\s\-nop\s\-ExecutionPolicy\sBypass\s\s\-Commmand\s.{0,1000}C\:\\Users\\.{0,1000}\\AppData\\Roaming\\.{0,1000}","greyware_tool_keyword","powershell","Adversaries may attempt to execute powershell script from known accessible location","T1059.001 - T1036 - T1216","TA0002 - TA0006","N/A","N/A","Exploitation tool","N/A","1","0","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","55213" "*powershell.exe curl http://[0-9]{1,3}*",".{0,1000}powershell.+curl\s+http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(\/|\:).{0,1000}","greyware_tool_keyword","powershell","downloading from IP without domain name","T1105","TA0009","N/A","N/A","Collection","https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html","1","0","N/A","only the regex part matters","6","10","N/A","N/A","N/A","N/A","55216" "*powershell.exe -exec bypass -noni -nop -w 1 -C*",".{0,1000}powershell\.exe\s\-exec\sbypass\s\-noni\s\-nop\s\-w\s1\s\-C.{0,1000}","greyware_tool_keyword","powershell","command pattern used by crackmapexec by default A swiss army knife for pentesting networks","T1087.002 - T1110 - T1110.001 - T1110.003 - T1059.001 - T1083 - T1112 - 
T1135 - T1003.002 - T1003.003 - T1003.004 - T1201 - T1069.002 - T1018 - T1053.002 - T1082 - T1016 - T1049 - T1550.002","TA0002 - TA0006 - TA0007","N/A","N/A","Defense Evasion","https://github.com/Porchetta-Industries/CrackMapExec","1","0","N/A","High risk of false positive","N/A","10","8690","1667","2023-12-06T17:09:42Z","2015-08-14T14:11:55Z","55218" "*powershell.exe -exec bypass -noni -nop -w 1 -C*invoke_obfuscation*",".{0,1000}powershell\.exe\s\-exec\sbypass\s\-noni\s\-nop\s\-w\s1\s\-C.{0,1000}invoke_obfuscation.{0,1000}","greyware_tool_keyword","powershell","CrackMapExec behavior","T1021 - T1048 - T1077 - T1087 - T1090 - T1135 - T1210","TA0001 - TA0002 - TA0007 - TA0008","N/A","N/A","Lateral Movement","https://github.com/Porchetta-Industries/CrackMapExec","1","0","N/A","N/A","N/A","10","8690","1667","2023-12-06T17:09:42Z","2015-08-14T14:11:55Z","55219" "*powershell.exe -ExecutionPolicy Bypass -File cleanup_windows.ps1 -uninstallOrbit*",".{0,1000}powershell\.exe\s\-ExecutionPolicy\sBypass\s\-File\scleanup_windows\.ps1\s\-uninstallOrbit.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","55220" "*powershell.exe Invoke-WebRequest http://[0-9]{1,3}*",".{0,1000}powershell\.exe\s+Invoke\-WebRequest\s+http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(\/|\:).{0,1000}","greyware_tool_keyword","powershell","downloading from IP without domain name","T1105","TA0009","N/A","N/A","Collection","https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html","1","0","N/A","only the regex part matters","6","10","N/A","N/A","N/A","N/A","55221" "*powershell.exe iwr 
http://[0-9]{1,3}*",".{0,1000}powershell\.exe\s+iwr\s+http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(\/|\:).{0,1000}","greyware_tool_keyword","powershell","downloading from IP without domain name","T1105","TA0009","N/A","N/A","Collection","https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html","1","0","N/A","only the regex part matters","6","10","N/A","N/A","N/A","N/A","55222" "*powershell.exe -noni -nop -w 1 -enc *",".{0,1000}powershell\.exe\s\-noni\s\-nop\s\-w\s1\s\-enc\s.{0,1000}","greyware_tool_keyword","powershell","command pattern used by crackmapexec by default A swiss army knife for pentesting networks","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Exploitation tool","https://github.com/byt3bl33d3r/CrackMapExec","1","0","N/A","High risk of false positive","N/A","10","8690","1667","2023-12-06T17:09:42Z","2015-08-14T14:11:55Z","55223" "*powershell.exe -nop -c Add-MpPreference -ExclusionPath ""C:\""*",".{0,1000}powershell\.exe\s\-nop\s\-c\sAdd\-MpPreference\s\-ExclusionPath\s\""C\:\\\"".{0,1000}","greyware_tool_keyword","reg","add entire disks exclusions to Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55230" "*powershell.exe -nop -c Add-MpPreference -ExclusionPath ""D:\""*",".{0,1000}powershell\.exe\s\-nop\s\-c\sAdd\-MpPreference\s\-ExclusionPath\s\""D\:\\\"".{0,1000}","greyware_tool_keyword","reg","add entire disks exclusions to Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55231" "*powershell.exe 
-nop -c Add-MpPreference -ExclusionPath ""E:\""*",".{0,1000}powershell\.exe\s\-nop\s\-c\sAdd\-MpPreference\s\-ExclusionPath\s\""E\:\\\"".{0,1000}","greyware_tool_keyword","reg","add entire disks exclusions to Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55232" "*powershell.exe -nop -c Add-MpPreference -ExclusionPath ""F:\""*",".{0,1000}powershell\.exe\s\-nop\s\-c\sAdd\-MpPreference\s\-ExclusionPath\s\""F\:\\\"".{0,1000}","greyware_tool_keyword","reg","add entire disks exclusions to Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55233" "*powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc *",".{0,1000}powershell\.exe\s\-NoP\s\-NoL\s\-sta\s\-NonI\s\-W\sHidden\s\-Exec\sBypass\s\-Enc\s.{0,1000}","greyware_tool_keyword","powershell","CrackMapExec behavior","T1021 - T1048 - T1077 - T1087 - T1090 - T1135 - T1210","TA0001 - TA0002 - TA0007 - TA0008","N/A","N/A","Lateral Movement","https://github.com/Porchetta-Industries/CrackMapExec","1","0","N/A","N/A","N/A","10","8690","1667","2023-12-06T17:09:42Z","2015-08-14T14:11:55Z","55235" "*powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://[0-9]{1,3}*",".{0,1000}powershell.+\s-nop\s-w\shidden\s-c\s\""IEX\s\(\(new\-object net\.webclient\)\.downloadstring\(\'http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(\/|\:).{0,1000}","greyware_tool_keyword","powershell","downloading from IP without domain 
name","T1105","TA0009","N/A","N/A","Collection","https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html","1","0","N/A","only the regex part matters","6","10","N/A","N/A","N/A","N/A","55237" "*PowerShell.exe -Version 2 -Command *",".{0,1000}PowerShell\.exe\s\-Version\s2\s\-Command\s.{0,1000}","greyware_tool_keyword","powershell","PowerShell Downgrade Attacks - forces PowerShell to run in version 2.0","T1059.001 - T1562.001 - T1218.010","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55239" "*powershell.exe -Version 2*",".{0,1000}powershell\.exe\s\-Version\s2.{0,1000}","greyware_tool_keyword","powershell","downgrading to powershell version 2","T1059.001 - T1546.015 - T1086","TA0002 - TA0003 - TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55240" "*powershell.exe wget http://[0-9]{1,3}*",".{0,1000}powershell\.exe\s+wget\s+http:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(\/|\:).{0,1000}","greyware_tool_keyword","powershell","downloading from IP without domain name","T1105","TA0009","N/A","N/A","Collection","https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html","1","0","N/A","only the regex part matters","6","10","N/A","N/A","N/A","N/A","55241" "*powershell.exe"" -Version 2*",".{0,1000}powershell\.exe\""\s\-Version\s2.{0,1000}","greyware_tool_keyword","powershell","downgrading to powershell version 2","T1059.001 - T1546.015 - T1086","TA0002 - TA0003 - TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55243" "*ppajinakbfocjfnijggfndbdmjggcmde*",".{0,1000}ppajinakbfocjfnijggfndbdmjggcmde.{0,1000}","greyware_tool_keyword","My Browser Vpn","External VPN usage within coporate network","T1090.003 - T1133 - T1572","TA0003 - TA0001 - TA0011 - TA0010 - 
TA0005","N/A","N/A","Data Exfiltration","https://raw.githubusercontent.com/SigmaHQ/sigma/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/registry/registry_set/registry_set_chrome_extension.yml","1","0","#registry #VPN","detection in registry","8","10","N/A","N/A","N/A","N/A","55319" "*privoxy_UID.conf*",".{0,1000}privoxy_UID\.conf.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","55464" "*procdump*lsass*",".{0,1000}procdump.{0,1000}lsass.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55468" "*procdump*lsass*",".{0,1000}procdump.{0,1000}lsass.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55469" "*procdump.exe* -ma*",".{0,1000}procdump\.exe.{0,1000}\s\-ma.{0,1000}","greyware_tool_keyword","Procdump","full dump with procdump (often used to dump lsass)","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - 
APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55471" "*procdump64*lsass*",".{0,1000}procdump64.{0,1000}lsass.{0,1000}","greyware_tool_keyword","Procdump","dump lsass process with procdump","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55477" "*procdump64.exe*",".{0,1000}procdump64\.exe.{0,1000}","greyware_tool_keyword","Procdump","usage of procdump (often used to dump lsass)","T1003.001","TA0006","N/A","LockBit - Kimsuky - Conti - Quantum - PYSA - NetWalker - 8BASE - APT1 - APT15 - APT20 - APT27 - APT28 - Antlion - FIN13 - GOBLIN PANDA - Lazarus Group - PowerPool - PARINACOTA - Scattered Spider - BERSERK BEAR - Dispossessor","Credential Access","https://learn.microsoft.com/en-us/sysinternals/downloads/procdump","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55479" "*proceed: *.fleetdeck.io*",".{0,1000}proceed\:\s.{0,1000}\.fleetdeck\.io.{0,1000}","greyware_tool_keyword","fleetdm","Manage everything in one place","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://github.com/fleetdm/fleet","1","0","N/A","N/A","10","10","4896","558","2025-04-22T21:05:02Z","2020-11-03T22:17:18Z","55481" "*process call create ""powershell enable-psremoting -force""*",".{0,1000}process\scall\screate\s\""powershell\senable\-psremoting\s\-force\"".{0,1000}","greyware_tool_keyword","wmic","Enable WinRM remotely with wmic","T1021.006 - T1059.001 - 
T1047","TA0002 - TA0008 - TA0011","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55482" "*processhacker-*-sdk.zip*",".{0,1000}processhacker\-.{0,1000}\-sdk\.zip.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55518" "*processhacker-*-setup.exe*",".{0,1000}processhacker\-.{0,1000}\-setup\.exe.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55519" "*processhacker-*-src.zip*",".{0,1000}processhacker\-.{0,1000}\-src\.zip.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? 
can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55520" "*ProcessHacker.exe*",".{0,1000}ProcessHacker\.exe.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55521" "*ProcessHacker.sln*",".{0,1000}ProcessHacker\.sln.{0,1000}","greyware_tool_keyword","processhacker","Interactions with a objects present in windows such as threads stack - handles - gpu - services ? 
can be used by attackers to dump process - create services and process injection","T1055.001 - T1055.012 - T1003.001 - T1056.005","TA0005 - TA0003 - TA0040 - TA0006 - TA0009","N/A","N/A","Persistence","https://processhacker.sourceforge.io/","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55522" "*prod.surfshark.com*",".{0,1000}prod\.surfshark\.com.{0,1000}","greyware_tool_keyword","surfshark VPN","usage of surfsharkVPN client","T1090 - T1573","TA0005 - TA010","N/A","N/A","Defense Evasion","","1","1","N/A","N/A","7","8","N/A","N/A","N/A","N/A","55547" "*product: damewareagent --*",".{0,1000}product\:\sdamewareagent\s\-\-.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55548" "*'Product'>MEGAsync*",".{0,1000}\'Product\'\>MEGAsync\<\/Data\>.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55553" "*ProductName*>AtNow<*",".{0,1000}ProductName.{0,1000}\>AtNow\<.{0,1000}","greyware_tool_keyword","atnow","AtNow is a command-line utility that schedules programs and commands to run in the near future - abused by TA","T1053 - T1059","TA0002 ","N/A","APT18 - APT29 - APT32 - Cobalt - RTM","Persistence","https://www.nirsoft.net/utils/atnow.html","1","0","#productname","N/A","7","7","N/A","N/A","N/A","N/A","55558" "*ProductName:Zoho%%20Assist* apptype:ATTENDEE*",".{0,1000}ProductName\:Zoho\%\%20Assist.{0,1000}\sapptype\:ATTENDEE.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho 
Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55559" "*produkey.zip*",".{0,1000}produkey\.zip.{0,1000}","greyware_tool_keyword","produkey","ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office (Microsoft Office 2003. Microsoft Office 2007). Windows (Including Windows 8/7/Vista). Exchange Server. and SQL Server installed on your computer. You can view this information for your current running operating system. or for another operating system/computer - by using command-line options. This utility can be useful if you lost the product key of your Windows/Office. and you want to reinstall it on your computer.","T1003.001 - T1003.002 - T1012 - T1057 - T1518","TA0006 - TA0007 - TA0009","N/A","Evilnum","Credential Access","https://www.nirsoft.net/utils/product_cd_key_viewer.html","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","55560" "*produkey_setup.exe*",".{0,1000}produkey_setup\.exe.{0,1000}","greyware_tool_keyword","produkey","ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office (Microsoft Office 2003. Microsoft Office 2007). Windows (Including Windows 8/7/Vista). Exchange Server. and SQL Server installed on your computer. You can view this information for your current running operating system. or for another operating system/computer - by using command-line options. This utility can be useful if you lost the product key of your Windows/Office. 
and you want to reinstall it on your computer.","T1003.001 - T1003.002 - T1012 - T1057 - T1518","TA0006 - TA0007 - TA0009","N/A","Evilnum","Credential Access","https://www.nirsoft.net/utils/product_cd_key_viewer.html","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","55561" "*produkey-x64.zip*",".{0,1000}produkey\-x64\.zip.{0,1000}","greyware_tool_keyword","produkey","ProduKey is a small utility that displays the ProductID and the CD-Key of Microsoft Office (Microsoft Office 2003. Microsoft Office 2007). Windows (Including Windows 8/7/Vista). Exchange Server. and SQL Server installed on your computer. You can view this information for your current running operating system. or for another operating system/computer - by using command-line options. This utility can be useful if you lost the product key of your Windows/Office. and you want to reinstall it on your computer.","T1003.001 - T1003.002 - T1012 - T1057 - T1518","TA0006 - TA0007 - TA0009","N/A","Evilnum","Credential Access","https://www.nirsoft.net/utils/product_cd_key_viewer.html","1","1","N/A","N/A","6","10","N/A","N/A","N/A","N/A","55562" "*Program Files (x86)\Advanced Port Scanner\*",".{0,1000}Program\sFiles\s\(x86\)\\Advanced\sPort\sScanner\\.{0,1000}","greyware_tool_keyword","advanced port scanner","port scanner tool abused by ransomware actors","T1135 - T1021 - T1016 - T1046","TA0007 - TA0043","N/A","Dispossessor - LockBit - BianLian - PYSA - Trigona - EvilCorp* - Fog - Scattered Spider* - INDRIK SPIDER - Medusa Locker","Discovery","https://www.advanced-port-scanner.com/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","55568" "*Program Files (x86)\Anyplace Control*",".{0,1000}Program\sFiles\s\(x86\)\\Anyplace\sControl.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55569" "*Program Files 
(x86)\AnyViewer*",".{0,1000}Program\sFiles\s\(x86\)\\AnyViewer.{0,1000}","greyware_tool_keyword","anyviewer","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyviewer.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55570" "*Program Files (x86)\Common Files\Two Pilots*",".{0,1000}Program\sFiles\s\(x86\)\\Common\sFiles\\Two\sPilots.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55571" "*Program Files (x86)\Proxifier*",".{0,1000}Program\sFiles\s\(x86\)\\Proxifier.{0,1000}","greyware_tool_keyword","Proxifier","allows to proxy connections for programs","T1090 - T1071 - T1078.003","TA0005","N/A","Scattered Spider* - Proxifier","Defense Evasion","https://www.proxifier.com/download/","1","0","N/A","N/A","8","9","N/A","N/A","N/A","N/A","55572" "*Program Files (x86)\Radmin Viewer 3\*",".{0,1000}Program\sFiles\s\(x86\)\\Radmin\sViewer\s3\\.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55573" "*program files (x86)\remotepc\*",".{0,1000}program\sfiles\s\(x86\)\\remotepc\\.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55574" "*Program Files (x86)\ScreenConnect 
Client*",".{0,1000}Program\sFiles\s\(x86\)\\ScreenConnect\sClient.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55575" "*Program Files (x86)\Splashtop*",".{0,1000}Program\sFiles\s\(x86\)\\Splashtop.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55576" "*program files (x86)\tightvnc\*",".{0,1000}program\sfiles\s\(x86\)\\tightvnc\\.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55577" "*Program Files (x86)\uvnc bvba\*",".{0,1000}Program\sFiles\s\(x86\)\\uvnc\sbvba\\.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55578" "*program files 
(x86)\zohomeeting*",".{0,1000}program\sfiles\s\(x86\)\\zohomeeting.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55579" "*program files*\netsupport\*",".{0,1000}program\sfiles.{0,1000}\\netsupport\\.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55580" "*Program Files\DWAgent*",".{0,1000}Program\sFiles\\DWAgent.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotely control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","0","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","55581" "*Program Files\File Shredder\*",".{0,1000}Program\sFiles\\File\sShredder\\.{0,1000}","greyware_tool_keyword","Shredder","File Shredder is FREE and powerful application to shred and permanently remove unwanted files from your computer beyond recovery","T1070 - T1485 - T1565.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.fileshredder.org/","1","0","N/A","N/A","7","8","N/A","N/A","N/A","N/A","55582" "*Program Files\Level\level.log*",".{0,1000}Program\sFiles\\Level\\level\.log.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://level.io/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55583" "*Program Files\remoteit-bin*",".{0,1000}Program\sFiles\\remoteit\-bin.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","55584" "*Program Files\Siber Systems\GoodSync*",".{0,1000}Program\sFiles\\Siber\sSystems\\GoodSync.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","55585" "*Program Files\SimpleHelp*",".{0,1000}Program\sFiles\\SimpleHelp.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55586" "*Program Files\VSA X\*",".{0,1000}Program\sFiles\\VSA\sX\\.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55587" "*programdata\* --start-with-win --remove-first --silent --start-service*",".{0,1000}programdata\\.{0,1000}\s\-\-start\-with\-win\s\-\-remove\-first\s\-\-silent\s\-\-start\-service.{0,1000}","greyware_tool_keyword","anydesk","command line used with anydesk in the notes of the Dispossessor ransomware group","T1486 - T1490 - 
T1059 - T1213 - T1078","TA0040 - TA0043 - TA0001 - TA0009","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55591" "*ProgramData\JWrapper-Remote Access\*.exe*",".{0,1000}ProgramData\\JWrapper\-Remote\sAccess\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55592" "*ProgramData\JWrapper-Remote Access\*.exe*",".{0,1000}ProgramData\\JWrapper\-Remote\sAccess\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","vncviewer","SimpleHelp or VNCViewer is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","simple-help.com","1","0","N/A","could be used by VNCViewer or SimpleHelp","10","10","N/A","N/A","N/A","N/A","55593" "*ProgramData\Kaseya\*",".{0,1000}ProgramData\\Kaseya\\.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55594" "*ProgramData\RemotePC Performance*",".{0,1000}ProgramData\\RemotePC\sPerformance.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55595" 
"*ProgramData\RemotePC*",".{0,1000}ProgramData\\RemotePC.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55596" "*ProgramData\speedtest.exe*",".{0,1000}ProgramData\\speedtest\.exe.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55597" "*ProgramData\SpeedtestCLI*",".{0,1000}ProgramData\\SpeedtestCLI.{0,1000}","greyware_tool_keyword","speedtest","legitimate tool from speedtest.net abused by threat actors to assess the network speed and determine the feasibility and duration of their exfiltration efforts","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","","Dispossessor - Dagon Locker","Data Exfiltration","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","6","7","N/A","N/A","N/A","N/A","55598" "*ProgramData\TightVNC*",".{0,1000}ProgramData\\TightVNC.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55599" "*ProgramFiles(x86)\xeox\*",".{0,1000}ProgramFiles\(x86\)\\xeox\\.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - 
T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55600" "*ProgramFiles\xeox\*",".{0,1000}ProgramFiles\\xeox\\.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55601" "*projectdiscovery/interactsh*",".{0,1000}projectdiscovery\/interactsh.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. It is a tool designed to detect vulnerabilities that cause external interactions but abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","55603" "*PROMPT_COMMAND=*history -a* tail *.bash_history > /dev/tcp/127.0.0.1/*",".{0,1000}PROMPT_COMMAND\=.{0,1000}history\s\-a.{0,1000}\stail\s.{0,1000}\.bash_history\s\>\s\/dev\/tcp\/127\.0\.0\.1\/.{0,1000}","greyware_tool_keyword","bash","Bash Keylogger","T1059 - T1003","TA0006 - TA0010","N/A","N/A","Exploitation tool","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","55605" "*protocol-v2.argotunnel.com*",".{0,1000}protocol\-v2\.argotunnel\.com.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - 
TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","55612" "*provider name=""n-able take control - [dameware]"" />*",".{0,1000}provider\sname\=\""n\-able\stake\scontrol\s\-\s\[dameware\]\""\s\/\>.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55615" "*PSBits*NetShRun*",".{0,1000}PSBits.{0,1000}NetShRun.{0,1000}","greyware_tool_keyword","NetshRun","Netsh.exe relies on extensions taken from Registry which means it may be used as a persistence and you go one step further extending netsh with a DLL allowing you to do whatever you want","T1546.008 - T1112 - T1037 - T1055 - T1218.001","TA0003 - TA0002 - TA0008","N/A","N/A","Exploitation tool","https://github.com/gtworek/PSBits/blob/master/NetShRun","1","1","N/A","N/A","N/A","10","3337","542","2025-03-12T19:59:23Z","2019-06-29T13:22:36Z","55677" "*psc4re/NSE-scripts*",".{0,1000}psc4re\/NSE\-scripts.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","55679" "*pscp *@*.kirbi*",".{0,1000}pscp\s.{0,1000}\@.{0,1000}\.kirbi.{0,1000}","greyware_tool_keyword","putty","credential cache retrieving with pscp putty","T1550 - T1140 - T1071","TA0006 - TA0010 - TA0005","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","55684" 
"*PSEXEC-*.key*",".{0,1000}PSEXEC\-.{0,1000}\.key.{0,1000}","greyware_tool_keyword","psexec",".key file created and deleted on the target system","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55689" "*PsExec.exe /accepteula*",".{0,1000}PsExec\.exe\s\/accepteula.{0,1000}","greyware_tool_keyword","psexec","PsExec is a legitimate Microsoft tool for remote administration. However. attackers can misuse it to execute malicious commands or software on other network machines. install persistent threats. and evade some security systems. 
","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55690" "*PsExec[1].exe*",".{0,1000}PsExec\[1\]\.exe.{0,1000}","greyware_tool_keyword","psexec","Adversaries may place the PsExec executable in the temp directory and execute it from there as part of their offensive activities. By doing so. they can leverage PsExec to execute commands or launch processes on remote systems. enabling Lateral Movement. privilege escalation. 
or the execution of malicious payloads.","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55692" "*PsExec64.exe*",".{0,1000}PsExec64\.exe.{0,1000}","greyware_tool_keyword","psexec","Adversaries may place the PsExec executable in the temp directory and execute it from there as part of their offensive activities. By doing so. they can leverage PsExec to execute commands or launch processes on remote systems. enabling Lateral Movement. privilege escalation. 
or the execution of malicious payloads.","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55695" "*PSEXECSVC*",".{0,1000}PSEXECSVC.{0,1000}","greyware_tool_keyword","psexec","PsExec is a legitimate Microsoft tool for remote administration. However. attackers can misuse it to execute malicious commands or software on other network machines. install persistent threats. and evade some security systems. 
","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","#servicename","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","55700" "*PSEXECSVC.EXE-*.pf*",".{0,1000}PSEXECSVC\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","psexec","prefetch - .key file created and deleted on the target system","T1136.002 - T1543.003 - T1570 - T1021.002 - T1569.002","TA0002 - TA0004 - TA0008 - TA0011","N/A","Turla - Chimera - APT1 - Thrip - Moses Staff - BlackTech - Cleaver - DarkVishnya - Sandworm Team - HAFNIUM - Akira - APT39 - FIN5 - FIN6 - Indrik Spider - TEMP.Veles - Kimsuky - GALLIUM - APT29 - Carbanak - Leafminer - FIN8 - Fox Kitten - Dragonfly - Magic Hound - OilRig - Cobalt Group - Naikon - Threat Group-1314 - menuPass - Wizard Spider - ALLANITE - APT20 - APT27 - Antlion - BOSS SPIDER - Common Raven - ENERGETIC BEAR - FIN7 - GOBLIN PANDA - PowerPool - INDRIK SPIDER - WIZARD SPIDER - TINY SPIDER - TA2101 - TRAVELING SPIDER - Common Raven - Antlion - Scattered Spider - COZY BEAR - EMBER BEAR - BERSERK BEAR - Gamaredon - Dispossessor","Lateral Movement","https://learn.microsoft.com/fr-fr/sysinternals/downloads/psexec","1","0","N/A","greyware tool - risks of False positive 
!","10","10","N/A","N/A","N/A","N/A","55701" "*PsLoggedon.exe*",".{0,1000}PsLoggedon\.exe.{0,1000}","greyware_tool_keyword","psloggedon","PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer. or a remote one","T1003 - T1049 - T1057 - T1082 - T1087 - T1518","TA0001 - TA0002 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon","1","1","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","55709" "*PsLoggedon64.exe*",".{0,1000}PsLoggedon64\.exe.{0,1000}","greyware_tool_keyword","psloggedon","PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer. or a remote one","T1003 - T1049 - T1057 - T1082 - T1087 - T1518","TA0001 - TA0002 - TA0007 - TA0011","N/A","N/A","Reconnaissance","https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon","1","1","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","55710" "*PUA.Win32.uVirusSniffer.A*",".{0,1000}PUA\.Win32\.uVirusSniffer\.A.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","#Avsignature","N/A","8","10","N/A","N/A","N/A","N/A","55787" "*PUA:Win32/Packunwan*",".{0,1000}PUA\:Win32\/Packunwan.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense 
Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","#Avsignature","N/A","8","10","N/A","N/A","N/A","N/A","55792" "*pufferffish/wireproxy*",".{0,1000}pufferffish\/wireproxy.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","1","N/A","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","55803" "*Pulseway -- Installation completed successfully*",".{0,1000}Pulseway\s\-\-\sInstallation\scompleted\ssuccessfully.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55804" "*Pulseway -- Removal completed successfully*",".{0,1000}Pulseway\s\-\-\sRemoval\scompleted\ssuccessfully.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55805" "*Pulseway Remote Control -- Installation completed successfully*",".{0,1000}Pulseway\sRemote\sControl\s\-\-\sInstallation\scompleted\ssuccessfully.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black 
Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55806" "*Pulseway Remote Control.lnk*",".{0,1000}Pulseway\sRemote\sControl\.lnk.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55807" "*pulseway_x64.pkg.tar.xz*",".{0,1000}pulseway_x64\.pkg\.tar\.xz.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55808" "*pwd86u1qwZ9PWevKqm1A3yAw==*",".{0,1000}pwd86u1qwZ9PWevKqm1A3yAw\=\=.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","55860" "*PwDaBjJzgufjES89Rs4Lpq63O300R/kOz30WCLo6BxxX6QVEilwSlpClnG5cZaikTA==*",".{0,1000}PwDaBjJzgufjES89Rs4Lpq63O300R\/kOz30WCLo6BxxX6QVEilwSlpClnG5cZaikTA\=\=.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","#base64","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","55861" 
"*pWDkVEtllTAK5h6cnhxNxDA==*",".{0,1000}pWDkVEtllTAK5h6cnhxNxDA\=\=.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","55862" "*pwnedornot.py -d *",".{0,1000}pwnedornot\.py\s\-d\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","55905" "*pwyrc-clip.exe*",".{0,1000}pwyrc\-clip\.exe.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","55917" "*py2exe *",".{0,1000}py2exe\s.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","0","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55921" "*py2exe*.exe *",".{0,1000}py2exe.{0,1000}\.exe\s.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by 
attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","0","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55922" "*py2exe*.msi *",".{0,1000}py2exe.{0,1000}\.msi\s.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","0","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55923" "*py2exe*.py*",".{0,1000}py2exe.{0,1000}\.py.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","0","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55924" "*py2exe-*.tar.gz*",".{0,1000}py2exe\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55925" "*py2exe-*.whl*",".{0,1000}py2exe\-.{0,1000}\.whl.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 
- T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55926" "*py2exe.build_exe*",".{0,1000}py2exe\.build_exe.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55927" "*py2exe.freeze*",".{0,1000}py2exe\.freeze.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55928" "*py2exe.git*",".{0,1000}py2exe\.git.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55929" "*py2exe_setuptools.py*",".{0,1000}py2exe_setuptools\.py.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation 
Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55930" "*py2exe-master.zip*",".{0,1000}py2exe\-master\.zip.{0,1000}","greyware_tool_keyword","py2exe","py2exe allows you to convert Python scripts into standalone executable files for Windows often used by attackers","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","Operation Wocao","N/A","Resource Development","https://github.com/py2exe/py2exe","1","1","N/A","greyware_tools high risks of false positives","N/A","10","927","102","2024-11-12T19:44:34Z","2019-03-11T13:16:35Z","55931" "*pyinstaller *.py*",".{0,1000}pyinstaller\s.{0,1000}\.py.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","0","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","55976" "*pyinstaller* --onefile --add-data *",".{0,1000}pyinstaller.{0,1000}\s\-\-onefile\s\-\-add\-data\s.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","0","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","55982" "*pyinstaller.exe*",".{0,1000}pyinstaller\.exe.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","1","N/A","greyware_tools high risks of false 
positives","N/A","N/A","N/A","N/A","N/A","N/A","55983" "*pyinstaller/tarball*",".{0,1000}pyinstaller\/tarball.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","0","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","55984" "*pyinstaller-script.py*",".{0,1000}pyinstaller\-script\.py.{0,1000}","greyware_tool_keyword","pyinstaller","PyInstaller bundles a Python application and all its dependencies into a single package executable.","T1027.002 - T1045 - T1059.001 - T1587.001","TA0005 - TA0042","N/A","N/A","Resource Development","https://www.pyinstaller.org/","1","1","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","55985" "*pyjam.as/tunnel*",".{0,1000}pyjam\.as\/tunnel.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","55986" "*pyshark.FileCapture(*",".{0,1000}pyshark\.FileCapture\(.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","0","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","56035" "*pyshark.LiveCapture(*",".{0,1000}pyshark\.LiveCapture\(.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - 
TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","0","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","56036" "*pyshark.RemoteCapture(*",".{0,1000}pyshark\.RemoteCapture\(.{0,1000}","greyware_tool_keyword","pyshark","Python wrapper for tshark allowing python packet parsing using wireshark dissectors","T1040 - T1213 - T1105 - T1572","TA0009 - TA0007","N/A","N/A","Discovery","https://github.com/KimiNewt/pyshark","1","0","N/A","N/A","6","10","2355","439","2024-12-04T15:41:20Z","2013-12-28T14:38:22Z","56037" "*python -c 'import pty;pty.spawn(""/bin/bash"")*",".{0,1000}python\s\-c\s\'import\spty\;pty\.spawn\(\""\/bin\/bash\""\).{0,1000}","greyware_tool_keyword","python","commonly used to upgrade a restricted shell","T1059.006 - T1059 - T1070.004","TA0004","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56058" "*python -m http.server*",".{0,1000}python\s\-m\shttp\.server.{0,1000}","greyware_tool_keyword","http.server","setup a simple http server","T1071.001 - T1105 - T1213","TA00010 - TA0009","N/A","N/A","Data Exfiltration","https://x.com/mthcht/status/1827714529687658796","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","56072" "*python -m SimpleHTTPServer*",".{0,1000}python\s\-m\sSimpleHTTPServer.{0,1000}","greyware_tool_keyword","simplehttpserver","quick web server in python","T1021.002 - T1059.006","TA0002 - TA0005","N/A","N/A","Data Exfiltration","https://docs.python.org/2/library/simplehttpserver.html","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","56076" "*python3 -m http.server*",".{0,1000}python\s\-m\shttp\.server.{0,1000}","greyware_tool_keyword","http.server","setup a simple http server","T1071.001 - T1105 - T1213","TA00010 - TA0009","N/A","N/A","Data Exfiltration","https://x.com/mthcht/status/1827714529687658796","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","56108" 
"*q3k/crowbar*",".{0,1000}q3k\/crowbar.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","1","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","56138" "*QNAME*.trycloudfare.com*",".{0,1000}QNAME.{0,1000}\.trycloudfare\.com.{0,1000}","greyware_tool_keyword","trycloudflare.com","The subdomain .trycloudflare.com is a temporary hostname provided by Cloudflare Tunnel - It allows users to expose local services to the internet without needing to configure port forwarding or a public IP - attackers frequently abuse it for malicious activities","T1071.001 - T1090 - T1583.003 - T1102","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","Phishing","https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware","1","1","#dnsquery","N/A","10","10","N/A","N/A","N/A","N/A","56150" "*Quasar Client Startup*",".{0,1000}Quasar\sClient\sStartup.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56164" "*Quasar v*\Client-built.exe*",".{0,1000}Quasar\sv.{0,1000}\\Client\-built\.exe.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56165" "*Quasar.Client.*",".{0,1000}Quasar\.Client\..{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56166" "*Quasar.Common.Tests\*",".{0,1000}Quasar\.Common\.Tests\\.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56167" "*Quasar.exe*",".{0,1000}Quasar\.exe.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56168" "*Quasar.Server*",".{0,1000}Quasar\.Server.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56169" "*Quasar.Server\Program.cs*",".{0,1000}Quasar\.Server\\Program\.cs.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56170" "*Quasar.sln*",".{0,1000}Quasar\.sln.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56171" "*Quasar.v1.4.1.zip*",".{0,1000}Quasar\.v1\.4\.1\.zip.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56172" "*quasar/Quasar*",".{0,1000}quasar\/Quasar.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56173" "*Quasar-master.zip*",".{0,1000}Quasar\-master\.zip.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56174" "*QuasarRAT*",".{0,1000}QuasarRAT.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. 
Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","1","N/A","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","56175" "*QuickAssist.exe launched*",".{0,1000}QuickAssist\.exe\slaunched.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","56179" "*qwinsta /server:*",".{0,1000}qwinsta\s\/server\:.{0,1000}","greyware_tool_keyword","qwinsta","enumerate rdp session on a remote server","T1049 - T1018 - T1021.001","TA0007 - TA0009 - TA0010","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","3","8","N/A","N/A","N/A","N/A","56191" "*radmin /connect:*",".{0,1000}radmin\s\/connect\:.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56210" "*Radmin Server V3*",".{0,1000}Radmin\sServer\sV3.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - 
TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","ServiceName","10","10","N/A","N/A","N/A","N/A","56211" "*Radmin Viewer 3\CHATLOGS\*",".{0,1000}Radmin\sViewer\s3\\CHATLOGS\\.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56212" "*Radmin Viewer 3\rchatx.dll*",".{0,1000}Radmin\sViewer\s3\\rchatx\.dll.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56213" "*radmin.exe* /connect:*",".{0,1000}radmin\.exe.{0,1000}\s\/connect\:.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56214" "*randomx.xmrig.com*",".{0,1000}randomx\.xmrig\.com.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","56242" "*Rapid7*",".{0,1000}Rapid7.{0,1000}","greyware_tool_keyword","rapid7","Vulnerability scanner","T1046 - T1068 - T1190 - T1201 - T1222 - T1592","TA0001 - TA0002 - TA0007 - TA0011","N/A","Black Basta","Vulnerability Scanner","https://www.rapid7.com/","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","56269" 
"*rapiz1/rathole*",".{0,1000}rapiz1\/rathole.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","1","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","56272" "*rathole config.toml*",".{0,1000}rathole\sconfig\.toml.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","56299" "*rathole server.toml*",".{0,1000}rathole\sserver\.toml.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","56300" "*ratholec-mem.log*",".{0,1000}ratholec\-mem\.log.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","56301" "*ratholes-mem.log*",".{0,1000}ratholes\-mem\.log.{0,1000}","greyware_tool_keyword","rathole"," expose the service on the device behind the NAT to the Internet, via a server with a public IP.","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/rapiz1/rathole","1","0","N/A","N/A","10","10","10580","549","2024-07-06T20:09:48Z","2021-12-14T05:03:07Z","56302" 
"*raw.githubusercontent.com*.7z*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.7z.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56304" "*raw.githubusercontent.com*.apk*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.apk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56305" "*raw.githubusercontent.com*.app*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.app.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56306" "*raw.githubusercontent.com*.as*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.as.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56307" "*raw.githubusercontent.com*.asc*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.asc.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56308" "*raw.githubusercontent.com*.asp*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.asp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to 
retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56309" "*raw.githubusercontent.com*.bash*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.bash.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","#linux","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56310" "*raw.githubusercontent.com*.bat*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.bat.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56311" "*raw.githubusercontent.com*.beacon*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.beacon.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56312" "*raw.githubusercontent.com*.bin*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.bin.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56313" "*raw.githubusercontent.com*.bpl*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.bpl.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","56314" "*raw.githubusercontent.com*.c",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.c","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56315" "*raw.githubusercontent.com*.cer*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.cer.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56316" "*raw.githubusercontent.com*.cmd*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.cmd.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56317" "*raw.githubusercontent.com*.com*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.com.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56318" "*raw.githubusercontent.com*.cpp*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.cpp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56319" "*raw.githubusercontent.com*.crt*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.crt.{0,1000}","greyware_tool_keyword","github","Github raw access 
content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56320" "*raw.githubusercontent.com*.cs*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.cs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56321" "*raw.githubusercontent.com*.csh*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.csh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56322" "*raw.githubusercontent.com*.dat*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.dat.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56323" "*raw.githubusercontent.com*.dll*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.dll.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56324" "*raw.githubusercontent.com*.docm*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.docm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","56325" "*raw.githubusercontent.com*.dos*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.dos.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56326" "*raw.githubusercontent.com*.exe*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56327" "*raw.githubusercontent.com*.go*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.go.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56328" "*raw.githubusercontent.com*.gz*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.gz.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56329" "*raw.githubusercontent.com*.hta*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.hta.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56330" "*raw.githubusercontent.com*.iso*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.iso.{0,1000}","greyware_tool_keyword","github","Github raw 
access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56331" "*raw.githubusercontent.com*.jar*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.jar.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56332" "*raw.githubusercontent.com*.js*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.js.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56333" "*raw.githubusercontent.com*.lnk*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.lnk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56334" "*raw.githubusercontent.com*.log*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.log.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56335" "*raw.githubusercontent.com*.mac*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.mac.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","56336" "*raw.githubusercontent.com*.mam*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.mam.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56337" "*raw.githubusercontent.com*.msi*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.msi.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56338" "*raw.githubusercontent.com*.msp*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.msp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56339" "*raw.githubusercontent.com*.nexe*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.nexe.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56340" "*raw.githubusercontent.com*.nim*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.nim.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56341" "*raw.githubusercontent.com*.otm*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.otm.{0,1000}","greyware_tool_keyword","github","Github 
raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56342" "*raw.githubusercontent.com*.out*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.out.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56343" "*raw.githubusercontent.com*.ova*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.ova.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56344" "*raw.githubusercontent.com*.pem*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pem.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56345" "*raw.githubusercontent.com*.pfx*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pfx.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56346" "*raw.githubusercontent.com*.pl*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pl.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","56347" "*raw.githubusercontent.com*.plx*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.plx.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56348" "*raw.githubusercontent.com*.pm*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56349" "*raw.githubusercontent.com*.ppk*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.ppk.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56350" "*raw.githubusercontent.com*.ps1*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.ps1.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56351" "*raw.githubusercontent.com*.psm1*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.psm1.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56352" "*raw.githubusercontent.com*.pub*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pub.{0,1000}","greyware_tool_keyword","github","Github 
raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56353" "*raw.githubusercontent.com*.py*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.py.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56354" "*raw.githubusercontent.com*.pyc*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pyc.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56355" "*raw.githubusercontent.com*.pyo*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.pyo.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56356" "*raw.githubusercontent.com*.rar*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.rar.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56357" "*raw.githubusercontent.com*.raw*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.raw.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","56358" "*raw.githubusercontent.com*.reg*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.reg.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56359" "*raw.githubusercontent.com*.rgs*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.rgs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56360" "*raw.githubusercontent.com*.RGS*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.RGS.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56361" "*raw.githubusercontent.com*.run*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.run.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56362" "*raw.githubusercontent.com*.scpt*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.scpt.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56363" 
"*raw.githubusercontent.com*.script*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.script.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56364" "*raw.githubusercontent.com*.sct*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.sct.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56365" "*raw.githubusercontent.com*.sh*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.sh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56366" "*raw.githubusercontent.com*.ssh*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.ssh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56367" "*raw.githubusercontent.com*.sys*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.sys.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56368" "*raw.githubusercontent.com*.teamserver*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.teamserver.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused 
by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56369" "*raw.githubusercontent.com*.temp*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.temp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56370" "*raw.githubusercontent.com*.tgz*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.tgz.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56371" "*raw.githubusercontent.com*.tmp*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.tmp.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56372" "*raw.githubusercontent.com*.vb*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.vb.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56373" "*raw.githubusercontent.com*.vbs*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.vbs.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive 
!","9","10","N/A","N/A","N/A","N/A","56374" "*raw.githubusercontent.com*.vbscript*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.vbscript.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56375" "*raw.githubusercontent.com*.ws*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.ws.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56376" "*raw.githubusercontent.com*.wsf*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.wsf.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56377" "*raw.githubusercontent.com*.wsh*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.wsh.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56378" "*raw.githubusercontent.com*.X86*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.X86.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56379" 
"*raw.githubusercontent.com*.X86_64*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.X86_64.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56380" "*raw.githubusercontent.com*.xlam*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.xlam.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56381" "*raw.githubusercontent.com*.xlm*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.xlm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56382" "*raw.githubusercontent.com*.xlsm*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.xlsm.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56383" "*raw.githubusercontent.com*.zip*",".{0,1000}raw\.githubusercontent\.com.{0,1000}\.zip.{0,1000}","greyware_tool_keyword","github","Github raw access content - abused by malwares to retrieve payloads","T1119","TA0009","N/A","N/A","Collection","https://github.com/","1","1","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","56384" "*rclone copy *:*",".{0,1000}rclone\scopy\s.{0,1000}\:.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage 
services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56412" "*rclone config*",".{0,1000}rclone\sconfig.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56413" "*rclone copy *:*",".{0,1000}rclone\scopy\s.{0,1000}\:.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56414" "*rclone copy*",".{0,1000}rclone\scopy.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56415" "*rclone obscure*",".{0,1000}rclone\sobscure.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56416" "*rclone rcat *",".{0,1000}rclone\srcat\s.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - 
LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56417" "*rclone.exe config create remote mega user *",".{0,1000}rclone\.exe\sconfig\screate\sremote\smega\suser\s.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56418" "*rclone.exe config*",".{0,1000}rclone\.exe\sconfig.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56419" "*rclone.exe 
copy*",".{0,1000}rclone\.exe\scopy.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56420" "*rclone.exe create*",".{0,1000}rclone\.exe\screate.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56421" "*rclone.exe mega*",".{0,1000}rclone\.exe\smega.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered 
Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56422" "*rclone.exe remote*",".{0,1000}rclone\.exe\sremote.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56423" "*rclone.exe* copy *:*",".{0,1000}rclone\.exe.{0,1000}\scopy\s.{0,1000}\:.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56424" "*rclone.exe* -l * *:*",".{0,1000}rclone\.exe.{0,1000}\s\-l\s.{0,1000}\s.{0,1000}\:.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 
- T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","N/A","interactive mode","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56425" "*rclone/imagekit*",".{0,1000}rclone\/imagekit.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","0","#useragent","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56426" "*rclone/rclone*",".{0,1000}rclone\/rclone.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data 
Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56427" "*rclone-beta-latest-windows-amd64.zip*",".{0,1000}rclone\-beta\-latest\-windows\-amd64\.zip.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56428" "*rclone-current-windows-arm64.zip*",".{0,1000}rclone\-current\-windows\-arm64\.zip.{0,1000}","greyware_tool_keyword","rclone","Rclone is a command line program for syncing files with cloud storage services - abused by a lot of ransomware groups","T1567.002 - T1560.001 - T1030 - T1048.002 - T1048.003 - T1567.002 - T1083","TA0010","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - Karakurt - AvosLocker - LockBit - BianLian - Hive - Daixin - Conti - Dagon Locker - Trigona - Quantum - Revil - 8BASE - INC Ransom - Cactus - EvilCorp* - Scattered Spider* - FiveHands - Cinnamon Tempest - EMBER BEA - Gamaredon","Data Exfiltration","https://github.com/rclone/rclone","1","1","N/A","N/A","8","10","49963","4453","2025-04-22T16:26:31Z","2014-03-16T16:19:57Z","56429" "*rc-update add tailscale*",".{0,1000}rc\-update\sadd\stailscale.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered 
Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","56431" "*rd /s /q %systemdrive%\$RECYCLE.BIN*",".{0,1000}rd\s\/s\s\/q\s\%systemdrive\%\\\$RECYCLE\.BIN.{0,1000}","greyware_tool_keyword","rmdir ","removes files from the Recycle Bin - erasing forensic evidence","T1070.003","TA0005","N/A","N/A","Defense Evasion","https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Ransom/MSIL/Hakbit/Ransom_MSIL_Hakbit_PA_MTB.yar#L7","1","0","N/A","N/A","10","10","395","63","2025-02-24T12:25:27Z","2024-02-05T13:57:05Z","56432" "*rd-asia-au-1.pulseway.com*",".{0,1000}rd\-asia\-au\-1\.pulseway\.com.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56433" "*rd-eu-de-1.pulseway.com*",".{0,1000}rd\-eu\-de\-1\.pulseway\.com.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56435" "*rd-eu-ie-1.pulseway.com*",".{0,1000}rd\-eu\-ie\-1\.pulseway\.com.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black
Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56436" "*'RDP Wrapper Library Installer v1.0'*",".{0,1000}\'RDP\sWrapper\sLibrary\sInstaller\sv1\.0\'.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","56439" "*RDP Wrapper\RDPConf*",".{0,1000}RDP\sWrapper\\RDPConf.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","56440" "*RDPWInst -w*",".{0,1000}RDPWInst\s\-w.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","56475" "*rdpwrap\*\RDPWInst.*",".{0,1000}rdpwrap\\.{0,1000}\\RDPWInst\..{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","0","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","56476" "*rdrleakdiag.exe /p * /o * /fullmemdmp /wait 1*",".{0,1000}rdrleakdiag\.exe\s\/p\s.{0,1000}\s\/o\s.{0,1000}\s\/fullmemdmp\s\/wait\s1.{0,1000}","greyware_tool_keyword","rdrleakdiag","Microsoft Windows resource leak diagnostic tool potentially dumping lsass process","T1003","TA0006 - TA0005","N/A","N/A","Credential Access","https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56477"
"*rd-us-east-1.pulseway.com*",".{0,1000}rd\-us\-east\-1\.pulseway\.com.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56480" "*rd-us-east-2.pulseway.com*",".{0,1000}rd\-us\-east\-2\.pulseway\.com.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56481" "*rd-us-west-1.pulseway.com*",".{0,1000}rd\-us\-west\-1\.pulseway\.com.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56482" "*Read-AADIntAccesstoken*",".{0,1000}Read\-AADIntAccesstoken.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56484"
"*Read-AADIntConfiguration*",".{0,1000}Read\-AADIntConfiguration.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56485" "*Real-Time Protection"" /v ""DisableBehaviorMonitoring"" /t REG_DWORD /d ""1"" /f*",".{0,1000}Real\-Time\sProtection\""\s\/v\s\""DisableBehaviorMonitoring\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56496" "*realtime.ably.io*",".{0,1000}realtime\.ably\.io.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56497" "*RealVNC.VNCViewer*",".{0,1000}RealVNC\.VNCViewer.{0,1000}","greyware_tool_keyword","vncviewer","VNCViewer is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56498" "*Received Request Run PowerShell command '*' from device Id*",".{0,1000}Received\sRequest\sRun\sPowerShell\scommand\s\'.{0,1000}\'\sfrom\sdevice\sId.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management 
tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56517" "*ReferrerUrl=https://mega.io/*",".{0,1000}ReferrerUrl\=https\:\/\/mega\.io\/.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56599" "*reg add ""HKEY LOCAL MACHINE\SYSTEM\CurentControlSet\Control\Terminal Server"" /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKEY\sLOCAL\sMACHINE\\SYSTEM\\CurentControlSet\\Control\\Terminal\sServer\""\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","modifies the Windows Registry to enable Remote Desktop connections by setting the fDenyTSConnections value to 0","T1562.001 - T1021.001 - T1112","TA0005 - TA0003","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56638" "*reg add ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers""*",".{0,1000}reg\sadd\s\""HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\sServer\sClient\\Servers\"".{0,1000}","greyware_tool_keyword","reg","could be used to manipulate system behavior or remove evidence","T1112 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense
Evasion","https://github.com/xiaoy-sec/Pentest_Note/blob/52156f816f0c2497c25343c2e872130193acca80/wiki/%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/Windows%E6%8F%90%E6%9D%83/RDP%26Firewall/%E5%88%A0%E9%99%A4%E7%97%95%E8%BF%B9.md?plain=1#L4","1","0","#registry","N/A","10","10","3875","951","2023-05-22T03:50:57Z","2020-06-15T02:58:36Z","56639" "*reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"" /v * /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\sNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\""\s\/v\s.{0,1000}\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Hides the user from the login screen - a tactic often used for stealthy persistence.","T1547.001","TA0003","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56640" "*reg add ""HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"" /v DisableAntiSpyware /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\""\s\/v\sDisableAntiSpyware\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112 ","TA0005 - TA0043","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56641" "*REG ADD ""HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"" /f /v fAllowUnsolicited /t REG_DWORD /d ""00000001""*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Terminal\sServices\""\s\/f\s\/v\sfAllowUnsolicited\s\/t\sREG_DWORD\s\/d\s\""00000001\"".{0,1000}","greyware_tool_keyword","reg","making Remote Desktop Protocol 
(RDP) more vulnerable to unauthorized access.","T1021 - T1112","TA0008","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L19","1","0","#registry","N/A","8","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56642" "*REG ADD ""HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"" /f /v fDenyTSConnections /t REG_DWORD /d ""00000000""*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Terminal\sServices\""\s\/f\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s\""00000000\"".{0,1000}","greyware_tool_keyword","reg","making Remote Desktop Protocol (RDP) more vulnerable to unauthorized access.","T1021 - T1112","TA0008","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L19","1","0","#registry","N/A","8","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56643" "*REG ADD ""HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"" /f /v UserAuthentication /t REG_DWORD /d ""00000000""*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Terminal\sServices\""\s\/f\s\/v\sUserAuthentication\s\/t\sREG_DWORD\s\/d\s\""00000000\"".{0,1000}","greyware_tool_keyword","reg","making Remote Desktop Protocol (RDP) more vulnerable to unauthorized access.","T1021 - T1112","TA0008","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L19","1","0","#registry","N/A","8","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56644" "*REG ADD 
""HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\TamperProtection"" /t REG_DWORD /v Enabled /d 0 /f*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Sophos\\SAVService\\TamperProtection\""\s\/t\sREG_DWORD\s\/v\sEnabled\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Sophos disable tamper protection","T1543 - T1547 - T1112","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56645" "*reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"" /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer\""\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Open passwords mimic + open rdp 3389 - used by many ransomware groups","T1112 - T1003 - T1076","TA0003 - TA0005 - TA0006","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56646" "*reg add ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"" /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer\""\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Enables Remote Desktop Protocol (RDP) connections by setting fDenyTSConnections to 0","T1076 - T1021.001","TA0005 - TA0008","N/A","N/A","Defense Evasion","N/A","1","0","#registry","false positives expected","6","7","N/A","N/A","N/A","N/A","56647" "*REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"" /f /v SecurityLayer /t REG_DWORD /d 
""00000001""*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer\\WinStations\\RDP\-Tcp\""\s\/f\s\/v\sSecurityLayer\s\/t\sREG_DWORD\s\/d\s\""00000001\"".{0,1000}","greyware_tool_keyword","reg","making Remote Desktop Protocol (RDP) more vulnerable to unauthorized access.","T1021 - T1112","TA0008","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L19","1","0","#registry","N/A","8","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56648" "*REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SAVService"" /t REG_DWORD /v Start /d 0x00000004 /f*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\SAVService\""\s\/t\sREG_DWORD\s\/v\sStart\s\/d\s0x00000004\s\/f.{0,1000}","greyware_tool_keyword","reg","Sophos disable tamper protection","T1543 - T1547 - T1112","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56649" "*REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config"" /t REG_DWORD /v SAVEnabled /d 0 /f*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sophos\sEndpoint\sDefense\\TamperProtection\\Config\""\s\/t\sREG_DWORD\s\/v\sSAVEnabled\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Sophos disable tamper protection","T1543 - T1547 - T1112","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56650" "*REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config"" /t REG_DWORD /v SEDEnabled /d 0 
/f*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sophos\sEndpoint\sDefense\\TamperProtection\\Config\""\s\/t\sREG_DWORD\s\/v\sSEDEnabled\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Sophos disable tamper protection","T1543 - T1547 - T1112","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56651" "*REG ADD ""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent"" /t REG_DWORD /v Start /d 0x00000004 /f*",".{0,1000}REG\sADD\s\""HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Sophos\sMCS\sAgent\""\s\/t\sREG_DWORD\s\/v\sStart\s\/d\s0x00000004\s\/f.{0,1000}","greyware_tool_keyword","reg","Sophos disable tamper protection","T1543 - T1547 - T1112","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56652" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications"" /v DisableNotifications /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sDefender\sSecurity\sCenter\\Notifications\""\s\/v\sDisableNotifications\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable security notifications / adjust User Account Control (UAC) settings / reduce security prompts for administrative actions","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56654" "*reg add ""HKLM\Software\Microsoft\Windows Defender"" /v DisableAntiSpyware and DisableAntiVirus /t REG_DWORD /d ""1"" 
/f*",".{0,1000}reg\sadd\s\""HKLM\\Software\\Microsoft\\Windows\sDefender\""\s\/v\sDisableAntiSpyware\sand\sDisableAntiVirus\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related services","T1562.001","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56655" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe"" /f /v Debugger /t REG_SZ /d ""%windir%\system32\cmd.exe""*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\HelpPane\.exe\""\s\/f\s\/v\sDebugger\s\/t\sREG_SZ\s\/d\s\""\%windir\%\\system32\\cmd\.exe\"".{0,1000}","greyware_tool_keyword","reg","modify the Image File Execution Options to substitute accessibility tools with cmd.exe enabling privilege escalation by launching an elevated command prompt","T1546.012 - T1112","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L12","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56656" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe"" /f /v Debugger /t REG_SZ /d ""%windir%\system32\cmd.exe""*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\Magnify\.exe\""\s\/f\s\/v\sDebugger\s\/t\sREG_SZ\s\/d\s\""\%windir\%\\system32\\cmd\.exe\"".{0,1000}","greyware_tool_keyword","reg","modify the Image File Execution Options to substitute accessibility tools with cmd.exe enabling privilege escalation by launching an elevated command 
prompt","T1546.012 - T1112","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L12","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56657" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"" /f /v Debugger /t REG_SZ /d ""%windir%\system32\cmd.exe""*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\sethc\.exe\""\s\/f\s\/v\sDebugger\s\/t\sREG_SZ\s\/d\s\""\%windir\%\\system32\\cmd\.exe\"".{0,1000}","greyware_tool_keyword","reg","modify the Image File Execution Options to substitute accessibility tools with cmd.exe enabling privilege escalation by launching an elevated command prompt","T1546.012 - T1112","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L12","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56658" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"" /f /v Debugger /t REG_SZ /d ""%windir%\system32\cmd.exe""*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\utilman\.exe\""\s\/f\s\/v\sDebugger\s\/t\sREG_SZ\s\/d\s\""\%windir\%\\system32\\cmd\.exe\"".{0,1000}","greyware_tool_keyword","reg","modify the Image File Execution Options to substitute accessibility tools with cmd.exe enabling privilege escalation by launching an elevated command prompt","T1546.012 - T1059.003 - T1055.001 - T1112","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/cmd.cmd#L12","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56660" "*reg add ""HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"" /v * /t REG_DWORD /d 0*",".{0,1000}reg\sadd\s\""HKLM\\Software\\Microsoft\\Windows\sNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\""\s\/v\s.{0,1000}\s\/t\sREG_DWORD\s\/d\s0.{0,1000}","greyware_tool_keyword","reg","hiding a user from the login screen by modifying a specific registry key","T1112 - T1564.001","TA0005 - TA0003","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","56661" "*REG ADD ""hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""ConsentPromptBehaviorAdmin"" /t REG_Dword /d 00000000 /f*",".{0,1000}REG\sADD\s\""hklm\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\""\s\/v\s\""ConsentPromptBehaviorAdmin\""\s\/t\sREG_Dword\s\/d\s00000000\s\/f.{0,1000}","greyware_tool_keyword","reg","disables the UAC consent prompt for administrators","T1112","TA0004","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege Escalation","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56663" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\""\s\/v\sConsentPromptBehaviorAdmin\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disable security notifications / adjust User Account Control (UAC) settings / reduce security 
prompts for administrative actions","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56664" "*reg add ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\""\s\/v\sConsentPromptBehaviorAdmin\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disables the consent prompt for administrators","T1112","TA0004","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege Escalation","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56665" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /v EnableLUA /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\""\s\/v\sEnableLUA\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable security notifications / adjust User Account Control (UAC) settings / reduce security prompts for administrative actions","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56666" "*REG ADD ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /v PromptOnSecureDesktop /t REG_DWORD /d 0 
/f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\""\s\/v\sPromptOnSecureDesktop\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disable security notifications / adjust User Account Control (UAC) settings / reduce security prompts for administrative actions","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56667" "*reg add ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"" /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\""\s\/v\sPromptOnSecureDesktop\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disables the secure desktop for User Account Control (UAC) prompts","T1112","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege Escalation","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56668" "*reg add ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nvspbind"" /v SystemComponent /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\nvspbind\""\s\/v\sSystemComponent\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","Hides the nvspbind component from the uninstall programs list - making it harder for users or administrators to detect or remove the program","T1070.006 - T1027.002","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","9","9","N/A","N/A","N/A","N/A","56669" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"" /v 
AllowFastServiceStartup /t REG_DWORD /d 0 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\""\s\/v\sAllowFastServiceStartup\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender - prevent it from starting quickly and prevent services from staying alive","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56670" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"" /v DisableAntiSpyware /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\""\s\/v\sDisableAntiSpyware\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender - prevent it from starting quickly and prevent services from staying alive","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56671" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"" /v ServiceKeepAlive /t REG_DWORD /d 0 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\""\s\/v\sServiceKeepAlive\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender - prevent it from starting quickly and prevent services from staying alive","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56672" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Real\-Time\sProtection\""\s\/v\sDisableBehaviorMonitoring\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable real-time protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56673" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v DisableIOAVProtection /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Real\-Time\sProtection\""\s\/v\sDisableIOAVProtection\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable real-time protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56674" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v DisableOnAccessProtection /t REG_DWORD /d 1 
/f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Real\-Time\sProtection\""\s\/v\sDisableOnAccessProtection\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable real-time protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56675" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Real\-Time\sProtection\""\s\/v\sDisableRealtimeMonitoring\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable real-time protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56676" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Real\-Time\sProtection\""\s\/v\sDisableScanOnRealtimeEnable\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","disable real-time protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56677" "*reg add ""HKLM\Software\Policies\Microsoft\Windows Defender\Reporting"" /v ""DisableEnhancedNotifications"" /t REG_DWORD /d ""1"" /f*",".{0,1000}reg\sadd\s\""HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender\\Reporting\""\s\/v\s\""DisableEnhancedNotifications\""\s\/t\sREG_DWORD\s\/d\s\""1\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56678" "*reg add ""HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet"" /v ""SpyNetReporting"" /t REG_DWORD /d ""0"" /f*",".{0,1000}reg\sadd\s\""HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender\\SpyNet\""\s\/v\s\""SpyNetReporting\""\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56679" "*reg add ""HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet"" /v ""SubmitSamplesConsent"" /t REG_DWORD /d ""0"" /f*",".{0,1000}reg\sadd\s\""HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender\\SpyNet\""\s\/v\s\""SubmitSamplesConsent\""\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable protection features of Windows Defender","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - 
Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56680" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\SpyNet\""\s\/v\sDisableBlockAtFirstSeen\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","reduce Windows Defender's ability to block suspicious files and prevent sample submissions to Microsoft","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56681" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"" /v LocalSettingOverrideSpyNetReporting /t REG_DWORD /d 0 /f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\SpyNet\""\s\/v\sLocalSettingOverrideSpyNetReporting\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","reduce Windows Defender's ability to block suspicious files and prevent sample submissions to Microsoft","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56682" "*REG ADD ""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"" /v SubmitSamplesConsent /t REG_DWORD /d 2 
/f*",".{0,1000}REG\sADD\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\SpyNet\""\s\/v\sSubmitSamplesConsent\s\/t\sREG_DWORD\s\/d\s2\s\/f.{0,1000}","greyware_tool_keyword","reg","reduce Windows Defender's ability to block suspicious files and prevent sample submissions to Microsoft","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56683" "*reg add ""HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint"" /f /v PackagePointAndPrintOnly /t REG_DWORD /d 1*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Printers\\PackagePointAndPrint\""\s\/f\s\/v\sPackagePointAndPrintOnly\s\/t\sREG_DWORD\s\/d\s1.{0,1000}","greyware_tool_keyword","reg","mimikatz command","T1003 - T1021.001 - T1053 - T1055 - T1057 - T1059.003 - T1070 - T1071 - T1078.002 - T1078.003 - T1078.005 - T1106 - T1136 - T1204 - T1218 - T1547 - T1555.003 - T1555.004 - T1573 - T1574 - T1596 - T1543","TA0001 - TA0002 - TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0010 - TA0040","N/A","BlackSuit - Royal - Black Basta - Akira - Phobos - PLAY - Karakurt - Scattered Spider - AvosLocker - LockBit - Conti - Bassterlord - Quantum - PYSA - NetWalker - GoGoogle - 8BASE - Trigona - Cuba - RansomEXX - BlackCat","Credential Access","https://github.com/gentilkiwi/mimikatz","1","0","#registry","N/A","10","10","20094","3854","2024-07-05T17:42:58Z","2014-04-06T18:30:02Z","56685" "*reg add ""HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint"" /f /v PackagePointAndPrintServerList /t REG_DWORD /d 
1*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Printers\\PackagePointAndPrint\""\s\/f\s\/v\sPackagePointAndPrintServerList\s\/t\sREG_DWORD\s\/d\s1.{0,1000}","greyware_tool_keyword","reg","mimikatz command","T1003 - T1021.001 - T1053 - T1055 - T1057 - T1059.003 - T1070 - T1071 - T1078.002 - T1078.003 - T1078.005 - T1106 - T1136 - T1204 - T1218 - T1547 - T1555.003 - T1555.004 - T1573 - T1574 - T1596 - T1543","TA0001 - TA0002 - TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0010 - TA0040","N/A","BlackSuit - Royal - Black Basta - Akira - Phobos - PLAY - Karakurt - Scattered Spider - AvosLocker - LockBit - Conti - Bassterlord - Quantum - PYSA - NetWalker - GoGoogle - 8BASE - Trigona - Cuba - RansomEXX - BlackCat","Credential Access","https://github.com/gentilkiwi/mimikatz","1","0","#registry","N/A","10","10","20094","3854","2024-07-05T17:42:58Z","2014-04-06T18:30:02Z","56687" "*reg add ""HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint\ListofServers"" /f /v 1 /t REG_SZ /d *",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Printers\\PackagePointAndPrint\\ListofServers\""\s\/f\s\/v\s1\s\/t\sREG_SZ\s\/d\s.{0,1000}","greyware_tool_keyword","reg","mimikatz command","T1003 - T1021.001 - T1053 - T1055 - T1057 - T1059.003 - T1070 - T1071 - T1078.002 - T1078.003 - T1078.005 - T1106 - T1136 - T1204 - T1218 - T1547 - T1555.003 - T1555.004 - T1573 - T1574 - T1596 - T1543","TA0001 - TA0002 - TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0010 - TA0040","N/A","BlackSuit - Royal - Black Basta - Akira - Phobos - PLAY - Karakurt - Scattered Spider - AvosLocker - LockBit - Conti - Bassterlord - Quantum - PYSA - NetWalker - GoGoogle - 8BASE - Trigona - Cuba - RansomEXX - BlackCat","Credential Access","https://github.com/gentilkiwi/mimikatz","1","0","#registry","N/A","10","10","20094","3854","2024-07-05T17:42:58Z","2014-04-06T18:30:02Z","56689" "*reg add 
""HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"" /f /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sNT\\Printers\\PointAndPrint\""\s\/f\s\/v\sRestrictDriverInstallationToAdministrators\s\/t\sREG_DWORD\s\/d\s0.{0,1000}","greyware_tool_keyword","reg","mimikatz command","T1003 - T1021.001 - T1053 - T1055 - T1057 - T1059.003 - T1070 - T1071 - T1078.002 - T1078.003 - T1078.005 - T1106 - T1136 - T1204 - T1218 - T1547 - T1555.003 - T1555.004 - T1573 - T1574 - T1596 - T1543","TA0001 - TA0002 - TA0003 - TA0004 - TA0005 - TA0006 - TA0007 - TA0008 - TA0011 - TA0010 - TA0040","N/A","BlackSuit - Royal - Black Basta - Akira - Phobos - PLAY - Karakurt - Scattered Spider - AvosLocker - LockBit - Conti - Bassterlord - Quantum - PYSA - NetWalker - GoGoogle - 8BASE - Trigona - Cuba - RansomEXX - BlackCat","Credential Access","https://github.com/gentilkiwi/mimikatz","1","0","#registry","N/A","10","10","20094","3854","2024-07-05T17:42:58Z","2014-04-06T18:30:02Z","56691" "*reg add ""HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc."" /v ""Allow Uninstall"" /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\s\""HKLM\\SOFTWARE\\Wow6432Node\\TrendMicro\\PC\-cillinNTCorp\\CurrentVersion\\Misc\.\""\s\/v\s\""Allow\sUninstall\""\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","Uninstall TrendMicro","T1112","TA0005","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","8","10","N/A","N/A","N/A","N/A","56692" "*REG ADD ""HKLM\System\CurrentControlSet\Control\Lsa"" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f*",".{0,1000}REG\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\Lsa\""\s\/v\sEveryoneIncludesAnonymous\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - 
TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56693" "*REG ADD ""HKLM\System\CurrentControlSet\Control\Lsa"" /v RestrictAnonymous /t REG_DWORD /d 0 /f*",".{0,1000}REG\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\Lsa\""\s\/v\sRestrictAnonymous\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56694" "*reg add ""HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"" /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer\""\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","enable Remote Desktop connections with reg.exe","T1112","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","7","10","N/A","N/A","N/A","N/A","56695" "*reg add ""HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"" /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s\""HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer\""\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Enables Remote Desktop Protocol (RDP) connections by setting fDenyTSConnections to 0","T1076 - T1021.001","TA0005 - TA0008","N/A","N/A","Defense Evasion","N/A","1","0","#registry","false positives expected","6","7","N/A","N/A","N/A","N/A","56696" "*REG ADD ""HKLM\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp"" /v PortNumber /t REG_DWORD /d 443 
/f*",".{0,1000}REG\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\TerminalServer\\WinStations\\RDP\-Tcp\""\s\/v\sPortNumber\s\/t\sREG_DWORD\s\/d\s443\s\/f.{0,1000}","greyware_tool_keyword","reg","Tunnel RDP through port 443","T1562.001 - T1021.001 - T1112","TA0005 - TA0003","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56697" "*reg add ""HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger"" /v ""Start"" /t REG_DWORD /d ""0"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable logging related to Windows Defender","T1070.003 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56698" "*reg add ""HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger"" /v ""Start"" /t REG_DWORD /d ""0"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderAuditLogger\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable logging related to Windows Defender","T1070.003 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56699" "*REG ADD ""HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc 
/f*",".{0,1000}REG\sADD\s\""HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\""\s\/v\sNullSessionPipes\s\/t\sREG_MULTI_SZ\s\/d\ssrvsvc\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56700" "*REG ADD ""HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"" /v NullSessionShares /t REG_MULTI_SZ /d share /f*",".{0,1000}REG\sADD\s\""HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\""\s\/v\sNullSessionShares\s\/t\sREG_MULTI_SZ\s\/d\sshare\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56701" "*reg add ""HKLM\System\CurrentControlSet\Services\SecurityHealthService"" /v ""Start"" /t REG_DWORD /d ""4"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""4\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related services","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56702" "*reg add ""HKLM\System\CurrentControlSet\Services\WdBoot"" /v ""Start"" /t REG_DWORD /d ""4"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Services\\WdBoot\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""4\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related 
services","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56703" "*reg add ""HKLM\System\CurrentControlSet\Services\WdFilter"" /v ""Start"" /t REG_DWORD /d ""4"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Services\\WdFilter\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""4\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related services","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56704" "*reg add ""HKLM\System\CurrentControlSet\Services\WdNisDrv"" /v ""Start"" /t REG_DWORD /d ""4"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Services\\WdNisDrv\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""4\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related services","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56705" "*reg add ""HKLM\System\CurrentControlSet\Services\WdNisSvc"" /v ""Start"" /t REG_DWORD /d ""4"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Services\\WdNisSvc\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""4\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related services","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56706" "*reg add ""HKLM\System\CurrentControlSet\Services\WinDefend"" /v ""Start"" /t REG_DWORD /d ""4"" /f*",".{0,1000}reg\sadd\s\""HKLM\\System\\CurrentControlSet\\Services\\WinDefend\""\s\/v\s\""Start\""\s\/t\sREG_DWORD\s\/d\s\""4\""\s\/f.{0,1000}","greyware_tool_keyword","reg","disable Windows Defender-related services","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56707" "*REG ADD ""HKLM\SYSTEM\CurrentControlSet\services\WinDefend"" /v Start /t REG_DWORD /d 4 /f*",".{0,1000}REG\sADD\s\""HKLM\\SYSTEM\\CurrentControlSet\\services\\WinDefend\""\s\/v\sStart\s\/t\sREG_DWORD\s\/d\s4\s\/f.{0,1000}","greyware_tool_keyword","reg","disables Windows Defender by setting its start value to 4 (disabled)","T1562.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L7","1","0","#registry","N/A","10","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","56708" "*reg add *HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server* /v fDenyTSConnections /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\s.{0,1000}HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\sServer.{0,1000}\s\/v\sfDenyTSConnections\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Allowing remote connections to this computer","T1021.001 - T1059.003 - T1112","TA0008 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","N/A","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56711" "*REG ADD *HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe* /t REG_SZ /v Debugger /d *\windows\system32\cmd.exe* /f*",".{0,1000}REG\sADD\s.{0,1000}HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\sethc\.exe.{0,1000}\s\/t\sREG_SZ\s\/v\sDebugger\s\/d\s.{0,1000}\\windows\\system32\\cmd\.exe.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Hit F5 a bunch of times when you are at the RDP login screen","T1546.012 - T1059.003 - T1055.001 - T1112","TA0002 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Persistence","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56712" "*REG ADD *HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe* /t REG_SZ /v Debugger /d *\windows\system32\cmd.exe* /f*",".{0,1000}REG\sADD\s.{0,1000}HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\utilman\.exe.{0,1000}\s\/t\sREG_SZ\s\/v\sDebugger\s\/d\s.{0,1000}\\windows\\system32\\cmd\.exe.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","At the login screen press Windows Key+U and you get a cmd.exe window as SYSTEM.","T1546.012 - T1059.003 - T1055.001 - T1112","TA0002 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Persistence","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56713" "*reg add *HKLM\SOFTWARE\Policies\Microsoft\Windows Defender""* /v DisableAntiSpyware /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\"".{0,1000}\s\/v\sDisableAntiSpyware\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","Defense evasion technique disable windows defender","T1562.001 - T1562.002 - T1070.004 - T1112","TA0007 - TA0040 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56714" "*reg add *HKLM\Software\Policies\Microsoft\Windows Defender""*/v *DisableAntiSpyware* /t REG_DWORD /d *1* /f*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender\"".{0,1000}\/v\s.{0,1000}DisableAntiSpyware.{0,1000}\s\/t\sREG_DWORD\s\/d\s.{0,1000}1.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Disable Real Time Protection","T1562.001 - T1562.002 - T1070.004 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56715" "*reg add *HKLM\Software\Policies\Microsoft\Windows Defender* /v *DisableAntiVirus* /t REG_DWORD /d *1* /f*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender.{0,1000}\s\/v\s.{0,1000}DisableAntiVirus.{0,1000}\s\/t\sREG_DWORD\s\/d\s.{0,1000}1.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Disable Real Time Protection","T1562.001 - T1562.002 - T1070.004 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56716" "*reg add *HKLM\Software\Policies\Microsoft\Windows Defender* /v Disable* /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender.{0,1000}\s\/v\sDisable.{0,1000}\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","Defense evasion technique - in order to avoid detection at any point of the kill chain attackers use several ways to disable anti-virus -
disable Microsoft firewall and clear logs.","T1562.001 - T1562.002 - T1070.004 - T1112","TA0007 - TA0040 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56717" "*reg add *HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Threats\\ThreatIDDefaultAction.{0,1000}","greyware_tool_keyword","reg","Windows Defender Tampering Via registry","T1489 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56718" "*reg add *HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters* /v EnablePrefetcher /t REG_DWORD /f /d 0*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session\sManager\\Memory\sManagement\\PrefetchParameters.{0,1000}\s\/v\sEnablePrefetcher\s\/t\sREG_DWORD\s\/f\s\/d\s0.{0,1000}","greyware_tool_keyword","reg","Anti forensic - Disabling Prefetch","T1215 - T1562.001 - T1037 - T1112","TA0008","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","#servicename #registry","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","56719" "*reg add *HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger* /v *Start* /t REG_DWORD /d *0* /f*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger.{0,1000}\s\/v\s.{0,1000}Start.{0,1000}\s\/t\sREG_DWORD\s\/d\s.{0,1000}0.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Blind ETW Windows Defender: zero out registry values 
corresponding to its ETW sessions","T1562.001 - T1055.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","greyware tool - risks of False positive !","10","7","N/A","N/A","N/A","N/A","56720" "*reg add *HKLM\System\CurrentControlSet\Services\SecurityHealthService* /v *Start* /t REG_DWORD /d *4* /f*",".{0,1000}reg\sadd\s.{0,1000}HKLM\\System\\CurrentControlSet\\Services\\SecurityHealthService.{0,1000}\s\/v\s.{0,1000}Start.{0,1000}\s\/t\sREG_DWORD\s\/d\s.{0,1000}4.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Disable Windows Defender Security Center","T1562.001 - T1055.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#servicename #registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56721" "*reg add \""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\"" /t REG_DWORD /f /d 0 /v *",".{0,1000}reg\sadd\s\\\""HKLM\\SOFTWARE\\Microsoft\\Windows\sNT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\\""\s\/t\sREG_DWORD\s\/f\s\/d\s0\s\/v\s.{0,1000}","greyware_tool_keyword","reg","command used in the Dispossessor ransomware group notes - The account will no longer be visible on the Windows login screen.","T1098 - T1068 - T1112 - T1088 - T1546.015 - T1059","TA0001 - TA0002 - TA0003 - TA0004 - TA0008","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56723" "*reg add HKCU\software\policies\microsoft\office\16.0\excel\security /v PythonFunctionWarnings /t REG_DWORD /d 0 /f?*",".{0,1000}reg\sadd\sHKCU\\software\\policies\\microsoft\\office\\16\.0\\excel\\security\s\/v\sPythonFunctionWarnings\s\/t\sREG_DWORD\s\/d\s0\s\/f\?.{0,1000}","greyware_tool_keyword","Excel","prevent any warnings or alerts when Python functions are about to be executed. 
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet","T1112 - T1131 - T1204.002","TA0003 - TA0005","N/A","N/A","Defense Evasion","https://github.com/tsale/Sigma_rules/blob/main/MISC/pythonfunctionwarnings_disabled.yml","1","0","#registry","N/A","7","2","119","17","2025-01-29T17:41:49Z","2022-01-11T07:34:37Z","56727" "*reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d ""0"" /f*",".{0,1000}reg\sadd\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\s\/v\sDisableRestrictedAdmin\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","This modification can be used to enable or disable the Restricted Admin mode for Remote Desktop Protocol (RDP) which has implications for Lateral Movement and privilege escalation","T1112 - T1021 - T1078 - T1112","TA0005 - TA0006 - TA0008","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Lateral Movement","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56728" "*reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\s\/v\sDisableRestrictedAdmin\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","This modification can be used to enable or disable the Restricted Admin mode for Remote Desktop Protocol (RDP) which has implications for Lateral Movement and privilege escalation","T1210","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Lateral Movement","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56729" "*reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLMHash /t REG_DWORD /d ""0"" 
/f*",".{0,1000}reg\sadd\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\s\/v\sNoLMHash\s\/t\sREG_DWORD\s\/d\s\""0\""\s\/f.{0,1000}","greyware_tool_keyword","reg","This particular change is associated with the handling of LAN Manager (LM) hash storage which can affect the security of password storage on the system. This command can be used as part of credential access or defense evasion techniques","T1112 - T1556 - T1547 - T1112","TA0005 - TA0006","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56730" "*reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\s\/v\sRunAsPPL\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Disables Protected Process Light (PPL) for Local Security Authority (LSA). 
This reduces system security by making LSA more vulnerable to tampering - exposing credentials","T1055.011 - T1547.001 - T1027.004","TA0005 - TA0006","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","9","9","N/A","N/A","N/A","N/A","56731" "*reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters /t REG_EXPAND_SZ /v ServiceDll /d *",".{0,1000}reg\sadd\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CryptSvc\\Parameters\s\/t\sREG_EXPAND_SZ\s\/v\sServiceDll\s\/d\s.{0,1000}","greyware_tool_keyword","reg","Disable Cortex: Change the DLL to a random value","T1547.001 - T1055.001 - T1055.002 - T1112","TA0002 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","N/A","8","9","N/A","N/A","N/A","N/A","56732" "*reg add HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels /v DisableDevTunnelsInVisualStudio /t REG_DWORD /d 0*",".{0,1000}reg\sadd\sHKLM\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels\s\/v\sDisableDevTunnelsInVisualStudio\s\/t\sREG_DWORD\s\/d\s0.{0,1000}","greyware_tool_keyword","reg","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","56733" "*reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA\s\/v\sRunAsPPL\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","Disables Protected Process Light (PPL) for Local Security Authority (LSA). 
This reduces system security by making LSA more vulnerable to tampering - exposing credentials","T1055.011 - T1547.001 - T1027.004","TA0005 - TA0006","N/A","N/A","Defense Evasion","N/A","1","0","#registry","N/A","9","9","N/A","N/A","N/A","N/A","56735" "*reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d /f 1*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential\s\/t\sREG_DWORD\s\/d\s\/f\s1.{0,1000}","greyware_tool_keyword","reg","allows the storage of plaintext passwords in memory","T1003.001 - T1112","TA0006 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Credential Access","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56736" "*reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","allows the storage of plaintext passwords in memory","T1003.001 - T1112","TA0006 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Credential Access","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56737" "*reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","Enables WDigest authentication - storing plaintext credentials in memory. 
This exposes the system to credential theft attacks","T1003.001 - T1547.001 - T1552.001","TA0005 - TA0006","N/A","N/A","Credential Access","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56738" "*reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential\s\/t\sREG_DWORD\s\/d\s1.{0,1000}","greyware_tool_keyword","reg","Open passwords mimic + open rdp 3389 - used by many ransomware groups","T1112 - T1003 - T1076","TA0003 - TA0005 - TA0006","N/A","Dispossessor","Persistence","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56739" "*reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1*",".{0,1000}reg\sadd\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential\s\/t\sREG_DWORD\s\/f\s\/d\s1.{0,1000}","greyware_tool_keyword","reg","allows the storage of plaintext passwords in memory","T1003.001 - T1112 - T1112","TA0006 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Credential Access","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56740" "*reg delete ""HKCR\*\shellex\ContextMenuHandlers\EPP"" /f*",".{0,1000}reg\sdelete\s\""HKCR\\.{0,1000}\\shellex\\ContextMenuHandlers\\EPP\""\s\/f.{0,1000}","greyware_tool_keyword","reg","remove the Windows Defender context menu options","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56741" "*reg delete ""HKCR\Directory\shellex\ContextMenuHandlers\EPP"" 
/f*",".{0,1000}reg\sdelete\s\""HKCR\\Directory\\shellex\\ContextMenuHandlers\\EPP\""\s\/f.{0,1000}","greyware_tool_keyword","reg","remove the Windows Defender context menu options","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56742" "*reg delete ""HKCR\Drive\shellex\ContextMenuHandlers\EPP"" /f*",".{0,1000}reg\sdelete\s\""HKCR\\Drive\\shellex\\ContextMenuHandlers\\EPP\""\s\/f.{0,1000}","greyware_tool_keyword","reg","remove the Windows Defender context menu options","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56743" "*Reg Delete ""HKCU\software\Microsoft\Windows\CurrentVersion\Run"" /v ""SUPERAntiSpyware"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SUPERAntiSpyware\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56753" "*reg delete ""HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" /v ""Windows Defender"" /f*",".{0,1000}reg\sdelete\s\""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Windows\sDefender\""\s\/f.{0,1000}","greyware_tool_keyword","reg","remove Windows Defender from the system tray","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56754" "*REG DELETE ""HKEY_CLASSES_ROOT\Installer\Products\10F15BFE50893924BB61F671FEC4D2EF"" /f*",".{0,1000}REG\sDELETE\s\""HKEY_CLASSES_ROOT\\Installer\\Products\\10F15BFE50893924BB61F671FEC4D2EF\""\s\/f.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56756" "*REG DELETE ""HKEY_CLASSES_ROOT\Installer\Products\4758948C95C1B194AB15204D95B42292"" /f*",".{0,1000}REG\sDELETE\s\""HKEY_CLASSES_ROOT\\Installer\\Products\\4758948C95C1B194AB15204D95B42292\""\s\/f.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56757" "*reg delete ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"" /va /f*",".{0,1000}reg\sdelete\s\""HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\sServer\sClient\\Default\""\s\/va\s\/f.{0,1000}","greyware_tool_keyword","reg","delete terminal server client entries from the registry - erasing potential evidence of RDP connections","T1070.004 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Ransom/Win32/Ergop/Ransom_Win32_Ergop_A_.yar#L10","1","0","#registry","N/A","10","10","395","63","2025-02-24T12:25:27Z","2024-02-05T13:57:05Z","56758" "*reg delete ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"" /f*",".{0,1000}reg\sdelete\s\""HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\sServer\sClient\\Servers\""\s\/f.{0,1000}","greyware_tool_keyword","reg","delete terminal server client entries from the registry - erasing potential evidence of RDP connections","T1070.004 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://github.com/roadwy/DefenderYara/blob/9bbdb7f9fd3513ce30aa69cd1d88830e3cf596ca/Ransom/Win32/Ergop/Ransom_Win32_Ergop_A_.yar#L10","1","0","#registry","N/A","10","10","395","63","2025-02-24T12:25:27Z","2024-02-05T13:57:05Z","56759" "*reg delete ""HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"" /v ""Windows Defender"" /f*",".{0,1000}reg\sdelete\s\""HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\""\s\/v\s\""Windows\sDefender\""\s\/f.{0,1000}","greyware_tool_keyword","reg","remove Windows Defender from the system tray","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56761" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""AvastUI.exe"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""AvastUI\.exe\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56762" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""AvastUI.exe"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""AvastUI\.exe\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56763" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""AVGUI.exe"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""AVGUI\.exe\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56764" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""AVGUI.exe"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""AVGUI\.exe\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56765" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""Avira SystrayStartTrigger"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Avira\sSystrayStartTrigger\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56766" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""Avira SystrayStartTrigger"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Avira\sSystrayStartTrigger\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56767" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""ClamWin"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""ClamWin\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56768" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""ClamWin"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""ClamWin\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56769" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""COMODO Internet Security"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""COMODO\sInternet\sSecurity\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56770" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""COMODO Internet Security"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""COMODO\sInternet\sSecurity\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56771" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""egui"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""egui\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56772" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""egui"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""egui\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56773" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""IseUI"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""IseUI\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56774" "*Reg Delete 
""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""IseUI"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""IseUI\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56775" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""QHSafeTray"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""QHSafeTray\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56776" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""QHSafeTray"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""QHSafeTray\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56777" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SBAMTray"" /f 
/reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SBAMTray\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56778" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SBAMTray"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SBAMTray\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56779" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SBRegRebootCleaner"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SBRegRebootCleaner\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56780" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SBRegRebootCleaner"" /f 
/reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SBRegRebootCleaner\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56781" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SUPERAntiSpyware"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SUPERAntiSpyware\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56782" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SUPERAntiSpyware"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SUPERAntiSpyware\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56783" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SUPERAntiSpyware"" /f 
/reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SUPERAntiSpyware\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543 - T1112","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56784" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""SUPERAntiSpyware"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""SUPERAntiSpyware\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56785" "*reg delete ""HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" /v ""Windows Defender"" /f*",".{0,1000}reg\sdelete\s\""HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Windows\sDefender\""\s\/f.{0,1000}","greyware_tool_keyword","reg","remove Windows Defender from the system tray","T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56786" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""Zillya Antivirus"" /f /reg:32*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Zillya\sAntivirus\""\s\/f\s\/reg\:32.{0,1000}","greyware_tool_keyword","reg","prevents security 
tools from launching automatically","T1562.001 - T1543","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56787" "*Reg Delete ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"" /v ""Zillya Antivirus"" /f /reg:64*",".{0,1000}Reg\sDelete\s\""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Zillya\sAntivirus\""\s\/f\s\/reg\:64.{0,1000}","greyware_tool_keyword","reg","prevents security tools from launching automatically","T1562.001 - T1543","TA0003 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56788" "*reg delete ""HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels"" /v DisableDevTunnelsInVisualStudio /f*",".{0,1000}reg\sdelete\s\""HKLM\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels\""\s\/v\sDisableDevTunnelsInVisualStudio\s\/f.{0,1000}","greyware_tool_keyword","reg","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","56789" "*REG Delete ""HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"" /v ""Sophos AutoUpdate Monitor"" /f*",".{0,1000}REG\sDelete\s\""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\""\s\/v\s\""Sophos\sAutoUpdate\sMonitor\""\s\/f.{0,1000}","greyware_tool_keyword","reg","Remove Sophos Registry Keys","T1112","TA0005","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56790" "*reg delete * /v MRUList /f*",".{0,1000}reg\sdelete\s.{0,1000}\s\/v\sMRUList\s\/f.{0,1000}","greyware_tool_keyword","powershell","attempts to evade defenses or remove traces of activity by deleting MRUList registry keys","T1012 - T1070 - T1485 - T1146","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","56792" "*reg delete *\Software\Microsoft\Windows Defender*",".{0,1000}reg\sdelete\s.{0,1000}\\Software\\Microsoft\\Windows\sDefender.{0,1000}","greyware_tool_keyword","reg","Deletes registry entries related to Windows Defender","T1070","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56793" "*reg delete *HKLM\Software\Policies\Microsoft\Windows Defender* /f*",".{0,1000}reg\sdelete\s.{0,1000}HKLM\\Software\\Policies\\Microsoft\\Windows\sDefender.{0,1000}\s\/f.{0,1000}","greyware_tool_keyword","reg","Disable Real Time Protection","T1562.001 - T1055.001 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","N/A","1","0","#registry","greyware tool - risks of False positive 
!","10","10","N/A","N/A","N/A","N/A","56795" "*reg delete HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels*",".{0,1000}reg\sdelete\sHKLM\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels.{0,1000}","greyware_tool_keyword","reg","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","56798" "*reg delete*\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender*",".{0,1000}reg\sdelete.{0,1000}\\Software\\Microsoft\\SystemSettings\\SettingId\\SystemSettings_WindowsDefender_UseWindowsDefender.{0,1000}","greyware_tool_keyword","reg","Deletes the registry key responsible for enabling Windows Defender under System Settings.","T1070","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56799" "*reg delete*\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC*",".{0,1000}reg\sdelete.{0,1000}\\Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-Windows\sDefender\/WHC.{0,1000}","greyware_tool_keyword","reg","Deletes the Windows Event Log channel for Windows Defender WHC (Windows Health Center)","T1070","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56800" "*reg query ""HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"" /v CACHEDLOGONSCOUNT*",".{0,1000}reg\squery\s\""HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\sNT\\CURRENTVERSION\\WINLOGON\""\s\/v\sCACHEDLOGONSCOUNT.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone 
knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","#registry","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56801" "*reg query *\Software\Microsoft\Terminal Server Client\Default""*",".{0,1000}reg\squery\s.{0,1000}\\Software\\Microsoft\\Terminal\sServer\sClient\\Default\"".{0,1000}","greyware_tool_keyword","reg","Query registry for Terminal Server Client settings","T1012","TA0007","N/A","N/A","Discovery","N/A","1","0","#registry","N/A","5","6","N/A","N/A","N/A","N/A","56802" "*reg query HKCU /f passw /t REG_SZ /s*",".{0,1000}reg\squery\sHKCU\s\/f\spassw\s\/t\sREG_SZ\s\/s.{0,1000}","greyware_tool_keyword","reg","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","#registry","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","56804" "*reg query HKCU /f pwd /t REG_SZ /s*",".{0,1000}reg\squery\sHKCU\s\/f\spwd\s\/t\sREG_SZ\s\/s.{0,1000}","greyware_tool_keyword","reg","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","#registry","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","56806" "*reg query hkcu\software\*\putty\session*",".{0,1000}reg\squery\shkcu\\software\\.{0,1000}\\putty\\session.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt 
Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56807" "*reg query hkcu\software\*\putty\session*",".{0,1000}reg\squery\shkcu\\software\\.{0,1000}\\putty\\session.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56808" "*reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run*",".{0,1000}reg\squery\sHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.{0,1000}","greyware_tool_keyword","reg","queries the Windows Registry for entries in the Run key (indicate programs set to execute upon user login - potentially revealing persistence mechanisms)","T1012","TA0007","N/A","N/A","Discovery","N/A","1","0","#registry","N/A","6","10","N/A","N/A","N/A","N/A","56809" "*reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL*",".{0,1000}reg\squery\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\s\/v\sRunAsPPL.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","#registry","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56810" "*reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL*",".{0,1000}reg\squery\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\s\/v\sRunAsPPL.{0,1000}","greyware_tool_keyword","reg","Check if LSASS is running in PPL","T1012 - T1003.003","TA0009 - TA0006","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Reconnaissance","https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56811" "*reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ /v RunAsPPL*",".{0,1000}reg\squery\sHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\s\/v\sRunAsPPL.{0,1000}","greyware_tool_keyword","reg","NetExec (a.k.a nxc) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.","T1069 - T1021 - T1136 - T1018","TA0007 - TA0003 - TA0002 - TA0001","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Credential Access","https://github.com/Pennyw0rth/NetExec","1","0","#registry","Checking For Hidden Credentials With Appcmd.exe","10","10","4066","459","2025-04-20T00:08:29Z","2023-09-08T15:36:00Z","56812" "*reg query HKLM /f passw /t REG_SZ /s*",".{0,1000}reg\squery\sHKLM\s\/f\spassw\s\/t\sREG_SZ\s\/s.{0,1000}","greyware_tool_keyword","reg","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege 
Escalation","https://github.com/peass-ng/PEASS-ng","1","0","#registry","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","56814" "*reg query HKLM /f password /t REG_SZ /s *",".{0,1000}reg\squery\sHKLM\s\/f\spassword\s\s\/t\sREG_SZ\s\s\/s\s.{0,1000}","greyware_tool_keyword","reg","Searching the Registry for Passwords","T1552.001 - T1012","TA0006 - TA0009","N/A","N/A","Credential Access","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56815" "*reg query HKLM /f pwd /t REG_SZ /s*",".{0,1000}reg\squery\sHKLM\s\/f\spwd\s\/t\sREG_SZ\s\/s.{0,1000}","greyware_tool_keyword","reg","associated with PEASS-ng - Privilege Escalation Awesome Scripts suite","T1098","TA0004 - TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Privilege Escalation","https://github.com/peass-ng/PEASS-ng","1","0","#registry","N/A","10","10","17347","3209","2025-04-01T04:29:00Z","2019-01-13T19:58:24Z","56817" "*reg query hklm\software\OpenSSH*",".{0,1000}reg\squery\shklm\\software\\OpenSSH.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56818" "*reg query hklm\software\OpenSSH*",".{0,1000}reg\squery\shklm\\software\\OpenSSH.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56819" "*reg query hklm\software\OpenSSH\Agent*",".{0,1000}reg\squery\shklm\\software\\OpenSSH\\Agent.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt 
Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56820" "*reg query hklm\software\OpenSSH\Agent*",".{0,1000}reg\squery\shklm\\software\\OpenSSH\\Agent.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56821" "*reg query hklm\software\realvnc*",".{0,1000}reg\squery\shklm\\software\\realvnc.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56822" "*reg query hklm\software\realvnc*",".{0,1000}reg\squery\shklm\\software\\realvnc.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56823" "*reg query hklm\software\realvnc\Allusers*",".{0,1000}reg\squery\shklm\\software\\realvnc\\Allusers.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56824" "*reg query 
hklm\software\realvnc\Allusers*",".{0,1000}reg\squery\shklm\\software\\realvnc\\Allusers.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56825" "*reg query hklm\software\realvnc\Allusers\vncserver*",".{0,1000}reg\squery\shklm\\software\\realvnc\\Allusers\\vncserver.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56826" "*reg query hklm\software\realvnc\Allusers\vncserver*",".{0,1000}reg\squery\shklm\\software\\realvnc\\Allusers\\vncserver.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56827" "*reg query hklm\software\realvnc\vncserver*",".{0,1000}reg\squery\shklm\\software\\realvnc\\vncserver.{0,1000}","greyware_tool_keyword","reg","Query the Windows registry sensitive informations","T1012 - T1003.002","TA0007 - TA0003","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","56828" "*reg query hklm\software\realvnc\vncserver*",".{0,1000}reg\squery\shklm\\software\\realvnc\\vncserver.{0,1000}","greyware_tool_keyword","reg","credential access with reg","T1555 - T1003","TA0007 - TA0006","N/A","APT41","Credential 
Access","https://medium.com/detect-fyi/playbook-hunting-chinese-apt-379a6b950492","1","0","#registry","N/A","7","7","N/A","N/A","N/A","N/A","56829" "*reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags*",".{0,1000}reg\squery\sHKLM\\System\\CurrentControlSet\\Control\\LSA\s\/v\sLsaCfgFlags.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","#registry","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56830" "*reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential*",".{0,1000}reg\squery\sHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\s\/v\sUseLogonCredential.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","#registry","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56831" "*reg save ""HK""L""""M\s""""a""""m"""" win32.dll*",".{0,1000}reg\ssave\s\""HK\""L\""M\\s\""a\""m\""\swin32\.dll.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56832" "*reg save ""HK""L""""M\s""""ys""""t""em"" win32.exe*",".{0,1000}reg\ssave\s\""HK\""L\""M\\s\""ys\""t\""em\""\swin32\.exe.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56833" "*reg save ""HK*L*M\s*ec*u*rit*y*"" update.exe*",".{0,1000}reg\ssave\s\""HK.{0,1000}L.{0,1000}M\\s.{0,1000}ec.{0,1000}u.{0,1000}rit.{0,1000}y.{0,1000}\""\supdate\.exe.{0,1000}","greyware_tool_keyword","reg","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","56834" "*reg save hklm\sam *.dat*",".{0,1000}reg\ssave\shklm\\sam\s.{0,1000}\.dat.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive hklm\sam to a .dat file","T1003.002 - T1564.001","TA0006 - TA0010","N/A","Volt Typhoon","Collection","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56835" "*reg save HKLM\SAM *c:*",".{0,1000}reg\ssave\sHKLM\\SAM\s.{0,1000}c\:.{0,1000}","greyware_tool_keyword","reg","the commands are used to export the SAM and SYSTEM registry hives which contain sensitive Windows security data including hashed passwords for local accounts. By obtaining these hives an attacker can attempt to crack the hashes or use them in pass-the-hash attacks for unauthorized access.","T1003.002","TA0009","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56836" "*reg save hklm\sam sam*",".{0,1000}reg\ssave\shklm\\sam\ssam.{0,1000}","greyware_tool_keyword","reg","the commands are used to export the SAM and SYSTEM registry hives which contain sensitive Windows security data including hashed passwords for local accounts. 
By obtaining these hives an attacker can attempt to crack the hashes or use them in pass-the-hash attacks for unauthorized access.","T1003.002","TA0009","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56838" "*reg save HKLM\SECURITY *",".{0,1000}reg\ssave\sHKLM\\SECURITY\s.{0,1000}c\:.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive hklm\security to a .dat file","T1005 - T1003.002","TA0005 - TA0003","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56839" "*reg save hklm\system *.dat*",".{0,1000}reg\ssave\shklm\\system\s.{0,1000}\.dat.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive hklm\system to a .dat file","T1005 - T1003.002","TA0005 - TA0003","N/A","Volt Typhoon","Collection","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56840" "*reg save HKLM\SYSTEM *c:*",".{0,1000}reg\ssave\sHKLM\\SYSTEM\s.{0,1000}c\:.{0,1000}","greyware_tool_keyword","reg","the commands are used to export the SAM and SYSTEM registry hives which contain sensitive Windows security data including hashed passwords for local accounts. 
By obtaining these hives an attacker can attempt to crack the hashes or use them in pass-the-hash attacks for unauthorized access.","T1003.002","TA0009","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56841" "*reg save hklm\system system*",".{0,1000}reg\ssave\shklm\\system\ssystem.{0,1000}","greyware_tool_keyword","reg","the commands are used to export the SAM and SYSTEM registry hives which contain sensitive Windows security data including hashed passwords for local accounts. By obtaining these hives an attacker can attempt to crack the hashes or use them in pass-the-hash attacks for unauthorized access.","T1003.002","TA0009","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","56843" "*reg.exe ADD ""HKLM\System\CurrentControlSet\Control\Lsa"" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f*",".{0,1000}reg\.exe\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\Lsa\""\s\/v\sEveryoneIncludesAnonymous\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56844" "*reg.exe ADD ""HKLM\System\CurrentControlSet\Control\Lsa"" /v RestrictAnonymous /t REG_DWORD /d 0 /f*",".{0,1000}reg\.exe\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\Lsa\""\s\/v\sRestrictAnonymous\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege 
Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56845" "*reg.exe ADD ""HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f*",".{0,1000}reg\.exe\sADD\s\""HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\""\s\/v\sNullSessionPipes\s\/t\sREG_MULTI_SZ\s\/d\ssrvsvc\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#servicename #registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56846" "*reg.exe ADD ""HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"" /v NullSessionShares /t REG_MULTI_SZ /d share /f*",".{0,1000}reg\.exe\sADD\s\""HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\""\s\/v\sNullSessionShares\s\/t\sREG_MULTI_SZ\s\/d\sshare\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#servicename #registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56847" "*reg.exe add *HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction*",".{0,1000}reg\.exe\sadd\s.{0,1000}HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\sDefender\\Threats\\ThreatIDDefaultAction.{0,1000}","greyware_tool_keyword","reg","Windows Defender Tampering Via registry","T1489 - T1112","TA0005","N/A","Rancor - OilRig - Dragonfly - GALLIUM - Turla","Defense Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56851" "*reg.exe delete 
""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"" /va /f*",".{0,1000}reg\.exe\sdelete\s\""HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\sServer\sClient\\Default\""\s\/va\s\/f.{0,1000}","greyware_tool_keyword","reg","CleanRDP.bat script erasing RDP traces used by Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56853" "*reg.exe delete ""HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"" /f*",".{0,1000}reg\.exe\sdelete\s\""HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\sServer\sClient\\Servers\""\s\/f.{0,1000}","greyware_tool_keyword","reg","CleanRDP.bat script erasing RDP traces used by Dispossessor ransomware group","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56854" "*reg.exe query hklm ^| findstr /i \\OFFLINE'*",".{0,1000}reg\.exe\squery\shklm\s\^\|\sfindstr\s\/i\s\\\\OFFLINE\'.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56858" "*reg.exe query hklm ^| findstr /i \OFFLINE*",".{0,1000}reg\.exe\squery\shklm\s\^\|\sfindstr\s\/i\s\\OFFLINE.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56859" "*reg.exe 
save hklm\sam *",".{0,1000}reg\.exe\ssave\shklm\\sam\s.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive","T1003.002","TA0009","N/A","Dispossessor - Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56862" "*reg.exe save hklm\security *",".{0,1000}reg\.exe\ssave\shklm\\security\s.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive","T1003.002","TA0009","N/A","Dispossessor - Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56865" "*reg.exe save hklm\system *",".{0,1000}reg\.exe\ssave\shklm\\system\s.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive","T1003.002","TA0009","N/A","Dispossessor - Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56868" "*reg.exe"" ADD ""HKLM\System\CurrentControlSet\Control\Lsa"" /v EveryoneIncludesAnonymous /t REG_DWORD /d 1 /f*",".{0,1000}reg\.exe\""\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\Lsa\""\s\/v\sEveryoneIncludesAnonymous\s\/t\sREG_DWORD\s\/d\s1\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56871" "*reg.exe"" ADD ""HKLM\System\CurrentControlSet\Control\Lsa"" /v RestrictAnonymous /t REG_DWORD /d 0 /f*",".{0,1000}reg\.exe\""\sADD\s\""HKLM\\System\\CurrentControlSet\\Control\\Lsa\""\s\/v\sRestrictAnonymous\s\/t\sREG_DWORD\s\/d\s0\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege 
Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56872" "*reg.exe"" ADD ""HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"" /v NullSessionPipes /t REG_MULTI_SZ /d srvsvc /f*",".{0,1000}reg\.exe\""\sADD\s\""HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\""\s\/v\sNullSessionPipes\s\/t\sREG_MULTI_SZ\s\/d\ssrvsvc\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#servicename #registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56873" "*reg.exe"" ADD ""HKLM\System\CurrentControlSet\Services\LanManServer\Parameters"" /v NullSessionShares /t REG_MULTI_SZ /d share /f*",".{0,1000}reg\.exe\""\sADD\s\""HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\""\s\/v\sNullSessionShares\s\/t\sREG_MULTI_SZ\s\/d\sshare\s\/f.{0,1000}","greyware_tool_keyword","reg","PrintNightmare exploitation","T1210 - T1059.001 - T1548.002","TA0001 - TA0002 - TA0004","N/A","Dispossessor","Privilege Escalation","https://github.com/outflanknl/PrintNightmare","1","0","#servicename #registry","N/A","7","4","337","67","2021-09-13T08:45:26Z","2021-09-13T08:44:02Z","56874" "*reg.exe"" save hklm\sam *",".{0,1000}reg\.exe\""\ssave\shklm\\sam\s.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive","T1003.002","TA0009","N/A","Dispossessor - Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56875" "*reg.exe"" save hklm\security *",".{0,1000}reg\.exe\""\ssave\shklm\\security\s.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive","T1003.002","TA0009","N/A","Dispossessor - Rancor - OilRig - Dragonfly - GALLIUM - 
Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56876" "*reg.exe"" save hklm\system *",".{0,1000}reg\.exe\""\ssave\shklm\\system\s.{0,1000}","greyware_tool_keyword","reg","saves a copy of the registry hive","T1003.002","TA0009","N/A","Dispossessor - Rancor - OilRig - Dragonfly - GALLIUM - Turla","Collection","N/A","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","56877" "*reg.exe* delete *\Software\Microsoft\Windows Defender*",".{0,1000}reg\.exe.{0,1000}\sdelete\s.{0,1000}\\Software\\Microsoft\\Windows\sDefender.{0,1000}","greyware_tool_keyword","reg","Deletes Windows Defender registry entries","T1070","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56878" "*reg.exe* delete *\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC*",".{0,1000}reg\.exe.{0,1000}\sdelete\s.{0,1000}\\Software\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-Windows\sDefender\/WHC.{0,1000}","greyware_tool_keyword","reg","Deletes the Windows Event Log channel for Windows Defender WHC (Windows Health Center)","T1070","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56879" "*reg.exe* delete*\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender*",".{0,1000}reg\.exe.{0,1000}\sdelete.{0,1000}\\Software\\Microsoft\\SystemSettings\\SettingId\\SystemSettings_WindowsDefender_UseWindowsDefender.{0,1000}","greyware_tool_keyword","reg","Deletes the registry key responsible for enabling Windows Defender under System Settings.","T1070","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56880" "*Register-AADIntHybridHealthServiceAgent*",".{0,1000}Register\-AADIntHybridHealthServiceAgent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure 
AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56888" "*Register-AADIntMFAApp*",".{0,1000}Register\-AADIntMFAApp.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56889" "*Register-AADIntProxyAgent*",".{0,1000}Register\-AADIntProxyAgent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56890" "*Register-AADIntPTAAgent*",".{0,1000}Register\-AADIntPTAAgent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56891" 
"*Register-AADIntSyncAgent*",".{0,1000}Register\-AADIntSyncAgent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","56892" "*regsvr32 AmsiProvider.dll*",".{0,1000}regsvr32\sAmsiProvider\.dll.{0,1000}","greyware_tool_keyword","regsvr32","A fake AMSI Provider which can be used for persistence","T1546.013 - T1574.012","TA0005 - TA0003","N/A","N/A","Persistence","https://github.com/netbiosX/AMSI-Provider","1","0","N/A","The AMSI Provider can be registered with the system by executing the following command from an elevated command prompt - risk of false positive","9","2","150","16","2021-05-16T16:56:15Z","2021-05-15T16:18:47Z","56908" "*relay-*.net.anydesk.com*",".{0,1000}relay\-.{0,1000}\.net\.anydesk\.com.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","1","1","N/A","risk of false positives - compliance detection","10","10","N/A","N/A","N/A","N/A","56917" "*-relay.screenconnect.com*",".{0,1000}\-relay\.screenconnect\.com.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater 
","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56919" "*relays.syncthing.net*",".{0,1000}relays\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","56921" "*RemCom - Win32 Debug*",".{0,1000}RemCom\s\-\sWin32\sDebug.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","56941" "*RemCom - Win32 Release*",".{0,1000}RemCom\s\-\sWin32\sRelease.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","56942" "*RemComSvc - Win32 Debug*",".{0,1000}RemComSvc\s\-\sWin32\sDebug.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral 
Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","56943" "*RemComSvc - Win32 Release*",".{0,1000}RemComSvc\s\-\sWin32\sRelease.{0,1000}","greyware_tool_keyword","RemCom","Remote Command Executor: A OSS replacement for PsExec and RunAs","T1077 - T1059 - T1021 - T1569.002","TA0002 - TA0005 - TA0008","N/A","APT33 - TA558 - The Gorgon Group - Common Raven - APT-C-36 - Operation Comando ","Lateral Movement","https://github.com/kavika13/RemCom","1","0","N/A","N/A","10","4","346","100","2017-10-30T04:48:38Z","2011-11-09T11:00:09Z","56944" "*remiflavien1/nse-install*",".{0,1000}remiflavien1\/nse\-install.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","56945" "*remot3.it, Inc*",".{0,1000}remot3\.it,\sInc.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","0","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","56947" "*Remote AccessECompatibility.exe*",".{0,1000}Remote\sAccessECompatibility\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56949" "*Remote 
Access-linux32arm-offline.tar*",".{0,1000}Remote\sAccess\-linux32arm\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56950" "*Remote Access-linux32arm-online.tar*",".{0,1000}Remote\sAccess\-linux32arm\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56951" "*Remote Access-linux32-offline.tar*",".{0,1000}Remote\sAccess\-linux32\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56952" "*Remote Access-linux32-online.tar*",".{0,1000}Remote\sAccess\-linux32\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56953" "*Remote Access-linux64arm-offline.tar*",".{0,1000}Remote\sAccess\-linux64arm\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56954" "*Remote 
Access-linux64arm-online.tar*",".{0,1000}Remote\sAccess\-linux64arm\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56955" "*Remote Access-linux64-offline.tar*",".{0,1000}Remote\sAccess\-linux64\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56956" "*Remote Access-linux64-online.tar*",".{0,1000}Remote\sAccess\-linux64\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56957" "*Remote Access-macos-intel-offline.dmg*",".{0,1000}Remote\sAccess\-macos\-intel\-offline\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56958" "*Remote Access-macos-intel-online.dmg*",".{0,1000}Remote\sAccess\-macos\-intel\-online\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56959" "*Remote 
Access-macos-offline.dmg*",".{0,1000}Remote\sAccess\-macos\-offline\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56960" "*Remote Access-macos-online.dmg*",".{0,1000}Remote\sAccess\-macos\-online\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56961" "*Remote Access-windows32-offline.exe*",".{0,1000}Remote\sAccess\-windows32\-offline\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56962" "*Remote Access-windows32-online.exe*",".{0,1000}Remote\sAccess\-windows32\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56963" "*Remote Access-windows64-offline.exe*",".{0,1000}Remote\sAccess\-windows64\-offline\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56964" "*remote 
access-windows64-online.exe*",".{0,1000}remote\saccess\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56965" "*Remote Access-windows64-online.exe*",".{0,1000}Remote\sAccess\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56966" "*Remote Support-java-online.jar*",".{0,1000}Remote\sSupport\-java\-online\.jar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56969" "*Remote Support-linux32arm-offline.tar*",".{0,1000}Remote\sSupport\-linux32arm\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56970" "*Remote Support-linux32arm-online.tar*",".{0,1000}Remote\sSupport\-linux32arm\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56971" "*Remote 
Support-linux32-offline.tar*",".{0,1000}Remote\sSupport\-linux32\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56972" "*Remote Support-linux32-online.tar*",".{0,1000}Remote\sSupport\-linux32\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56973" "*Remote Support-linux64arm-offline.tar*",".{0,1000}Remote\sSupport\-linux64arm\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56974" "*Remote Support-linux64arm-online.tar*",".{0,1000}Remote\sSupport\-linux64arm\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56975" "*Remote Support-linux64-offline.tar*",".{0,1000}Remote\sSupport\-linux64\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56976" "*Remote 
Support-linux64-online.tar*",".{0,1000}Remote\sSupport\-linux64\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","56977" "*Remote Support-macos-intel-offline.dmg*",".{0,1000}Remote\sSupport\-macos\-intel\-offline\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56978" "*Remote Support-macos-intel-online.dmg*",".{0,1000}Remote\sSupport\-macos\-intel\-online\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56979" "*Remote Support-macos-offline.dmg*",".{0,1000}Remote\sSupport\-macos\-offline\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56980" "*Remote Support-macos-online.dmg*",".{0,1000}Remote\sSupport\-macos\-online\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","56981" "*Remote 
Support-windows32-offline.exe*",".{0,1000}Remote\sSupport\-windows32\-offline\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56982" "*Remote Support-windows32-online.exe*",".{0,1000}Remote\sSupport\-windows32\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56983" "*Remote Support-windows64-offline.exe*",".{0,1000}Remote\sSupport\-windows64\-offline\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56984" "*remote support-windows64-online.exe*",".{0,1000}remote\ssupport\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56985" "*Remote Support-windows64-online.exe*",".{0,1000}Remote\sSupport\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56986" "*Remote Utilities Pty (Cy) 
Ltd.*",".{0,1000}Remote\sUtilities\sPty\s\(Cy\)\sLtd\..{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56988" "*remote work-windows64-online.exe*",".{0,1000}remote\swork\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56989" "*Remote Work-windows64-online.exe*",".{0,1000}Remote\sWork\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","56990" "*remote.it.developertoolsHW9iHnd*",".{0,1000}remote\.it\.developertoolsHW9iHnd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","56991" "*RemoteAdmin.RemoteUtilities*",".{0,1000}RemoteAdmin\.RemoteUtilities.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#Avsignature","N/A","10","10","N/A","N/A","N/A","N/A","57010" "*RemoteDesktop.exe 
*",".{0,1000}RemoteDesktop\.exe\s.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57011" "*RemoteDesktop.exe*pwy-rd:?token=*",".{0,1000}RemoteDesktop\.exe.{0,1000}pwy\-rd\:\?token\=.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57012" "*remotedesktop.google.com/access*",".{0,1000}remotedesktop\.google\.com\/access.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57013" "*remotedesktop.google.com/support*",".{0,1000}remotedesktop\.google\.com\/support.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57014" "*RemoteDesktop_x64 (1).msi*",".{0,1000}RemoteDesktop_x64\s\(1\)\.msi.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service 
providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57015" "*RemoteDesktop_x64.msi*",".{0,1000}RemoteDesktop_x64\.msi.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57016" "*remoteit/installer*",".{0,1000}remoteit\/installer.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","57021" "*remoteit/remoteit-agent*",".{0,1000}remoteit\/remoteit\-agent.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","1","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","57022" "*remoteit-amd64-installer.deb*",".{0,1000}remoteit\-amd64\-installer\.deb.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","57023" "*remoteit-installer.exe*",".{0,1000}remoteit\-installer\.exe.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/desktop","1","1","N/A","N/A","10","10","46","11","2025-04-11T23:19:29Z","2019-01-12T00:59:20Z","57024" "*RemotePC (1).exe*",".{0,1000}RemotePC\s\(1\)\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57030" "*RemotePC Performance Printer.url*",".{0,1000}RemotePC\sPerformance\sPrinter\.url.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57031" "*RemotePC* - A new computer has been added to your account*",".{0,1000}RemotePC.{0,1000}\s\-\sA\snew\scomputer\shas\sbeen\sadded\sto\syour\saccount.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57032" "*RemotePC.exe *",".{0,1000}RemotePC\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57033" "*RemotePC.WebSockets.dll*",".{0,1000}RemotePC\.WebSockets\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57034" "*RemotePC\REMOTE~2.DLL*",".{0,1000}RemotePC\\REMOTE\~2\.DLL.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by 
attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57035" "*RemotePCAttended.exe*",".{0,1000}RemotePCAttended\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57036" "*RemotePCAttendedService*",".{0,1000}RemotePCAttendedService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57037" "*RemotePCBlackScreenApp.exe*",".{0,1000}RemotePCBlackScreenApp\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57038" "*RemotePCCopyPaste.txt*",".{0,1000}RemotePCCopyPaste\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57039" "*RemotePCDesktop.exe*",".{0,1000}RemotePCDesktop\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57040" "*RemotePCDesktop.txt*",".{0,1000}RemotePCDesktop\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57041" "*RemotePCHDDesktop.txt*",".{0,1000}RemotePCHDDesktop\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57042" "*RemotePCHDService.txt*",".{0,1000}RemotePCHDService\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57043" "*remotepclauncher.exe *",".{0,1000}remotepclauncher\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57044" "*RemotePCModules.log*",".{0,1000}RemotePCModules\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","#logfile","N/A","10","10","N/A","N/A","N/A","N/A","57045" "*RemotePCPerformanceWebLauncher.exe*",".{0,1000}RemotePCPerformanceWebLauncher\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57046" "*RemotePCPerformanceWebLauncher.log*",".{0,1000}RemotePCPerformanceWebLauncher\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57047" "*RemotePCPrinter.exe.config*",".{0,1000}RemotePCPrinter\.exe\.config.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57048" "*RemotePCPrinting.exe*",".{0,1000}RemotePCPrinting\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57049" "*RemotePCPrintView.exe*",".{0,1000}RemotePCPrintView\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57050" "*RemotePCProxys.dat*",".{0,1000}RemotePCProxys\.dat.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57051" "*RemotePCService.exe*",".{0,1000}RemotePCService\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57052" "*RemotePCService.txt*",".{0,1000}RemotePCService\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57053" "*RemotePCService_2.txt*",".{0,1000}RemotePCService_2\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57054" "*RemotePCShortcut.exe*",".{0,1000}RemotePCShortcut\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57055" "*RemotePCSuite.Model.dll*",".{0,1000}RemotePCSuite\.Model\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57056" "*RemotePCSuite.Service.dll*",".{0,1000}RemotePCSuite\.Service\.dll.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57057" "*remotepcuiu.exe *",".{0,1000}remotepcuiu\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57058" "*RemoteScanner.exe*",".{0,1000}RemoteScanner\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian 
- Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","57066" "*Remove-AADIntAccessDeviceFromIntune*",".{0,1000}Remove\-AADIntAccessDeviceFromIntune.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57074" "*Remove-AADIntAzureDiagnosticSettings*",".{0,1000}Remove\-AADIntAzureDiagnosticSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57075" "*Remove-AADIntDeviceFromAzureAD*",".{0,1000}Remove\-AADIntDeviceFromAzureAD.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57076" "*Remove-AADIntForceNTHash*",".{0,1000}Remove\-AADIntForceNTHash.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57077" "*Remove-AADIntHybridHealthService*",".{0,1000}Remove\-AADIntHybridHealthService.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57078" "*Remove-AADIntHybridHealthServiceMember*",".{0,1000}Remove\-AADIntHybridHealthServiceMember.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57079" "*Remove-AADIntMSPartnerDelegatedAdminRoles*",".{0,1000}Remove\-AADIntMSPartnerDelegatedAdminRoles.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for 
administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57080" "*Remove-AADIntPTASpy*",".{0,1000}Remove\-AADIntPTASpy.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57081" "*Remove-AADIntRolloutPolicy*",".{0,1000}Remove\-AADIntRolloutPolicy.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57082" "*Remove-AADIntRolloutPolicyGroups*",".{0,1000}Remove\-AADIntRolloutPolicyGroups.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57083" "*Remove-AADIntTeamsMessages*",".{0,1000}Remove\-AADIntTeamsMessages.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57084" "*Remove-Item -LiteralPath ""C:\Program Files (x86)\Sophos"" -Force -Recurse*",".{0,1000}Remove\-Item\s\-LiteralPath\s\""C\:\\Program\sFiles\s\(x86\)\\Sophos\""\s\-Force\s\-Recurse.{0,1000}","greyware_tool_keyword","powershell","Remove Sophos folders","T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57091" "*Remove-Item -LiteralPath ""C:\Program Files\Sophos"" -Force -Recurse*",".{0,1000}Remove\-Item\s\-LiteralPath\s\""C\:\\Program\sFiles\\Sophos\""\s\-Force\s\-Recurse.{0,1000}","greyware_tool_keyword","powershell","Remove Sophos folders","T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57092" "*Remove-Item -LiteralPath ""C:\Program Files\Sophos*"" -Force -Recurse*",".{0,1000}Remove\-Item\s\-LiteralPath\s\""C\:\\Program\sFiles\\Sophos.{0,1000}\""\s\-Force\s\-Recurse.{0,1000}","greyware_tool_keyword","powershell","Remove Sophos folders","T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57093" "*Remove-Item 
-LiteralPath ""C:\ProgramData\Sophos"" -Force -Recurse*",".{0,1000}Remove\-Item\s\-LiteralPath\s\""C\:\\ProgramData\\Sophos\""\s\-Force\s\-Recurse.{0,1000}","greyware_tool_keyword","powershell","Remove Sophos folders","T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57094" "*Remove-ItemProperty -Path ""HKLM:\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels"" -Name ""DisableDevTunnelsInVisualStudio""*",".{0,1000}Remove\-ItemProperty\s\-Path\s\""HKLM\:\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels\""\s\-Name\s\""DisableDevTunnelsInVisualStudio\"".{0,1000}","greyware_tool_keyword","powershell","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","57097" "*Remove-ItemProperty -Path* -Name MRUList *",".{0,1000}Remove\-ItemProperty\s\-Path.{0,1000}\s\-Name\sMRUList\s.{0,1000}","greyware_tool_keyword","powershell","attempts to evade defenses or remove traces of activity by deleting MRUList registry keys","T1012 - T1070 - T1485 - T1146","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","57098" "*Remove-ItemProperty*HKLM:\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels*DisableDevTunnelsInVisualStudio*",".{0,1000}Remove\-ItemProperty.{0,1000}HKLM\:\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels.{0,1000}DisableDevTunnelsInVisualStudio.{0,1000}","greyware_tool_keyword","powershell","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","57099" "*Removing AIX package from all standard users*",".{0,1000}Removing\sAIX\spackage\sfrom\sall\sstandard\susers.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","0","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","57124" "*ren C:\Windows\System32\amsi.dll *.dll",".{0,1000}ren\sC\:\\Windows\\System32\\amsi\.dll\s.{0,1000}\.dll","greyware_tool_keyword","ren","Spartacus DLL/COM Hijacking Toolkit","T1574.001 - T1055.001 - T1027.002","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","57125" "*ren sethc.exe sethcbad.exe*",".{0,1000}ren\ssethc\.exe\ssethcbad\.exe.{0,1000}","greyware_tool_keyword","ren","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z","57126" "*ren sethcold.exe sethc.exe*",".{0,1000}ren\ssethcold\.exe\ssethc\.exe.{0,1000}","greyware_tool_keyword","ren","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - 
TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z","57128" "*ren sethcold.exe sethc.exe*",".{0,1000}ren\ssethcold\.exe\ssethc\.exe.{0,1000}","greyware_tool_keyword","ren","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z","57129" "*ren SophosED.sys SophosED.sys.old*",".{0,1000}ren\sSophosED\.sys\sSophosED\.sys\.old.{0,1000}","greyware_tool_keyword","ren","renaming some AV sys files - allows bypass","T1070","TA0005","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57132" "*resolv.pre-tailscale-backup.conf*",".{0,1000}resolv\.pre\-tailscale\-backup\.conf.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","57162" "*resolv.tailscale.conf*",".{0,1000}resolv\.tailscale\.conf.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","57163" "*rest.ably.io*",".{0,1000}rest\.ably\.io.{0,1000}","greyware_tool_keyword","level.io","Level is reinventing remote monitoring and management","T1021 - T1071 
- T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://level.io/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57186" "*restic backup --*",".{0,1000}restic\sbackup\s\-\-.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57189" "*restic check --read-data*",".{0,1000}restic\scheck\s\-\-read\-data.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57190" "*restic init --repo *",".{0,1000}restic\sinit\s\-\-repo\s.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57191" "*restic -o s3.bucket-lookup*",".{0,1000}restic\s\-o\ss3\.bucket\-lookup.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57192" "*restic -r *",".{0,1000}restic\s\-r\s.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57193" "*restic --repo *",".{0,1000}restic\s\-\-repo\s.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57194" "*restic/restic:latest*",".{0,1000}restic\/restic\:latest.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57195" "*restic_*_windows_amd64.exe*",".{0,1000}restic_.{0,1000}_windows_amd64\.exe.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","1","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57196" "*RESTIC_PASSWORD=""I9n7G7G0ZpDWA3GOcJbIuwQCGvGUBkU5*",".{0,1000}RESTIC_PASSWORD\=\""I9n7G7G0ZpDWA3GOcJbIuwQCGvGUBkU5.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57197" "*RESTIC_REST_PASSWORD*",".{0,1000}RESTIC_REST_PASSWORD.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data 
Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57198" "*RESTIC_REST_USERNAME*",".{0,1000}RESTIC_REST_USERNAME.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","57199" "*Restore-AADIntADFSAutoRollover*",".{0,1000}Restore\-AADIntADFSAutoRollover.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","57203" "*Reverse tunnel server started*",".{0,1000}Reverse\stunnel\sserver\sstarted.{0,1000}","greyware_tool_keyword","pgrok","Poor man's ngrok - a multi-tenant HTTP/TCP reverse tunnel solution through SSH remote port forwarding","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/pgrok/pgrok","1","0","N/A","N/A","10","10","3325","117","2025-04-19T18:37:55Z","2023-03-08T12:43:55Z","57235" "*reverse_proxy_tcp.txt*",".{0,1000}reverse_proxy_tcp\.txt.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","0","#filehostingservice","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","57236" "*rfusclient.exe *",".{0,1000}rfusclient\.exe\s.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 
- T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57292" "*rl.ammyy.com/*",".{0,1000}rl\.ammyy\.com\/.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57334" "*rm $HISTFILE*",".{0,1000}rm\s\$HISTFILE.{0,1000}","greyware_tool_keyword","rm","deleting bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57337" "*rm .bash_history*",".{0,1000}rm\s\.bash_history.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","57338" "*rm .bash_history*",".{0,1000}rm\s\.bash_history.{0,1000}","greyware_tool_keyword","rm","deleting bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57339" "*rm /home/*/.bash_history*",".{0,1000}rm\s\/home\/.{0,1000}\/\.bash_history.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","57340" "*rm /root/.bash_history*",".{0,1000}rm\s\/root\/\.bash_history.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","57341" "*rm /var/log/*",".{0,1000}rm\s\/var\/log\/.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","57345" "*rm /var/log/*.log*",".{0,1000}rm\s\/var\/log\/.{0,1000}\.log.{0,1000}","greyware_tool_keyword","rm","deleting log files","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57346" "*rm ~/.bash_history*",".{0,1000}rm\s\~\/\.bash_history.{0,1000}","greyware_tool_keyword","rm","deleting bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57347" "*rm -f *.bash_history*",".{0,1000}rm\s\-f\s.{0,1000}\.bash_history.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense 
Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57348" "*rm -f *.zsh_history*",".{0,1000}rm\s\-f\s.{0,1000}\.zsh_history.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57350" "*rm -f /var/log/*",".{0,1000}rm\s\-f\s\/var\/log\/.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","57351" "*rm -f backpipe* mknod /tmp/backpipe p && nc *",".{0,1000}rm\s\-f\sbackpipe.{0,1000}\smknod\s\/tmp\/backpipe\sp\s\&\&\snc\s.{0,1000}","greyware_tool_keyword","shell","Reverse Shell Command Line","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","57352" "*rm -fr *.zsh_history*",".{0,1000}rm\s\-fr\s.{0,1000}\.zsh_history.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57353" "*rm -r /var/log/*",".{0,1000}rm\s\-r\s\/var\/log\/.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","57354" "*rm -rf *.zsh_history*",".{0,1000}rm\s\-rf\s.{0,1000}\.zsh_history.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host","T1070.002 
- T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57355" "*rm -rf .bash_history*",".{0,1000}rm\s\-rf\s\.bash_history.{0,1000}","greyware_tool_keyword","rm","delete bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57356" "*rm -rf /var/log/*",".{0,1000}rm\s\-rf\s\/var\/log\/.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","57359" "*rm -rf /var/log/messages*",".{0,1000}rm\s\-rf\s\/var\/log\/messages.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","57360" "*rm -rf /var/log/security*",".{0,1000}rm\s\-rf\s\/var\/log\/security.{0,1000}","greyware_tool_keyword","rm","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","57361" "*rm -rf ~/.bash_history*",".{0,1000}rm\s\-rf\s\~\/\.bash_history.{0,1000}","greyware_tool_keyword","rm","delete bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57363" "*rmdir C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources 
/S*",".{0,1000}rmdir\sC\:\\ProgramData\\Microsoft\\Windows\sDefender\\Quarantine\\Resources\s\/S.{0,1000}","greyware_tool_keyword","rmdir","del command used by Anti Forensics Tools","T1070.001 - T1070.002 - T1070.004 - T1070.006 - T1070.009 - T1564.004 - T1553.002 - T1027","TA0005 - TA0004","N/A","N/A","Defense Evasion","https://github.com/PaulNorman01/Forensia","1","0","N/A","N/A","10","8","755","75","2023-06-23T23:23:22Z","2022-12-07T14:45:52Z","57369" "*rmm.barracudamsp.com*",".{0,1000}rmm\.barracudamsp\.com.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57390" "*RMM.WebRemote.exe*",".{0,1000}RMM\.WebRemote\.exe.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","57391" "*rmmod -r*",".{0,1000}rmmod\s\-r.{0,1000}","greyware_tool_keyword","rmmod","Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This rule identifies attempts to remove a kernel module.","T1547.006 - T1070.006","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_kernel_module_removal.toml","1","0","N/A","greyware tool - risks of False positive !","7","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","57393" "*rmmod --remove*",".{0,1000}rmmod\s\-\-remove.{0,1000}","greyware_tool_keyword","rmmod","Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.","T1547.006 - T1070.006","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_kernel_module_removal.toml","1","0","N/A","greyware tool - risks of False positive !","7","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","57394" "*robbie-cahill/tunnelmole-client*",".{0,1000}robbie\-cahill\/tunnelmole\-client.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","57421" "*robertdavidgraham/rdpscan*",".{0,1000}robertdavidgraham\/rdpscan.{0,1000}","greyware_tool_keyword","rdpscan","A quick scanner for the CVE-2019-0708 ""BlueKeep"" vulnerability","T1210 - T1046","TA0001 - TA0008","N/A","Dispossessor","Discovery","https://github.com/robertdavidgraham/rdpscan","1","1","N/A","N/A","6","10","904","242","2019-06-22T21:48:45Z","2019-05-23T22:50:12Z","57424" "*ROCAVulnerabilityTester*",".{0,1000}ROCAVulnerabilityTester.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 
- T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","57426" "*root/SecurityCenter2* -ClassName AntiVirusProduct*",".{0,1000}root\/SecurityCenter2.{0,1000}\s\-ClassName\sAntiVirusProduct.{0,1000}","greyware_tool_keyword","powershell","list AV products with powershell","T1518.001 - T1082","TA0007 - TA0005","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","2","9","N/A","N/A","N/A","N/A","57455" "*rootcert.meshcentral.com*",".{0,1000}rootcert\.meshcentral\.com.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","57460" "*RpcApp*TransferClient.exe*",".{0,1000}RpcApp.{0,1000}TransferClient\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57499" "*RpcApp*TransferServer.exe*",".{0,1000}RpcApp.{0,1000}TransferServer\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57500" "*RpcApp\Tools\TransferClient.exe*",".{0,1000}RpcApp\\Tools\\TransferClient\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC 
Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57501" "*RPCAttendedInstaller.log*",".{0,1000}RPCAttendedInstaller\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57504" "*rpcclient -U """" *",".{0,1000}rpcclient\s\-U\s\""\s.{0,1000}","greyware_tool_keyword","rpcclient","tool for executing client side MS-RPC functions (NULL session)","T1021.006 - T1049","TA0002 - TA0009","N/A","N/A","Lateral Movement","https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html","1","0","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","57507" "*rpcdownloader.exe *",".{0,1000}rpcdownloader\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57508" "*RPCDownloaderLogFile.txt*",".{0,1000}RPCDownloaderLogFile\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57509" "*RPCFireWallRule.exe*",".{0,1000}RPCFireWallRule\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57514" 
"*RPCFireWallRulelogfile.txt*",".{0,1000}RPCFireWallRulelogfile\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57515" "*RPCKeyMouseHandler.txt*",".{0,1000}RPCKeyMouseHandler\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57517" "*RPCPerformanceHealthCheck*",".{0,1000}RPCPerformanceHealthCheck.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57521" "*rpcperformanceservice.exe*",".{0,1000}rpcperformanceservice\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57522" "*RPCPerformanceService.exe*",".{0,1000}RPCPerformanceService\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57523" "*rpcperfviewer.exe *",".{0,1000}rpcperfviewer\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57524" 
"*RPCPerfViewer.log*",".{0,1000}RPCPerfViewer\.log.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","#logfile","N/A","10","10","N/A","N/A","N/A","N/A","57525" "*rpcprinterdownloader.exe*",".{0,1000}rpcprinterdownloader\.exe.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57526" "*RPCProxyLatency.exe *",".{0,1000}RPCProxyLatency\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57527" "*RPCsuiteLaunch.txt*",".{0,1000}RPCsuiteLaunch\.txt.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57534" "*rserver3 /start*",".{0,1000}rserver3\s\/start.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57541" "*rserver3 /stop*",".{0,1000}rserver3\s\/stop.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57542" 
"*rserver3.exe*/start*",".{0,1000}rserver3\.exe.{0,1000}\/start.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57543" "*rserver3.exe*/stop*",".{0,1000}rserver3\.exe.{0,1000}\/stop.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57544" "*rs-ny.rustdesk.com*",".{0,1000}rs\-ny\.rustdesk\.com.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","network request after installation","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57547" "*rsocks --config*",".{0,1000}rsocks\s\-\-config.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","57548" "*rsocks/server.py*",".{0,1000}rsocks\/server\.py.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","1","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","57549" 
"*rsocks\server.py*",".{0,1000}rsocks\\server\.py.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","0","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","57550" "*rsync -e 'sh -p -c *sh 0<&2 1>&2*127.0.0.1:/dev/null*",".{0,1000}rsync\s\-e\s\'sh\s\-p\s\-c\s.{0,1000}sh\s0\<\&2\s1\>\&2.{0,1000}127\.0\.0\.1\:\/dev\/null.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","N/A","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","57561" "*rsync -r * *@*:*",".{0,1000}rsync\s\-r\s.{0,1000}\s.{0,1000}\@.{0,1000}\:.{0,1000}","greyware_tool_keyword","rsync","Detects the use of tools that copy files from or to remote systems","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","N/A","Data Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57562" "*rsync -r *@*:* *",".{0,1000}rsync\s\-r\s.{0,1000}\@.{0,1000}\:.{0,1000}\s.{0,1000}","greyware_tool_keyword","rsync","Detects the use of tools that copy files from or to remote systems","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","N/A","Data Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","57563" "*ruby -rsocket *TCPSocket.open(*exec sprintf*/bin/sh -i *",".{0,1000}ruby\s\-rsocket\s.{0,1000}TCPSocket\.open\(.{0,1000}exec\ssprintf.{0,1000}\/bin\/sh\s\-i\s.{0,1000}","greyware_tool_keyword","ruby","ruby reverse shell","T1071 - T1071.004 - T1021","TA0002 - 
TA0011","N/A","N/A","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","57617" "*rule name=""TransferServer""*",".{0,1000}rule\sname\=\""TransferServer\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57633" "*'RuleName'>NetSupport Client<*",".{0,1000}\'RuleName\'\>NetSupport\sClient\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57634" "*'RuleName'>NetSupport Control<*",".{0,1000}\'RuleName\'\>NetSupport\sControl\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57635" "*'RuleName'>NetSupport Deploy<*",".{0,1000}\'RuleName\'\>NetSupport\sDeploy\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - 
Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57636" "*'RuleName'>NetSupport Gateway<*",".{0,1000}\'RuleName\'\>NetSupport\sGateway\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57637" "*'RuleName'>NetSupport Group Leader<*",".{0,1000}\'RuleName\'\>NetSupport\sGroup\sLeader\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57638" "*'RuleName'>NetSupport Run Script<*",".{0,1000}\'RuleName\'\>NetSupport\sRun\sScript\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57639" "*'RuleName'>NetSupport Script Editor<*",".{0,1000}\'RuleName\'\>NetSupport\sScript\sEditor\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by 
adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57640" "*'RuleName'>NetSupport Scripting Agent<*",".{0,1000}\'RuleName\'\>NetSupport\sScripting\sAgent\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57641" "*'RuleName'>NetSupport Tech Console<*",".{0,1000}\'RuleName\'\>NetSupport\sTech\sConsole\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57642" "*'RuleName'>NetSupport Tutor<*",".{0,1000}\'RuleName\'\>NetSupport\sTutor\<.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","#firewallrulename","N/A","10","10","N/A","N/A","N/A","N/A","57643" 
"*rundll32*.dll*a*/p:*",".{0,1000}rundll32.{0,1000}\.dll.{0,1000}a.{0,1000}\/p\:.{0,1000}","greyware_tool_keyword","rundll32","Detects the use of getsystem Meterpreter/Cobalt Strike command. Getsystem is used to elevate privilege to SYSTEM account.","T1055.002 - T1078.002 - T1134.001 - T1134.002","TA0002 - TA0008","N/A","N/A","Exploitation tool","https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","57701" "*rundll32*.dll*StartW*",".{0,1000}rundll32.{0,1000}\.dll.{0,1000}StartW.{0,1000}","greyware_tool_keyword","rundll32","Rundll32 can be used by Cobalt Strike with StartW function to load DLLs from the command line.","T1218.005 - T1071.001","TA0002 - TA0003","N/A","N/A","Exploitation tool","https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence","1","0","N/A","greyware tool - risks of False positive !","N/A","10","1282","189","2022-07-14T07:15:10Z","2021-01-01T16:44:42Z","57702" "*rundll32*comsvcs.dll MiniDump *",".{0,1000}rundll32.{0,1000}comsvcs\.dll\sMiniDump\s.{0,1000}","greyware_tool_keyword","rundll32","Calling MiniDump function - dump memory of a process (often abused to dump lsass process)","T1218.011 - T1003","TA0006 - TA0005 - TA0002","N/A","Black Basta","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57703" "*rundll32.exe *comsvcs.dll, MiniDump *lsass*full*",".{0,1000}rundll32\.exe\s.{0,1000}comsvcs\.dll,\sMiniDump\s.{0,1000}lsass.{0,1000}full.{0,1000}","greyware_tool_keyword","rundll32","dumping lsass","T1055.002 - T1078.002 - T1134.001 - T1134.002","TA0002 - TA0008","N/A","Dispossessor - Black Basta","Exploitation tool","https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml","1","0","N/A","greyware tool - risks of False 
positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","57704" "*runscript -raw=```curl *",".{0,1000}runscript\s\-raw\=\`\`\`curl\s.{0,1000}","greyware_tool_keyword","crowdstrike falcon","suspicious commands executed remotely by crowdstrike agent","T1033","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","6","5","N/A","N/A","N/A","N/A","57731" "*runscript -raw=```whoami*",".{0,1000}runscript\s\-raw\=\`\`\`whoami.{0,1000}","greyware_tool_keyword","crowdstrike falcon","suspicious commands executed remotely by crowdstrike agent","T1033","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","6","5","N/A","N/A","N/A","N/A","57732" "*RuntimeBroker_rustdesk.exe*",".{0,1000}RuntimeBroker_rustdesk\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57747" "*runuser -l boringproxy *",".{0,1000}runuser\s\-l\sboringproxy\s.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","57748" "*RustDesk Service is running*",".{0,1000}RustDesk\sService\sis\srunning.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57758" "*rustdesk-*.apk*",".{0,1000}rustdesk\-.{0,1000}\.apk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57759" "*rustdesk-*.deb*",".{0,1000}rustdesk\-.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57760" "*rustdesk-*.dmg*",".{0,1000}rustdesk\-.{0,1000}\.dmg.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered 
Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","#macos","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57761" "*rustdesk-*.rpm*",".{0,1000}rustdesk\-.{0,1000}\.rpm.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57762" "*rustdesk-*-win7-install.exe*",".{0,1000}rustdesk\-.{0,1000}\-win7\-install\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57763" "*RustDesk.exe *",".{0,1000}RustDesk\.exe\s.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57764" "*RUSTDESK.EXE-*.pf*",".{0,1000}RUSTDESK\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57765" 
"*RustDesk_hwcodec.*",".{0,1000}RustDesk_hwcodec\..{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57766" "*RustDesk_install.bat*",".{0,1000}RustDesk_install\.bat.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57767" "*rustdesk_portable.exe*",".{0,1000}rustdesk_portable\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57768" "*RustDesk_rCURRENT.log*",".{0,1000}RustDesk_rCURRENT\.log.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57769" "*RustDesk_uninstall.bat*",".{0,1000}RustDesk_uninstall\.bat.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - 
T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57770" "*RustDeskIddDriver.cer*",".{0,1000}RustDeskIddDriver\.cer.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57771" "*RustDeskIddDriver.dll*",".{0,1000}RustDeskIddDriver\.dll.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57772" "*rustdesk-portable-packer.exe*",".{0,1000}rustdesk\-portable\-packer\.exe.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open suorce remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","1","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","57773" "*rutserv.exe *",".{0,1000}rutserv\.exe\s.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57786" "*rutserv.exe 
/*",".{0,1000}rutserv\.exe\s\/.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57787" "*rutview.exe *",".{0,1000}rutview\.exe\s.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57788" "*rutview.exe -*",".{0,1000}rutview\.exe\s\-.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57789" "*s\AutoHotkey Window Spy.lnk*",".{0,1000}s\\AutoHotkey\sWindow\sSpy\.lnk.{0,1000}","greyware_tool_keyword","Ahk2Exe","Official AutoHotkey script compiler - misused in scripting malicious executables","T1059 - T1204 - T1036 - T1027","TA0002 - TA0005","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/Ahk2Exe","1","0","N/A","N/A","7","7","658","118","2025-03-09T02:27:33Z","2011-08-01T10:28:19Z","57812" "*S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2')*",".{0,1000}S\`eT\-It\`em\s\(\s\'V\'\+\'aR\'\s\+\s\s\'IA\'\s\+\s\(\'blE\:1\'\+\'q2\'\).{0,1000}","greyware_tool_keyword","powershell","AMSI bypass obfuscation pattern","T1059.001 - T1562.001 - T1027.009","TA0005 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","57813" "*SamOfflineConnect*",".{0,1000}SamOfflineConnect.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor 
Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57905" "*SamOfflineEnumerateDomainsInSamServer*",".{0,1000}SamOfflineEnumerateDomainsInSamServer.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57906" "*SamOfflineEnumerateUsersInDomain2*",".{0,1000}SamOfflineEnumerateUsersInDomain2.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57907" "*SamOfflineGetMembersInAlias*",".{0,1000}SamOfflineGetMembersInAlias.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57908" "*SamOfflineLookupDomainInSamServer*",".{0,1000}SamOfflineLookupDomainInSamServer.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57909" 
"*SamOfflineOpenDomain*",".{0,1000}SamOfflineOpenDomain.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57910" "*SamOfflineOpenUser*",".{0,1000}SamOfflineOpenUser.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57911" "*SamOfflineQueryInformationAlias*",".{0,1000}SamOfflineQueryInformationAlias.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57912" "*SamOfflineQueryInformationUser*",".{0,1000}SamOfflineQueryInformationUser.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57913" "*SamOfflineRemoveMemberFromAlias*",".{0,1000}SamOfflineRemoveMemberFromAlias.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential 
Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57914" "*SamOfflineRidToSid*",".{0,1000}SamOfflineRidToSid.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57915" "*SamOfflineSetInformationAlias*",".{0,1000}SamOfflineSetInformationAlias.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57916" "*sanalytics.box.com*",".{0,1000}sanalytics\.box\.com.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","1","N/A","N/A","6","7","N/A","N/A","N/A","N/A","57927" "*sandialabs/wiretap*",".{0,1000}sandialabs\/wiretap.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","57932" "*sc delete ""RPCService""*",".{0,1000}sc\s\sdelete\s\""RPCService\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57941" "*SC QUERYEX ""PC Monitor""*",".{0,1000}SC\s\sQUERYEX\s\""PC\sMonitor\"".{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57942" "*SC QUERYEX ""PC Monitor""*",".{0,1000}SC\s\sQUERYEX\s\""PC\sMonitor\"".{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57943" "*SC QUERYEX ""VSAX""*",".{0,1000}SC\s\sQUERYEX\s\""VSAX\"".{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments - it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57944" "*sc sdset RemoteAccess *",".{0,1000}sc\s\ssdset\sRemoteAccess\s.{0,1000}","greyware_tool_keyword","sc","modifies the security descriptor of the RemoteAccess service - could be used to achieve persistence or elevate privileges","T1543.003 - T1112","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","57945" "*sc start 
""RPCService""*",".{0,1000}sc\s\sstart\s\""RPCService\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57946" "*sc stop ""RPCService""*",".{0,1000}sc\s\sstop\s\""RPCService\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57947" "*sc config KeyIso start= Disabled | sc stop KeyIso*",".{0,1000}sc\sconfig\sKeyIso\sstart\=\sDisabled\s\|\ssc\sstop\sKeyIso.{0,1000}","greyware_tool_keyword","sc","disables and stops the KeyIso service (CNG Key Isolation) potentially interfering with cryptographic functions on the system","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://github.com/spicy-bear/Threat-Hunting/blob/2c89b519862672e29547b4db4796caa923044595/95.213.145.101/%D1%81%D0%B8%D1%80/bat/defendermalwar.bat#L3","1","0","N/A","N/A","8","1","0","0","2024-10-31T13:26:22Z","2024-10-31T12:11:37Z","57948" "*sc config WinDefend start= disabled*",".{0,1000}sc\sconfig\sWinDefend\sstart\=\sdisabled.{0,1000}","greyware_tool_keyword","shell","Defense evasion technique In order to avoid detection at any point of the kill chain. attackers use several ways to disable anti-virus. 
disable Microsoft firewall and clear logs.","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","57949" "*sc create *cmd /c regsvr32.exe /s *\desktop.ini*",".{0,1000}sc\screate\s.{0,1000}cmd\s\/c\sregsvr32\.exe\s\/s\s.{0,1000}\\desktop\.ini.{0,1000}","greyware_tool_keyword","regsvr32","suspicious service creation executing a desktop.ini file observed in a malware sample","T1543.003","TA0003","N/A","N/A","Persistence","https://www.virustotal.com/gui/file/faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e/behavior","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","57950" "*sc create *nc.exe -*cmd.exe*",".{0,1000}sc\screate\s.{0,1000}nc\.exe\s\-.{0,1000}cmd\.exe.{0,1000}","greyware_tool_keyword","sc","create service with netcat","T1569.002 - T1059.003 - T1021.006","TA0004 - TA0002 - TA0011","N/A","Snatch","Persistence","https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","57951" "*sc create Cloudflared binPath=\*",".{0,1000}sc\screate\sCloudflared\sbinPath\=\\.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","57952" "*sc create RPCService start=auto*",".{0,1000}sc\screate\sRPCService\sstart\=auto.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57955" "*sc create RPCService*",".{0,1000}sc\screate\sRPCService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57956" "*sc delete ""AVP18.0.0""*",".{0,1000}sc\sdelete\s\""AVP18\.0\.0\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57958" "*sc delete ""ekrn""*",".{0,1000}sc\sdelete\s\""ekrn\"".{0,1000}","greyware_tool_keyword","sc","deletes the ESET service","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57959" "*sc delete ""FirebirdGuardianDefaultInstance""*",".{0,1000}sc\sdelete\s\""FirebirdGuardianDefaultInstance\"".{0,1000}","greyware_tool_keyword","sc","delete services related to the Firebird database ","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57960" "*sc delete ""FirebirdServerDefaultInstance""*",".{0,1000}sc\sdelete\s\""FirebirdServerDefaultInstance\"".{0,1000}","greyware_tool_keyword","sc","delete services related to the Firebird database ","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57961" "*sc delete 
""hvdswvc""*",".{0,1000}sc\sdelete\s\""hvdswvc\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57962" "*sc delete ""klbackupdisk""*",".{0,1000}sc\sdelete\s\""klbackupdisk\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57963" "*sc delete ""klbackupflt""*",".{0,1000}sc\sdelete\s\""klbackupflt\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57964" "*sc delete ""klflt""*",".{0,1000}sc\sdelete\s\""klflt\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57965" "*sc delete ""klhk""*",".{0,1000}sc\sdelete\s\""klhk\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57966" "*sc delete ""KLIF""*",".{0,1000}sc\sdelete\s\""KLIF\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57967" "*sc delete ""klim6""*",".{0,1000}sc\sdelete\s\""klim6\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57968" "*sc delete ""klkbdflt""*",".{0,1000}sc\sdelete\s\""klkbdflt\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57969" "*sc delete ""klmouflt""*",".{0,1000}sc\sdelete\s\""klmouflt\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57970" "*sc delete ""klpd""*",".{0,1000}sc\sdelete\s\""klpd\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57971" "*sc delete ""kltap""*",".{0,1000}sc\sdelete\s\""kltap\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57972" "*sc delete 
""KSDE1.0.0""*",".{0,1000}sc\sdelete\s\""KSDE1\.0\.0\"".{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57973" "*sc delete ""ntrtscan""*",".{0,1000}sc\sdelete\s\""ntrtscan\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57974" "*sc delete ""nvspwmi""*",".{0,1000}sc\sdelete\s\""nvspwmi\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57975" "*sc delete ""ofcservice""*",".{0,1000}sc\sdelete\s\""ofcservice\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57976" "*sc delete ""RPCService""*",".{0,1000}sc\sdelete\s\""RPCService\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57977" "*sc delete ""storflt""*",".{0,1000}sc\sdelete\s\""storflt\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57978" "*sc delete ""sysmon""*",".{0,1000}sc\sdelete\s\""sysmon\"".{0,1000}","greyware_tool_keyword","sc","deleting sysmon service - used by Dispossessor ransomware group","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57979" "*sc delete ""TmCCSF""*",".{0,1000}sc\sdelete\s\""TmCCSF\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57980" "*sc delete ""TmFilter""*",".{0,1000}sc\sdelete\s\""TmFilter\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57981" "*sc delete ""TMiCRCScanService""*",".{0,1000}sc\sdelete\s\""TMiCRCScanService\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57982" "*sc delete ""tmlisten""*",".{0,1000}sc\sdelete\s\""tmlisten\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57983" "*sc delete 
""TMLWCSService""*",".{0,1000}sc\sdelete\s\""TMLWCSService\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57984" "*sc delete ""TmPreFilter""*",".{0,1000}sc\sdelete\s\""TmPreFilter\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57985" "*sc delete ""TmProxy""*",".{0,1000}sc\sdelete\s\""TmProxy\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57986" "*sc delete ""TMSmartRelayService""*",".{0,1000}sc\sdelete\s\""TMSmartRelayService\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57987" "*sc delete ""tmusa""*",".{0,1000}sc\sdelete\s\""tmusa\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57988" "*sc delete ""vmicguestinterface""*",".{0,1000}sc\sdelete\s\""vmicguestinterface\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57989" "*sc delete ""vmicheartbeat""*",".{0,1000}sc\sdelete\s\""vmicheartbeat\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57990" "*sc delete ""vmickvpexchange""*",".{0,1000}sc\sdelete\s\""vmickvpexchange\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57991" "*sc delete ""vmicrdv""*",".{0,1000}sc\sdelete\s\""vmicrdv\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57992" "*sc delete ""vmicshutdown""*",".{0,1000}sc\sdelete\s\""vmicshutdown\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57993" "*sc delete ""vmictimesync""*",".{0,1000}sc\sdelete\s\""vmictimesync\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57994" "*sc 
delete ""vmicvss""*",".{0,1000}sc\sdelete\s\""vmicvss\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57995" "*sc delete ""VSApiNt""*",".{0,1000}sc\sdelete\s\""VSApiNt\"".{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57996" "*sc delete ""wmms""*",".{0,1000}sc\sdelete\s\""wmms\"".{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57997" "*sc delete ""WRSVC""*",".{0,1000}sc\sdelete\s\""WRSVC\"".{0,1000}","greyware_tool_keyword","sc","deletes the Webroot service - disabling the antivirus","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57998" "*sc delete AteraAgent*",".{0,1000}sc\sdelete\sAteraAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","57999" "*sc delete AVP18.0.0*",".{0,1000}sc\sdelete\sAVP18\.0\.0.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky 
services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58000" "*sc delete ehorus*",".{0,1000}sc\sdelete\sehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58001" "*sc delete ekrn*",".{0,1000}sc\sdelete\sekrn.{0,1000}","greyware_tool_keyword","sc","deletes the ESET service","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58002" "*sc delete FirebirdGuardianDefaultInstance*",".{0,1000}sc\sdelete\sFirebirdGuardianDefaultInstance.{0,1000}","greyware_tool_keyword","sc","delete services related to the Firebird database ","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58003" "*sc delete FirebirdServerDefaultInstance*",".{0,1000}sc\sdelete\sFirebirdServerDefaultInstance.{0,1000}","greyware_tool_keyword","sc","delete services related to the Firebird database ","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58004" "*sc delete 
hvdswvc*",".{0,1000}sc\sdelete\shvdswvc.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58005" "*sc delete klbackupdisk*",".{0,1000}sc\sdelete\sklbackupdisk.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58006" "*sc delete klbackupflt*",".{0,1000}sc\sdelete\sklbackupflt.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58007" "*sc delete klflt*",".{0,1000}sc\sdelete\sklflt.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58008" "*sc delete klhk*",".{0,1000}sc\sdelete\sklhk.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58009" "*sc delete KLIF*",".{0,1000}sc\sdelete\sKLIF.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58010" "*sc delete klim6*",".{0,1000}sc\sdelete\sklim6.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58011" "*sc delete klkbdflt*",".{0,1000}sc\sdelete\sklkbdflt.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58012" "*sc delete klmouflt*",".{0,1000}sc\sdelete\sklmouflt.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58013" "*sc delete klpd*",".{0,1000}sc\sdelete\sklpd.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58014" "*sc delete kltap*",".{0,1000}sc\sdelete\skltap.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58015" "*sc delete KSDE1.0.0*",".{0,1000}sc\sdelete\sKSDE1\.0\.0.{0,1000}","greyware_tool_keyword","sc","delete Kaspersky 
services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58016" "*sc delete MBAMProtection*",".{0,1000}sc\sdelete\sMBAMProtection.{0,1000}","greyware_tool_keyword","sc","stop AV script","T1562.001 - T1489","TA0005 - TA0007","N/A","Snatch","Defense Evasion","https://thedfirreport.com/wp-content/uploads/2023/12/19208-013.png","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58017" "*sc delete MBAMService*",".{0,1000}sc\sdelete\sMBAMService.{0,1000}","greyware_tool_keyword","sc","stop AV script","T1562.001 - T1489","TA0005 - TA0007","N/A","Snatch","Defense Evasion","https://thedfirreport.com/wp-content/uploads/2023/12/19208-013.png","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58018" "*sc delete ntrtscan*",".{0,1000}sc\sdelete\sntrtscan.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58019" "*sc delete nvspwmi*",".{0,1000}sc\sdelete\snvspwmi.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58020" "*sc delete ofcservice*",".{0,1000}sc\sdelete\sofcservice.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58021" "*sc delete storflt*",".{0,1000}sc\sdelete\sstorflt.{0,1000}","greyware_tool_keyword","sc","delete 
Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58023" "*sc delete sysmon*",".{0,1000}sc\sdelete\ssysmon.{0,1000}","greyware_tool_keyword","sc","deleting sysmon service - used by Dispossessor ransomware group","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58024" "*sc delete TmCCSF*",".{0,1000}sc\sdelete\sTmCCSF.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58025" "*sc delete TmFilter*",".{0,1000}sc\sdelete\sTmFilter.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58026" "*sc delete TMiCRCScanService*",".{0,1000}sc\sdelete\sTMiCRCScanService.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58027" "*sc delete tmlisten*",".{0,1000}sc\sdelete\stmlisten.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58028" "*sc delete 
TMLWCSService*",".{0,1000}sc\sdelete\sTMLWCSService.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58029" "*sc delete TmPreFilter*",".{0,1000}sc\sdelete\sTmPreFilter.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58030" "*sc delete TmProxy*",".{0,1000}sc\sdelete\sTmProxy.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58031" "*sc delete TMSmartRelayService*",".{0,1000}sc\sdelete\sTMSmartRelayService.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58032" "*sc delete tmusa*",".{0,1000}sc\sdelete\stmusa.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58033" "*sc delete ViewerService*",".{0,1000}sc\sdelete\sViewerService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered 
Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58034" "*sc delete vmicguestinterface*",".{0,1000}sc\sdelete\svmicguestinterface.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58035" "*sc delete vmicheartbeat*",".{0,1000}sc\sdelete\svmicheartbeat.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58036" "*sc delete vmickvpexchange*",".{0,1000}sc\sdelete\svmickvpexchange.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58037" "*sc delete vmicrdv*",".{0,1000}sc\sdelete\svmicrdv.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58038" "*sc delete vmicshutdown*",".{0,1000}sc\sdelete\svmicshutdown.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58039" "*sc delete vmictimesync*",".{0,1000}sc\sdelete\svmictimesync.{0,1000}","greyware_tool_keyword","sc","delete 
Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58040" "*sc delete vmicvss*",".{0,1000}sc\sdelete\svmicvss.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58041" "*sc delete VSApiNt*",".{0,1000}sc\sdelete\sVSApiNt.{0,1000}","greyware_tool_keyword","sc","delete Trend Micro services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58042" "*sc delete VSS*",".{0,1000}sc\sdelete\sVSS.{0,1000}","greyware_tool_keyword","sc","deleting the Volume Shadow Copy Service","T1490 - T1070.004 - T1562.002","TA0005 - TA0040","N/A","Snatch","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58043" "*sc delete wmms*",".{0,1000}sc\sdelete\swmms.{0,1000}","greyware_tool_keyword","sc","delete Hyper-V related services","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58044" "*sc delete WRSVC*",".{0,1000}sc\sdelete\sWRSVC.{0,1000}","greyware_tool_keyword","sc","deletes the Webroot service - disabling the antivirus","T1562.001","TA0005","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58045" "*sc qtriggerinfo 
RemoteRegistry*",".{0,1000}sc\sqtriggerinfo\sRemoteRegistry.{0,1000}","greyware_tool_keyword","sc","start the RemoteRegistry service without Admin privileges","T1569.002","TA0004 ","N/A","Snatch","Defense Evasion","https://twitter.com/splinter_code/status/1715876413474025704","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","58047" "*sc sdset scmanager D:(A;;KA;;;WD)*",".{0,1000}sc\ssdset\sscmanager\sD\:\(A\;\;KA\;\;\;WD\).{0,1000}","greyware_tool_keyword","sc","creates a backdoor by weakening the security of the Service Control Manager allowing any user to manage services on the machine which can lead to privilege escalation and persistent access by an attacker","T1560.003 - T1562.001 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://x.com/0gtweet/status/1628720819537936386","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58048" "*sc start AteraAgent*",".{0,1000}sc\sstart\sAteraAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58049" "*sc start RemoteRegistry*",".{0,1000}sc\sstart\sRemoteRegistry.{0,1000}","greyware_tool_keyword","sc","start the RemoteRegistry service without Admin privileges","T1569.002","TA0004 ","N/A","Snatch","Defense Evasion","https://twitter.com/splinter_code/status/1715876413474025704","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","58051" "*sc start RustDesk*",".{0,1000}sc\sstart\sRustDesk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered 
Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","58052" "*sc start ViewerService*",".{0,1000}sc\sstart\sViewerService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58053" "*sc stop ""RPCService""*",".{0,1000}sc\sstop\s\""RPCService\"".{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58054" "*sc stop AteraAgent*",".{0,1000}sc\sstop\sAteraAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58055" "*sc stop ehorus*",".{0,1000}sc\sstop\sehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58056" "*sc stop eventlog*",".{0,1000}sc\sstop\seventlog.{0,1000}","greyware_tool_keyword","sc","Stop EventLog service","T1489","TA0005","N/A","Snatch","Defense Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58057" "*sc stop MBAMProtection*",".{0,1000}sc\sstop\sMBAMProtection.{0,1000}","greyware_tool_keyword","sc","stop AV script","T1562.001 - T1489","TA0005 - TA0007","N/A","Snatch","Defense Evasion","https://thedfirreport.com/wp-content/uploads/2023/12/19208-013.png","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58058" "*sc stop MBAMService*",".{0,1000}sc\sstop\sMBAMService.{0,1000}","greyware_tool_keyword","sc","stop AV script","T1562.001 - T1489","TA0005 - TA0007","N/A","Snatch","Defense Evasion","https://thedfirreport.com/wp-content/uploads/2023/12/19208-013.png","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58059" "*sc stop RustDesk*",".{0,1000}sc\sstop\sRustDesk.{0,1000}","greyware_tool_keyword","RustDesk","Rustdesk open source remote control software abused by scammers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","Akira - Scattered Spider*","RMM","https://github.com/rustdesk/rustdesk","1","0","N/A","N/A","10","10","87186","12334","2025-04-22T15:18:36Z","2020-09-28T15:36:08Z","58060" "*sc stop Sophos File Scanner Service*",".{0,1000}sc\sstop\sSophos\sFile\sScanner\sService.{0,1000}","greyware_tool_keyword","sc","stop AV","T1562.001 - T1489","TA0005 - TA0007","N/A","Snatch","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58061" "*sc stop 
ViewerService*",".{0,1000}sc\sstop\sViewerService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58062" "*sc.exe sdset RemoteAccess *",".{0,1000}sc\.exe\s\ssdset\sRemoteAccess\s.{0,1000}","greyware_tool_keyword","sc","modifies the security descriptor of the RemoteAccess service - could be used to achieve persistence or elevate privileges","T1543.003 - T1112","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","58063" "*sc.exe create aswSP_ArPot1*",".{0,1000}sc\.exe\screate\saswSP_ArPot1.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","58064" "*sc.exe create aswSP_ArPot2*",".{0,1000}sc\.exe\screate\saswSP_ArPot2.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","58065" "*sc.exe create aswSP_ArPot3*",".{0,1000}sc\.exe\screate\saswSP_ArPot3.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti 
ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","58066" "*sc.exe create aswSP_ArPots*",".{0,1000}sc\.exe\screate\saswSP_ArPots.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","58067" "*sc.exe create Cloudflared binPath=\*",".{0,1000}sc\.exe\screate\sCloudflared\sbinPath\=\\.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","58068" "*sc.exe delete ""SAVAdminService""*",".{0,1000}sc\.exe\sdelete\s\""SAVAdminService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58069" "*sc.exe delete ""SAVAdminService""*",".{0,1000}sc\.exe\sdelete\s\""SAVAdminService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense 
Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58070" "*sc.exe delete ""SAVService""*",".{0,1000}sc\.exe\sdelete\s\""SAVService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58071" "*sc.exe delete ""SAVService""*",".{0,1000}sc\.exe\sdelete\s\""SAVService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58072" "*sc.exe delete ""SntpService""*",".{0,1000}sc\.exe\sdelete\s\""SntpService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58073" "*sc.exe delete ""Sophos Agent""*",".{0,1000}sc\.exe\sdelete\s\""Sophos\sAgent\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58074" "*sc.exe delete ""Sophos AutoUpdate Service""*",".{0,1000}sc\.exe\sdelete\s\""Sophos\sAutoUpdate\sService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58075" "*sc.exe delete ""Sophos Endpoint Defense 
Service""*",".{0,1000}sc\.exe\sdelete\s\""Sophos\sEndpoint\sDefense\sService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58076" "*sc.exe delete ""Sophos Message Router""*",".{0,1000}sc\.exe\sdelete\s\""Sophos\sMessage\sRouter\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58077" "*sc.exe delete ""Sophos System Protection Service""*",".{0,1000}sc\.exe\sdelete\s\""Sophos\sSystem\sProtection\sService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58078" "*sc.exe delete ""Sophos Web Control Service""*",".{0,1000}sc\.exe\sdelete\s\""Sophos\sWeb\sControl\sService\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58079" "*sc.exe delete ""swi_service""*",".{0,1000}sc\.exe\sdelete\s\""swi_service\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58080" "*sc.exe delete ""swi_update""*",".{0,1000}sc\.exe\sdelete\s\""swi_update\"".{0,1000}","greyware_tool_keyword","sc","Sophos Services Removal","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense 
Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58081" "*sc.exe delete sysmon*",".{0,1000}sc\.exe\sdelete\ssysmon.{0,1000}","greyware_tool_keyword","sc","deleting sysmon service - used by Dispossessor ransomware group","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58082" "*sc.exe sdset scmanager D:(A;;KA;;;WD)*",".{0,1000}sc\.exe\ssdset\sscmanager\sD\:\(A\;\;KA\;\;\;WD\).{0,1000}","greyware_tool_keyword","sc","creates a backdoor by weakening the security of the Service Control Manager allowing any user to manage services on the machine which can lead to privilege escalation and persistent access by an attacker","T1560.003 - T1562.001 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://x.com/0gtweet/status/1628720819537936386","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58083" "*sc.exe start aswSP_ArPot*",".{0,1000}sc\.exe\sstart\saswSP_ArPot.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","58084" "*sc.exe stop *Sophos File Scanner Service*",".{0,1000}sc\.exe\sstop\s.{0,1000}Sophos\sFile\sScanner\sService.{0,1000}","greyware_tool_keyword","sc","stop AV","T1562.001 - T1489","TA0005 - TA0007","N/A","Snatch","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58085" "*sc.exe stop bits*",".{0,1000}sc\.exe\sstop\sbits.{0,1000}","greyware_tool_keyword","sc","Stop Bits 
service","T1489","TA0005","N/A","Snatch","Defense Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","58086" "*sc.exe stop eventlog*",".{0,1000}sc\.exe\sstop\seventlog.{0,1000}","greyware_tool_keyword","sc","Stop EventLog service","T1489","TA0005","N/A","Snatch","Defense Evasion","https://www.virustotal.com/gui/file/00820a1f0972678cfe7885bc989ab3e5602b0febc96baf9bf3741d56aa374f03/behavior","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58087" "*sc.exe"" sdset RemoteAccess *",".{0,1000}sc\.exe\""\s\ssdset\sRemoteAccess\s.{0,1000}","greyware_tool_keyword","sc","modifies the security descriptor of the RemoteAccess service - could be used to achieve persistence or elevate privileges","T1543.003 - T1112","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","9","8","N/A","N/A","N/A","N/A","58088" "*sc.exe"" delete ""sysmon""*",".{0,1000}sc\.exe\""\sdelete\s\""sysmon\"".{0,1000}","greyware_tool_keyword","sc","deleting sysmon service - used by Dispossessor ransomware group","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58089" "*sc.exe"" delete sysmon*",".{0,1000}sc\.exe\""\sdelete\ssysmon.{0,1000}","greyware_tool_keyword","sc","deleting sysmon service - used by Dispossessor ransomware group","T1543 - T1070","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58090" "*sc.exe*sdset scmanager D:(A;;KA;;;WD)*",".{0,1000}sc\.exe.{0,1000}sdset\sscmanager\sD\:\(A\;\;KA\;\;\;WD\).{0,1000}","greyware_tool_keyword","sc","creates a backdoor by weakening the security of the Service Control Manager allowing any user to manage services on the machine which can lead to privilege escalation and 
persistent access by an attacker","T1560.003 - T1562.001 - T1548.002","TA0003 - TA0004 - TA0005","N/A","N/A","Persistence","https://x.com/0gtweet/status/1628720819537936386","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58091" "*sc0tfree/updog*",".{0,1000}sc0tfree\/updog.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","1","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","58094" "*schkconfig off cbdaemon*","schkconfig\soff\scbdaemon","greyware_tool_keyword","shell","Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","58164" "*schollz/croc*",".{0,1000}schollz\/croc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","1","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","58166" "*schtasks /Change /TN ""Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh"" 
/Disable*",".{0,1000}schtasks\s\/Change\s\/TN\s\""Microsoft\\Windows\\ExploitGuard\\ExploitGuard\sMDM\spolicy\sRefresh\""\s\/Disable.{0,1000}","greyware_tool_keyword","schtasks","disable scheduled tasks related to Windows Defender","T1562.001","TA0005","N/A","APT3 - Kimsuky - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58172" "*schtasks /Change /TN ""Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"" /Disable*",".{0,1000}schtasks\s\/Change\s\/TN\s\""Microsoft\\Windows\\Windows\sDefender\\Windows\sDefender\sCache\sMaintenance\""\s\/Disable.{0,1000}","greyware_tool_keyword","schtasks","disable scheduled tasks related to Windows Defender","T1562.001","TA0005","N/A","APT3 - Kimsuky - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58173" "*schtasks /Change /TN ""Microsoft\Windows\Windows Defender\Windows Defender Cleanup"" /Disable*",".{0,1000}schtasks\s\/Change\s\/TN\s\""Microsoft\\Windows\\Windows\sDefender\\Windows\sDefender\sCleanup\""\s\/Disable.{0,1000}","greyware_tool_keyword","schtasks","disable scheduled tasks related to Windows Defender","T1562.001","TA0005","N/A","APT3 - Kimsuky - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58174" "*schtasks /Change /TN ""Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"" /Disable*",".{0,1000}schtasks\s\/Change\s\/TN\s\""Microsoft\\Windows\\Windows\sDefender\\Windows\sDefender\sScheduled\sScan\""\s\/Disable.{0,1000}","greyware_tool_keyword","schtasks","disable scheduled tasks related to Windows Defender","T1562.001","TA0005","N/A","APT3 - Kimsuky - 
BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58175" "*schtasks /Change /TN ""Microsoft\Windows\Windows Defender\Windows Defender Verification"" /Disable*",".{0,1000}schtasks\s\/Change\s\/TN\s\""Microsoft\\Windows\\Windows\sDefender\\Windows\sDefender\sVerification\""\s\/Disable.{0,1000}","greyware_tool_keyword","schtasks","disable scheduled tasks related to Windows Defender","T1562.001","TA0005","N/A","APT3 - Kimsuky - BRONZE BUTLER","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58176" "*schtasks /Create /RU SYSTEM /XML c:\temp\*",".{0,1000}schtasks\s\/Create\s\/RU\sSYSTEM\s\/XML\sc\:\\temp\\.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","Dispossessor","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58177" "*schtasks /query /v /fo LIST*",".{0,1000}schtasks\s\/query\s\/v\s\/fo\sLIST.{0,1000}","greyware_tool_keyword","schtasks","view detailed information about all the scheduled tasks.","T1053.005 - T1082","TA0004 - TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","58181" "*schtasks.exe /create /sc * /tr ""%programdata%\sshd\sshd.exe -f %programdata%\sshd\config\sshd_config\keys\id_rsa -N -R * -o StrictHostKeyChecking=no -o *",".{0,1000}schtasks\.exe\s\/create\s\/sc\s.{0,1000}\s\/tr\s\""\%programdata\%\\sshd\\sshd\.exe\s\-f\s\%programdata\%\\sshd\\config\\sshd_config\\keys\\id_rsa\s\-N\s\-R\s.{0,1000}\s\-o\sStrictHostKeyChecking\=no\s\-o\s.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - 
T1090","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58182" "*schtasks.exe /create /sc minute /mo 1 /tn * /rl highest /np /tr *\sshd\sshd.exe -f *\sshd\config\sshd_config*",".{0,1000}schtasks\.exe\s\/create\s\/sc\sminute\s\/mo\s1\s\/tn\s.{0,1000}\s\/rl\shighest\s\/np\s\/tr\s.{0,1000}\\sshd\\sshd\.exe\s\-f\s.{0,1000}\\sshd\\config\\sshd_config.{0,1000}","greyware_tool_keyword","schtasks","SSH backdoor creation with schtasks","T1053 - T1059.004 - T1090","TA0003 - TA0005 - TA0011","N/A","N/A","Persistence","https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58183" "*scoop install croc*",".{0,1000}scoop\sinstall\scroc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","#linux","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","58195" "*scout aws --profile default -f*",".{0,1000}scout\saws\s\-\-profile\sdefault\s\-f.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","58196" "*scout azure --cli*",".{0,1000}scout\sazure\s\-\-cli.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - 
T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","58197" "*scp * *@*:*",".{0,100}scp\s.{0,10}\s.{0,10}\@.{0,10}\:.{0,100}","greyware_tool_keyword","scp","Detects the use of tools that copy files from or to remote systems","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","N/A","Data Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","58198" "*scp *@*:* *",".{0,100}scp\s.{0,10}\@.{0,10}\:.{0,10}\s.{0,100}","greyware_tool_keyword","scp","Detects the use of tools that copy files from or to remote systems","T1041 - T1105 - T1106","TA0002 - TA0008 - TA0010","N/A","N/A","Data Exfiltration","https://attack.mitre.org/techniques/T1105/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","58201" "*screen /dev/ttyACM0 115200*",".{0,1000}screen\s\/dev\/ttyACM0\s115200.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","58203" "*ScreenConnect Software*",".{0,1000}ScreenConnect\sSoftware.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater 
","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58206" "*ScreenConnect.Client.dll*",".{0,1000}ScreenConnect\.Client\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58207" "*ScreenConnect.Client.exe.jar*",".{0,1000}ScreenConnect\.Client\.exe\.jar.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58208" "*ScreenConnect.ClientService.dll*",".{0,1000}ScreenConnect\.ClientService\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58209" "*ScreenConnect.ClientService.exe*",".{0,1000}ScreenConnect\.ClientService\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - 
BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58210" "*ScreenConnect.ClientSetup.exe*",".{0,1000}ScreenConnect\.ClientSetup\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58211" "*SCREENCONNECT.CLIENTSETUP.EXE-*.pf*",".{0,1000}SCREENCONNECT\.CLIENTSETUP\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58212" "*ScreenConnect.ClientUninstall.vbs*",".{0,1000}ScreenConnect\.ClientUninstall\.vbs.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58213" "*ScreenConnect.Core.pdb*",".{0,1000}ScreenConnect\.Core\.pdb.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as 
Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58214" "*ScreenConnect.Server.dll*",".{0,1000}ScreenConnect\.Server\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58215" "*ScreenConnect.Service.exe*",".{0,1000}ScreenConnect\.Service\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58216" "*SCREENCONNECT.SERVICE.EXE-*.pf*",".{0,1000}SCREENCONNECT\.SERVICE\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58217" 
"*ScreenConnect.WindowsBackstageShell.exe*",".{0,1000}ScreenConnect\.WindowsBackstageShell\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58218" "*SCREENCONNECT.WINDOWSCLIENT.*.pf*",".{0,1000}SCREENCONNECT\.WINDOWSCLIENT\..{0,1000}\.pf.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58219" "*ScreenConnect.WindowsClient.exe*",".{0,1000}ScreenConnect\.WindowsClient\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58220" "*ScreenConnect.WindowsInstaller.dll*",".{0,1000}ScreenConnect\.WindowsInstaller\.dll.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - 
Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58221" "*ScreenConnect_*_Release.msi*",".{0,1000}ScreenConnect_.{0,1000}_Release\.msi.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58222" "*ScreenConnect_*_Release.tar.gz*",".{0,1000}ScreenConnect_.{0,1000}_Release\.tar\.gz.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58223" "*ScreenConnect_*_Release.zip*",".{0,1000}ScreenConnect_.{0,1000}_Release\.zip.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58224" "*ScreenConnectClientNetworkDeployer.exe*",".{0,1000}ScreenConnectClientNetworkDeployer\.exe.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software 
application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58225" "*Search-AADIntTeamsUser*",".{0,1000}Search\-AADIntTeamsUser.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58260" "*Search-AADIntUnifiedAuditLog*",".{0,1000}Search\-AADIntUnifiedAuditLog.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58261" "*Search-ADAccount -PasswordNeverExpires -UsersOnly*",".{0,1000}Search\-ADAccount\s\-PasswordNeverExpires\s\-UsersOnly.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","N/A","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","58262" "*sed 's/#PermitRootLogin prohibit-password/PermitRootLogin Yes' 
/etc/ssh/sshd_config*",".{0,1000}sed\s\'s\/\#PermitRootLogin\sprohibit\-password\/PermitRootLogin\sYes\'\s\/etc\/ssh\/sshd_config.{0,1000}","greyware_tool_keyword","sed","allowing root login for ssh","T1078 - T1078.003 - T1021 - T1021.004","TA0005 - TA0001 - TA0003","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","9","10","N/A","N/A","N/A","N/A","58335" "*Send-AADIntEASMessage*",".{0,1000}Send\-AADIntEASMessage.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58397" "*Send-AADIntHybridHealthServiceEventBlob*",".{0,1000}Send\-AADIntHybridHealthServiceEventBlob.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58398" "*Send-AADIntHybridHealthServiceEvents*",".{0,1000}Send\-AADIntHybridHealthServiceEvents.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58399" "*Send-AADIntOneDriveFile*",".{0,1000}Send\-AADIntOneDriveFile.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58400" "*Send-AADIntOutlookMessage*",".{0,1000}Send\-AADIntOutlookMessage.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58401" "*Send-AADIntTeamsMessage*",".{0,1000}Send\-AADIntTeamsMessage.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58402" "*Sending update request to Duck DNS*",".{0,1000}Sending\supdate\srequest\sto\sDuck\sDNS.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for 
contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","0","N/A","N/A","5","10","N/A","N/A","N/A","N/A","58413" "*Server running at http://localhost:*",".{0,1000}Server\srunning\sat\shttp\:\/\/localhost\:.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#content","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","58440" "*server*-relay.screenconnect.com*",".{0,1000}server.{0,1000}\-relay\.screenconnect\.com.{0,1000}","greyware_tool_keyword","ScreenConnect","control remote servers - abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","screenconnect.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58441" "*server.action1.com*",".{0,1000}server\.action1\.com.{0,1000}","greyware_tool_keyword","action1","Action1 remote administration tool abused by attackers","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","LockBit - MONTI","RMM","https://app.action1.com/","1","0","#dnsquery","dns request","10","10","N/A","N/A","N/A","N/A","58442" "*server.remoteutilities.com*",".{0,1000}server\.remoteutilities\.com.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58444" "*serverinfo.alpemix.com*",".{0,1000}serverinfo\.alpemix\.com.{0,1000}","greyware_tool_keyword","Alpemix","connect to your 
unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.alpemix.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58455" "*service cbdaemon stop*","service\scbdaemon\sstop","greyware_tool_keyword","shell","Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","58474" "*service ip6tables stop*","service\sip6tables\sstop","greyware_tool_keyword","iptables","Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","58475" "*service iptables stop*","service\siptables\sstop","greyware_tool_keyword","iptables","Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","3","6","N/A","N/A","N/A","N/A","58476" "*service pulseway start*",".{0,1000}service\spulseway\sstart.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58477" "*service pulseway stop*",".{0,1000}service\spulseway\sstop.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58478" "*service softether_server *",".{0,1000}service\ssoftether_server\s.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","58480" "*service tailscaled *",".{0,1000}service\stailscaled\s.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development 
environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","58481" "*service.tunnelmole.com*",".{0,1000}service\.tunnelmole\.com.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","1","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","58482" "*serviceName = 'SilkService*",".{0,1000}serviceName\s\=\s\'SilkService.{0,1000}","greyware_tool_keyword","Invoke-Maldaptive","MaLDAPtive is a framework for LDAP SearchFilter parsing - obfuscation - deobfuscation and detection.","T1027","TA0005 - TA0007","N/A","N/A","Discovery","https://github.com/MaLDAPtive/Invoke-Maldaptive","1","0","N/A","N/A","7","3","277","26","2024-08-07T21:12:45Z","2024-08-07T20:43:52Z","58494" "*ServiceName"">Pulseway*",".{0,1000}ServiceName\""\>Pulseway\<\/Data\>.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58495" "*ServiceName'>GoToMyPC*",".{0,1000}ServiceName\'\>GoToMyPC.{0,1000}","greyware_tool_keyword","GoToMyPC","GoToMyPC is remote desktop software that allows users to access computers remotely using a web browser","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","N/A","RMM","https://www.gotomypc.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58498" "*'ServiceName'>VSA 
X*",".{0,1000}\'ServiceName\'\>VSA\sX\<\/Data\>.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58500" "*'ServiceName'>VSAX*",".{0,1000}\'ServiceName\'\>VSAX\<\/Data\>.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58501" "*'ServiceName'>Zoho Assist-Remote Support*",".{0,1000}\'ServiceName\'\>Zoho\sAssist\-Remote\sSupport.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58502" "*Serving Tailscale web client on http://*",".{0,1000}Serving\sTailscale\sweb\sclient\son\shttp\:\/\/.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","58506" "*set +o history*",".{0,1000}set\s\+o\shistory.{0,1000}","greyware_tool_keyword","set","Does not write any of the current session to the history 
log","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","58515" "*set -g tmate-server-*",".{0,1000}set\s\-g\stmate\-server\-.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","58521" "*set history +o*",".{0,1000}set\shistory\s\+o.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","58523" "*set tmate-api-key *",".{0,1000}set\stmate\-api\-key\s.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","58541" "*set tmate-authorized-keys",".{0,1000}set\stmate\-authorized\-keys","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","58542" "*set tmate-session-name *",".{0,1000}set\stmate\-session\-name\s.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - 
TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","58543" "*set xmrig start*",".{0,1000}set\sxmrig\sstart.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","58546" "*Set-AADIntADFSConfiguration*",".{0,1000}Set\-AADIntADFSConfiguration.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58567" "*Set-AADIntADFSPolicyStoreRules*",".{0,1000}Set\-AADIntADFSPolicyStoreRules.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58568" "*Set-AADIntADSyncAccountPassword*",".{0,1000}Set\-AADIntADSyncAccountPassword.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - 
T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58569" "*Set-AADIntADSyncEnabled*",".{0,1000}Set\-AADIntADSyncEnabled.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58570" "*Set-AADIntAzureADFeature*",".{0,1000}Set\-AADIntAzureADFeature.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58571" "*Set-AADIntAzureADPolicyDetail*",".{0,1000}Set\-AADIntAzureADPolicyDetail.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58572" 
"*Set-AADIntAzureRoleAssignment*",".{0,1000}Set\-AADIntAzureRoleAssignment.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58573" "*Set-AADIntDesktopSSO*",".{0,1000}Set\-AADIntDesktopSSO.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58574" "*Set-AADIntDesktopSSOEnabled*",".{0,1000}Set\-AADIntDesktopSSOEnabled.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58575" "*Set-AADIntDeviceCompliant*",".{0,1000}Set\-AADIntDeviceCompliant.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - 
TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58576" "*Set-AADIntDeviceRegAuthMethods*",".{0,1000}Set\-AADIntDeviceRegAuthMethods.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58577" "*Set-AADIntDeviceTransportKey*",".{0,1000}Set\-AADIntDeviceTransportKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58578" "*Set-AADIntDeviceWHfBKey*",".{0,1000}Set\-AADIntDeviceWHfBKey.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58579" "*Set-AADIntDiagnosticSettingsDetails*",".{0,1000}Set\-AADIntDiagnosticSettingsDetails.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell 
module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58580" "*Set-AADIntEASSettings*",".{0,1000}Set\-AADIntEASSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58581" "*Set-AADIntOfficeUpdateBranch*",".{0,1000}Set\-AADIntOfficeUpdateBranch.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58582" "*Set-AADIntPassThroughAuthentication*",".{0,1000}Set\-AADIntPassThroughAuthentication.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation 
tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58583" "*Set-AADIntPasswordHashSyncEnabled*",".{0,1000}Set\-AADIntPasswordHashSyncEnabled.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58584" "*Set-AADIntProxySettings*",".{0,1000}Set\-AADIntProxySettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58585" "*Set-AADIntPTACertificate*",".{0,1000}Set\-AADIntPTACertificate.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58586" "*Set-AADIntRolloutPolicy*",".{0,1000}Set\-AADIntRolloutPolicy.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - 
T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58587" "*Set-AADIntSelfServicePurchaseProduct*",".{0,1000}Set\-AADIntSelfServicePurchaseProduct.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58588" "*Set-AADIntSetting*",".{0,1000}Set\-AADIntSetting.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58589" "*Set-AADIntSPOSiteMembers*",".{0,1000}Set\-AADIntSPOSiteMembers.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58590" 
"*Set-AADIntSPOUserProperty*",".{0,1000}Set\-AADIntSPOUserProperty.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58591" "*Set-AADIntSyncFeature*",".{0,1000}Set\-AADIntSyncFeature.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58592" "*Set-AADIntSyncFeatures*",".{0,1000}Set\-AADIntSyncFeatures.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58593" "*Set-AADIntTeamsAvailability*",".{0,1000}Set\-AADIntTeamsAvailability.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY 
BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58594" "*Set-AADIntTeamsMessageEmotion*",".{0,1000}Set\-AADIntTeamsMessageEmotion.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58595" "*Set-AADIntTeamsStatusMessage*",".{0,1000}Set\-AADIntTeamsStatusMessage.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58596" "*Set-AADIntTenantGuestAccess*",".{0,1000}Set\-AADIntTenantGuestAccess.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58597" "*Set-AADIntUnifiedAuditLogSettings*",".{0,1000}Set\-AADIntUnifiedAuditLogSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure 
AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58598" "*Set-AADIntUserAgent*",".{0,1000}Set\-AADIntUserAgent.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58599" "*Set-AADIntUserMFA*",".{0,1000}Set\-AADIntUserMFA.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58600" "*Set-AADIntUserMFAApps*",".{0,1000}Set\-AADIntUserMFAApps.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58601" 
"*Set-AADIntUserPassword*",".{0,1000}Set\-AADIntUserPassword.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","58602" "*Set-ADObject -SamAccountName * -PropertyName scriptpath -PropertyValue *\*.exe*","Set\-ADObject\s\-SamAccountName\s.{0,1000}\s\-PropertyName\sscriptpath\s\-PropertyValue\s.{0,1000}\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","powershell","AD module Logon Script from remote IP","T1037.001 - T1078.003 - T1046","TA0002 - TA0007 - TA0040","N/A","N/A","Discovery","https://hideandsec.sh/books/cheatsheets-82c/page/active-directory","1","0","N/A","AD Enumeration","7","6","N/A","N/A","N/A","N/A","58603" "*setcap cap_net_bind_service=+ep boringproxy*",".{0,1000}setcap\scap_net_bind_service\=\+ep\sboringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","58606" "*Set-Clipboard -Value ' '*",".{0,1000}Set\-Clipboard\s\-Value\s\'\s\'.{0,1000}","greyware_tool_keyword","powershell","Clearing the clipboard is a deliberate attempt to cover tracks and make the attack less detectable","T1070","TA0005","N/A","N/A","Defense Evasion","https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-05-14-IOCs-for-DarkGate-activity.txt","1","0","N/A","N/A","10","3","293","20","2025-04-21T19:35:23Z","2023-08-29T22:32:38Z","58608" "*Set-Clipboard -Value ''*",".{0,1000}Set\-Clipboard\s\-Value\s\'\'.{0,1000}","greyware_tool_keyword","powershell","Clearing the clipboard is a deliberate attempt to cover tracks and make the attack less detectable","T1070","TA0005","N/A","N/A","Defense Evasion","https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-05-14-IOCs-for-DarkGate-activity.txt","1","0","N/A","N/A","10","3","293","20","2025-04-21T19:35:23Z","2023-08-29T22:32:38Z","58609" "*setextradata global GUI/SuppressMessages ""all""*",".{0,1000}setextradata\sglobal\sGUI\/SuppressMessages\s\""all\"".{0,1000}","greyware_tool_keyword","VirtualBox","hiding VirtualBox notifications - abused by attacker to hide their VM persistence","T1564.001 - T1053 - T1547","TA0005 - TA0003","N/A","RagnarLocker ","Defense Evasion","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","58626" "*setextradata global GUI/SuppressMessages all*",".{0,1000}setextradata\sglobal\sGUI\/SuppressMessages\sall.{0,1000}","greyware_tool_keyword","VirtualBox","hiding VirtualBox notifications - abused by attacker to hide their VM persistence","T1564.001 - T1053 - T1547","TA0005 - TA0003","N/A","RagnarLocker ","Defense 
Evasion","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","58627" "*Set-ItemProperty *\excel\security*pythonfunctionwarnings*0*",".{0,1000}Set\-ItemProperty\s.{0,1000}\\excel\\security.{0,1000}pythonfunctionwarnings.{0,1000}0.{0,1000}","greyware_tool_keyword","Excel","prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet","T1112 - T1131 - T1204.002","TA0003 - TA0005","N/A","N/A","Defense Evasion","https://github.com/tsale/Sigma_rules/blob/main/MISC/pythonfunctionwarnings_disabled.yml","1","0","N/A","N/A","7","2","119","17","2025-01-29T17:41:49Z","2022-01-11T07:34:37Z","58635" "*Set-ItemProperty*HKLM:\SOFTWARE\Policies\Microsoft\VisualStudio\Devtunnels*DisableDevTunnelsInVisualStudio*0*",".{0,1000}Set\-ItemProperty.{0,1000}HKLM\:\\SOFTWARE\\Policies\\Microsoft\\VisualStudio\\Devtunnels.{0,1000}DisableDevTunnelsInVisualStudio.{0,1000}0.{0,1000}","greyware_tool_keyword","powershell","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","Defense Evasion","https[://]87[.]120[.]120[.]56/crypt/xx.ps1","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","58637" "*Set-MPPreference -DisableIntrusionPreventionSystem $true*",".{0,1000}Set\-MPPreference\s\-DisableIntrusionPreventionSystem\s\$true.{0,1000}","greyware_tool_keyword","powershell","Disable IPS","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58645" "*Set-MpPreference -DisableIOAVProtection $true*",".{0,1000}Set\-MpPreference\s\-DisableIOAVProtection\s\$true.{0,1000}","greyware_tool_keyword","powershell","Disable scanning of all downloaded files and attachments","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58646" "*Set-MpPreference -DisableRealtimeMonitoring $true*",".{0,1000}Set\-MpPreference\s\-DisableRealtimeMonitoring\s\$true.{0,1000}","greyware_tool_keyword","powershell","Defense evasion technique. In order to avoid detection at any point of the kill chain attackers use several ways to disable anti-virus - 
disable Microsoft firewall and clear logs.","T1562.001 - T1562.002 - T1070.004","TA0007 - TA0040 - TA0005","N/A","Dispossessor - Black Basta","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58647" "*Set-MpPreference -DisableScriptScanning 1 *",".{0,1000}Set\-MpPreference\s\-DisableScriptScanning\s1\s.{0,1000}","greyware_tool_keyword","powershell","Disable AMSI (set to 0 to enable)","T1562.001 - T1562.002 - T1070.004","TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","58649" "*Set-MpPreference -ExclusionExtension exe*",".{0,1000}Set-MpPreference\s\-ExclusionExtension\sexe.{0,1000}","greyware_tool_keyword","powershell","exclude exe file extensions from AV detections","T1562.001 - T1059.001","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/Akabanwa-toma/hacke/blob/aaebb5cb188eb3a17bebfedfbde6b354e5522b92/installer.bat#L29C21-L29C63","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","58650" "*set-option -g tmate-webhook-*",".{0,1000}set\-option\s\-g\stmate\-webhook\-.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","58655" "*Set-Service -Name sshd -StartupType 'Automatic'*",".{0,1000}Set\-Service\s\-Name\ssshd\s\-StartupType\s\'Automatic\'.{0,1000}","greyware_tool_keyword","powershell","openssh server is used (critical on DC - must not be installed)","T1021.004 - T1133 - T1078.003","TA0008 - TA0005","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58669" "*setspn.exe -F -Q */*",".{0,1000}setspn\.exe\s\-F\s\-Q\s.{0,1000}\/.{0,1000}","greyware_tool_keyword","setspn","Getting users with SPNs","T1003 - 
T1558.003","TA0007","N/A","N/A","Discovery","https://github.com/b401/Wiki/blob/main/Security/Windows/AD/enumeration.md?plain=1","1","0","N/A","N/A","7","1","1","0","2023-10-24T20:31:01Z","2022-11-12T17:18:05Z","58674" "*setspn.exe* -T *-Q cifs/*",".{0,1000}setspn\.exe.{0,1000}\s\-T\s.{0,1000}\-Q\scifs\/.{0,1000}","greyware_tool_keyword","setspn","Getting users with SPNs","T1003 - T1558.003","TA0007","N/A","N/A","Discovery","https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/","1","0","N/A","N/A","7","10","N/A","N/A","N/A","N/A","58676" "*Settings for Radmin Server.lnk*",".{0,1000}Settings\sfor\sRadmin\sServer\.lnk.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","58681" "*setup and run in background Monero CPU miner*",".{0,1000}setup\sand\srun\sin\sbackground\sMonero\sCPU\sminer.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","58683" "*sh >/dev/tcp/* <&1 2>&1*",".{0,1000}sh\s\>\/dev\/tcp\/.{0,1000}\s\<\&1\s2\>\&1.{0,1000}","greyware_tool_keyword","bash","Equation Group reverse shell method - simple bash reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","58708" "*sh -i >& /dev/udp/*/* 
0>&1*",".{0,1000}sh\s\-i\s\>\&\s\/dev\/udp\/.{0,1000}\/.{0,1000}\s0\>\&1.{0,1000}","greyware_tool_keyword","bash","bash reverse shell ","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","10","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","58712" "*shadawck/nse-install*",".{0,1000}shadawck\/nse\-install.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","58720" "*Shadowsocks Local Service*",".{0,1000}Shadowsocks\sLocal\sService.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","Servicename","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58743" "*Shadowsocks started TCP*",".{0,1000}Shadowsocks\sstarted\sTCP.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","58744" "*Shadowsocks started UDP*",".{0,1000}Shadowsocks\sstarted\sUDP.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","58745" "*Shadowsocks.PAC.*",".{0,1000}Shadowsocks\.PAC\..{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","58746" "*Shadowsocks.Protocol*",".{0,1000}Shadowsocks\.Protocol.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","58747" "*Shadowsocks.WPF*",".{0,1000}Shadowsocks\.WPF.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","0","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","58748" "*shadowsocks/shadowsocks-rust*",".{0,1000}shadowsocks\/shadowsocks\-rust.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58749" "*shadowsocks/shadowsocks-windows*",".{0,1000}shadowsocks\/shadowsocks\-windows.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","58750" "*shadowsocks/ssserver-rust*",".{0,1000}shadowsocks\/ssserver\-rust.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","1","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58751" "*SHADOWSOCKS_CONFIG_PATH*",".{0,1000}SHADOWSOCKS_CONFIG_PATH.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58752" "*SHADOWSOCKS6_CONFIG_PATH*",".{0,1000}SHADOWSOCKS6_CONFIG_PATH.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58754" "*shadowsocks-local-service*",".{0,1000}shadowsocks\-local\-service.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","Servicename","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58755" "*shadowsocks-rust-local@*",".{0,1000}shadowsocks\-rust\-local\@.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58756" "*shadowsocks-rust-server@*",".{0,1000}shadowsocks\-rust\-server\@.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","58757" "*share.zrok.io*",".{0,1000}share\.zrok\.io.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","1","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","58771" "*sharkd -a tcp:*",".{0,1000}sharkd\s\-a\stcp\:.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","58786" "*shred $HISTFILE*",".{0,1000}shred\s\$HISTFILE.{0,1000}","greyware_tool_keyword","shred","deleting bash history","T1070.006","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","59410" "*shred -n * -u -z *_history*",".{0,1000}shred\s\-n\s.{0,1000}\s\-u\s\-z\s.{0,1000}_history.{0,1000}","greyware_tool_keyword","shred","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59411" "*shred -n * -z -u 
*_history*",".{0,1000}shred\s\-n\s.{0,1000}\s\-z\s\-u\s.{0,1000}_history.{0,1000}","greyware_tool_keyword","shred","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59412" "*shred --remove*",".{0,1000}shred\s\-\-remove.{0,1000}","greyware_tool_keyword","shred","Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.","T1070.004 - T1564.001 - T1027","TA0005 - TA0040 - TA0011","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_file_deletion_via_shred.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","59413" "*shred -u -n * -z *_history*",".{0,1000}shred\s\-u\s\-n\s.{0,1000}\s\-z\s.{0,1000}_history.{0,1000}","greyware_tool_keyword","shred","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59414" "*shred -u -z -n *_history*",".{0,1000}shred\s\-u\s\-z\s\-n\s.{0,1000}_history.{0,1000}","greyware_tool_keyword","shred","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59415" "*shred -u*",".{0,1000}shred\s\-u.{0,1000}","greyware_tool_keyword","shred","Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. 
Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.","T1070.004 - T1564.001 - T1027","TA0005 - TA0040 - TA0011","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_file_deletion_via_shred.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","59416" "*shred -z -n * -u *_history*",".{0,1000}shred\s\-z\s\-n\s.{0,1000}\s\-u\s.{0,1000}_history.{0,1000}","greyware_tool_keyword","shred","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59417" "*shred -z -u -n *_history*",".{0,1000}shred\s\-z\s\-u\s\-n\s.{0,1000}_history.{0,1000}","greyware_tool_keyword","shred","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59418" "*shred -z*",".{0,1000}shred\s\-z.{0,1000}","greyware_tool_keyword","shred","Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. 
Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.","T1070.004 - T1564.001 - T1027","TA0005 - TA0040 - TA0011","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_file_deletion_via_shred.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","59419" "*shred --zero*",".{0,1000}shred\s\-\-zero.{0,1000}","greyware_tool_keyword","shred","Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.","T1070.004 - T1564.001 - T1027","TA0005 - TA0040 - TA0011","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_file_deletion_via_shred.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","59420" "*'Signature'>Mega Limited*",".{0,1000}\'Signature\'\>Mega\sLimited\<\/Data\>.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59453" "*silverf0x/RpcView*",".{0,1000}silverf0x\/RpcView.{0,1000}","greyware_tool_keyword","RpcView","RpcView is a free tool to explore and decompile Microsoft RPC interfaces","T1082 - T1016 - T1046 - T1622","TA0007 - 
TA0008","N/A","Dispossessor","Discovery","https://github.com/silverf0x/RpcView","1","0","N/A","N/A","6","10","965","255","2023-09-24T19:58:04Z","2017-03-14T19:14:45Z","59493" "*SimpleHelp - simple-help.com*",".{0,1000}SimpleHelp\s\-\ssimple\-help\.com.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59516" "*simplehelp remote work.exe*",".{0,1000}simplehelp\sremote\swork\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59517" "*simplehelp remote workwinlauncher.exe*",".{0,1000}simplehelp\sremote\sworkwinlauncher\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59518" "*SimpleHelp Remote WorkWinLauncher.exe*",".{0,1000}SimpleHelp\sRemote\sWorkWinLauncher\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59519" "*SimpleHelp Technician.exe*",".{0,1000}SimpleHelp\sTechnician\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59520" "*simplehelp technician.exe*",".{0,1000}simplehelp\stechnician\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59521" "*SimpleHelp Technician-java-online.jar*",".{0,1000}SimpleHelp\sTechnician\-java\-online\.jar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59522" "*SimpleHelp Technician-linux32arm-offline.tar*",".{0,1000}SimpleHelp\sTechnician\-linux32arm\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59523" "*SimpleHelp Technician-linux32arm-online.tar*",".{0,1000}SimpleHelp\sTechnician\-linux32arm\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59524" "*SimpleHelp Technician-linux32-offline.tar*",".{0,1000}SimpleHelp\sTechnician\-linux32\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59525" "*SimpleHelp Technician-linux32-online.tar*",".{0,1000}SimpleHelp\sTechnician\-linux32\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59526" "*SimpleHelp Technician-linux64arm-offline.tar*",".{0,1000}SimpleHelp\sTechnician\-linux64arm\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59527" "*SimpleHelp Technician-linux64arm-online.tar*",".{0,1000}SimpleHelp\sTechnician\-linux64arm\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59528" "*SimpleHelp Technician-linux64-offline.tar*",".{0,1000}SimpleHelp\sTechnician\-linux64\-offline\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59529" "*SimpleHelp Technician-linux64-online.tar*",".{0,1000}SimpleHelp\sTechnician\-linux64\-online\.tar.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access 
","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59530" "*SimpleHelp Technician-macos-intel-offline.dmg*",".{0,1000}SimpleHelp\sTechnician\-macos\-intel\-offline\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","59531" "*SimpleHelp Technician-macos-intel-online.dmg*",".{0,1000}SimpleHelp\sTechnician\-macos\-intel\-online\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","59532" "*SimpleHelp Technician-macos-offline.dmg*",".{0,1000}SimpleHelp\sTechnician\-macos\-offline\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","59533" "*SimpleHelp Technician-macos-online.dmg*",".{0,1000}SimpleHelp\sTechnician\-macos\-online\.dmg.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","#macos","N/A","10","10","N/A","N/A","N/A","N/A","59534" "*SimpleHelp Technician-windows32-offline.exe*",".{0,1000}SimpleHelp\sTechnician\-windows32\-offline\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by 
attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59535" "*SimpleHelp Technician-windows32-online.exe*",".{0,1000}SimpleHelp\sTechnician\-windows32\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59536" "*SimpleHelp Technician-windows64-offline.exe*",".{0,1000}SimpleHelp\sTechnician\-windows64\-offline\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59537" "*simplehelp technician-windows64-online.exe*",".{0,1000}simplehelp\stechnician\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59538" "*SimpleHelp Technician-windows64-online.exe*",".{0,1000}SimpleHelp\sTechnician\-windows64\-online\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59539" "*simplehelp technicianwinlauncher.exe*",".{0,1000}simplehelp\stechnicianwinlauncher\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has 
been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59540" "*SimpleHelp.exe*",".{0,1000}SimpleHelp\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59541" "*simplehelp.technician.127_0_0_1*",".{0,1000}simplehelp\.technician\.127_0_0_1.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","59542" "*SimpleHelp-allplatforms.zip*",".{0,1000}SimpleHelp\-allplatforms\.zip.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59543" "*simplehelpcustomer.exe*",".{0,1000}simplehelpcustomer\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackCat","RMM","simple-help.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59544" "*SimpleHelp-install-64.exe*",".{0,1000}SimpleHelp\-install\-64\.exe.{0,1000}","greyware_tool_keyword","SimpleHelp","SimpleHelp is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - 
TA0011","N/A","BlackCat","RMM","simple-help.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59545" "*SimpleHTTPServer.SimpleHTTPRequestHandler*",".{0,1000}SimpleHTTPServer\.SimpleHTTPRequestHandler.{0,1000}","greyware_tool_keyword","simplehttpserver","quick web server in python","T1021.002 - T1059.006","TA0002 - TA0005","N/A","N/A","Data Exfiltration","https://docs.python.org/2/library/simplehttpserver.html","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","59546" "*--single-argument https://www.solarwinds.com/*/remote-support-software*",".{0,1000}\-\-single\-argument\shttps\:\/\/www\.solarwinds\.com\/.{0,1000}\/remote\-support\-software.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","59562" "*sish -x*",".{0,1000}sish\s\-x.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","59570" "*skx/tunneller*",".{0,1000}skx\/tunneller.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","1","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","59587" "*SmbScanner.exe*",".{0,1000}SmbScanner\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - 
DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","59727" "*smc -disable -mem*",".{0,1000}smc\s\-disable\s\-mem.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59742" "*smc -disable -ntp*",".{0,1000}smc\s\-disable\s\-ntp.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59743" "*smc -disable -wss*",".{0,1000}smc\s\-disable\s\-wss.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59744" "*smc -enable 
-gem*",".{0,1000}smc\s\-enable\s\-gem.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59745" "*smc.exe -disable -mem*",".{0,1000}smc\.exe\s\-disable\s\-mem.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59746" "*smc.exe -disable -ntp*",".{0,1000}smc\.exe\s\-disable\s\-ntp.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59747" "*smc.exe -disable -wss*",".{0,1000}smc\.exe\s\-disable\s\-wss.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense 
Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59748" "*smc.exe -enable -gem*",".{0,1000}smc\.exe\s\-enable\s\-gem.{0,1000}","greyware_tool_keyword","smc","Symantec Client Management Component or (smc.exe) is a command-line utility that can manage (enable - disable - export) different components of SEP","T1562 - T1089","TA0005","N/A","N/A","Defense Evasion","https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Antivirus/Symantec%20Endpoint%20Protection#threat-actor-ops-taops","1","0","N/A","N/A","9","4","312","44","2023-01-10T11:57:23Z","2021-11-12T18:22:13Z","59749" "*snap install localxpose*",".{0,1000}snap\sinstall\slocalxpose.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","59786" "*snap.shadowsocks-rust.sslocal-daemon.service*",".{0,1000}snap\.shadowsocks\-rust\.sslocal\-daemon\.service.{0,1000}","greyware_tool_keyword","shadowsocks","Rust port - shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-rust","1","0","N/A","N/A","10","10","9312","1273","2025-04-21T14:29:22Z","2014-10-15T11:02:36Z","59787" "*snmp-check * -c public*",".{0,1000}snmp\-check\s.{0,1000}\s\-c\spublic.{0,1000}","greyware_tool_keyword","snmpcheck","Automates the process of gathering information from any device with SNMP protocol support. Like snmpwalk - snmpcheck allows you to enumerate SNMP devices and places the output in a human-readable format. 
It could be useful for penetration testing or systems monitoring","T1046 - T1018","TA0007 - TA0005","N/A","N/A","Reconnaissance","http://www.nothink.org/codes/snmpcheck/index.php","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","59803" "*snmpwalk -v1 -cpublic *",".{0,1000}snmpwalk\s\s\-v1\s\-cpublic\s.{0,1000}","greyware_tool_keyword","snmpwalk","allows you to enumerate the SNMP devices and places the output in a very human readable friendly format","T1046 - T1018","TA0007 - TA0005","N/A","N/A","Reconnaissance","https://wiki.debian.org/SNMP","1","0","#linux","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","59804" "*snmpwalk * public *1.3.6.1.*",".{0,1000}snmpwalk\s.{0,1000}\spublic\s.{0,1000}1\.3\.6\.1\..{0,1000}","greyware_tool_keyword","snmpwalk","allows you to enumerate the SNMP devices and places the output in a very human readable friendly format","T1046 - T1018","TA0007 - TA0005","N/A","N/A","Reconnaissance","https://wiki.debian.org/SNMP","1","0","N/A","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","59805" "*snmpwalk -c public -v 1 *",".{0,1000}snmpwalk\s\-c\spublic\s\-v\s1\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","59806" "*snmpwalk -c public -v 2c *",".{0,1000}snmpwalk\s\-c\spublic\s\-v\s2c\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation 
tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","59807" "*snmpwalk -c public -v1 *",".{0,1000}snmpwalk\s\-c\spublic\s\-v1\s.{0,1000}","greyware_tool_keyword","snmpwalk","allows you to enumerate the SNMP devices and places the output in a very human readable friendly format","T1046 - T1018","TA0007 - TA0005","N/A","N/A","Reconnaissance","https://wiki.debian.org/SNMP","1","0","#linux","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","59808" "*snsinfu/reverse-tunnel*",".{0,1000}snsinfu\/reverse\-tunnel.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","1","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","59811" "*socat exec:*",".{0,1000}socat\sexec\:.{0,1000}","greyware_tool_keyword","socat","Shell spawning socat usage ","T1059 - T1105 - T1046","TA0002 - TA0008 - TA0007","N/A","Scattered Spider*","C2","https://linuxfr.org/news/socat-un-outil-en-ligne-de-commande-pour-maitriser-vos-sockets","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","59816" "*socat FILE:*tty*raw*echo=0 TCP*:*",".{0,1000}socat\sFILE\:.{0,1000}tty.{0,1000}raw.{0,1000}echo\=0\sTCP.{0,1000}\:.{0,1000}","greyware_tool_keyword","socat","socat bind shell","T1071 - T1573","TA0002 - TA0011","N/A","Scattered Spider*","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","59817" "*socat file:*tty*raw*echo=0 
tcp-listen:*",".{0,1000}socat\sfile\:.{0,1000}tty.{0,1000}raw.{0,1000}echo\=0\stcp\-listen\:.{0,1000}","greyware_tool_keyword","socat","socat reverse shell","T1071 - T1573","TA0002 - TA0011","N/A","Scattered Spider*","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","59818" "*socat http://0x0*",".{0,1000}socat\shttp\:\/\/0x0.{0,1000}","greyware_tool_keyword","socat","contains an IP address as part of a URL or network destination formatted in an unconventional but technically valid way (hexa - octal - binary)","T1027 - T1059.004 - T1132.002","TA0011 - TA0005 - TA0002","N/A","N/A","Defense Evasion","https://x.com/CraigHRowland/status/1821176342999921040","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59819" "*socat -lp * http://0x0*",".{0,1000}socat\s\-lp\s.{0,1000}\shttp\:\/\/0x0.{0,1000}","greyware_tool_keyword","socat","contains an IP address as part of a URL or network destination formatted in an unconventional but technically valid way (hexa - octal - binary)","T1027 - T1059.004 - T1132.002","TA0011 - TA0005 - TA0002","N/A","N/A","Defense Evasion","https://x.com/CraigHRowland/status/1821176342999921040","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","59820" "*socat -O /tmp/*",".{0,1000}socat\s\-O\s\/tmp\/.{0,1000}","greyware_tool_keyword","socat","Shell spawning socat usage ","T1059 - T1105 - T1046","TA0002 - TA0008 - TA0007","N/A","Scattered Spider*","C2","https://linuxfr.org/news/socat-un-outil-en-ligne-de-commande-pour-maitriser-vos-sockets","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","59821" "*socat TCP4-LISTEN:* fork TCP4:*:*",".{0,1000}socat\sTCP4\-LISTEN\:.{0,1000}\sfork\sTCP4\:.{0,1000}\:.{0,1000}","greyware_tool_keyword","socat","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 
- T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0011","N/A","Scattered Spider*","C2","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","59831" "*socat tcp-connect*",".{0,1000}socat\stcp\-connect.{0,1000}","greyware_tool_keyword","socat","Shell spawning socat usage ","T1059 - T1105 - T1046","TA0002 - TA0008 - TA0007","N/A","Scattered Spider*","C2","https://linuxfr.org/news/socat-un-outil-en-ligne-de-commande-pour-maitriser-vos-sockets","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","59833" "*socat tcp-connect:*:* exec:*bash -li**pty*stderr*setsid*sigint*sane*",".{0,1000}socat\stcp\-connect\:.{0,1000}\:.{0,1000}\sexec\:.{0,1000}bash\s\-li.{0,1000}.{0,1000}pty.{0,1000}stderr.{0,1000}setsid.{0,1000}sigint.{0,1000}sane.{0,1000}","greyware_tool_keyword","socat","socat reverse shell","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","Scattered Spider*","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","N/A","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","59834" "*socat tcp-connect:*:* exec:/bin/sh*",".{0,1000}socat\stcp\-connect\:.{0,1000}\:.{0,1000}\sexec\:\/bin\/sh.{0,1000}","greyware_tool_keyword","socat","socat reverse shell","T1071 - T1573","TA0002 - TA0011","N/A","Scattered Spider*","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","59835" "*socat TCP-LISTEN:**reuseaddr*fork EXEC:/bin/sh*",".{0,1000}socat\sTCP\-LISTEN\:.{0,1000}.{0,1000}reuseaddr.{0,1000}fork\sEXEC\:\/bin\/sh.{0,1000}","greyware_tool_keyword","socat","socat bind shell","T1071 - T1573","TA0002 - TA0011","N/A","Scattered 
Spider*","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","59836" "*socket(S*PF_INET*SOCK_STREAM*getprotobyname(*tcp*))*if(connect(S*sockaddr_in($p*inet_aton($i))))*",".{0,1000}socket\(S.{0,1000}PF_INET.{0,1000}SOCK_STREAM.{0,1000}getprotobyname\(.{0,1000}tcp.{0,1000}\)\).{0,1000}if\(connect\(S.{0,1000}sockaddr_in\(\$p.{0,1000}inet_aton\(\$i\)\)\)\).{0,1000}","greyware_tool_keyword","shell","Reverse Shell Command Line","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml","1","1","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","59848" "*SoftEtherVPN/SoftEtherVPN_Stable.git*",".{0,1000}SoftEtherVPN\/SoftEtherVPN_Stable\.git.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","59860" "*SoftPerfect_*Patch_Keygen_v2*.exe*",".{0,1000}SoftPerfect_.{0,1000}Patch_Keygen_v2.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","softperfect networkscanner","SoftPerfect Network Scanner can ping computers scan ports discover shared folders and retrieve practically any information about network devices via WMI SNMP HTTP SSH and PowerShell","T1046 - T1065 - T1135 ","TA0007 ","N/A","Dispossessor - BlackSuit - Royal - Black Basta - Akira - LockBit - BianLian - Conti - BlackCat - Dagon Locker - Nokoyawa - Trigona - Hive - BlackByte - RansomHub - Cactus - Fog - Medusa - Avaddon - Cobalt Group - FIN7 - 
Anunak","Discovery","https://www.softperfect.com/products/networkscanner/","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","59861" "*SOFTWARE\ATERA Networks\AlphaAgent*",".{0,1000}SOFTWARE\\ATERA\sNetworks\\AlphaAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","59864" "*Software\FileZilla*",".{0,1000}Software\\FileZilla.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","#registry","PUA risk of legitimate usage","5","7","N/A","N/A","N/A","N/A","59865" "*SOFTWARE\Microsoft\QuickAssist*",".{0,1000}SOFTWARE\\Microsoft\\QuickAssist.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","#registry","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","59866" "*SOFTWARE\Siber Systems\GoodSync\Profiles*",".{0,1000}SOFTWARE\\Siber\sSystems\\GoodSync\\Profiles.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data Exfiltration","https://www.goodsync.com/","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","59868" "*Software\Splashtop
Inc.\Splashtop*",".{0,1000}Software\\Splashtop\sInc\.\\Splashtop.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","#registry","N/A","10","10","N/A","N/A","N/A","N/A","59869" "*SOFTWARE\TacticalRMM*",".{0,1000}SOFTWARE\\TacticalRMM.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","#registry","registry","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","59870" "*SOFTWARE\WOW6432Node\FreeFileSync*",".{0,1000}SOFTWARE\\WOW6432Node\\FreeFileSync.{0,1000}","greyware_tool_keyword","freefilesync","freefilesync is a backup and file synchronization program abused by attacker for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","LockBit","Data Exfiltration","https://freefilesync.org/download.php","1","0","#registry","N/A","9","10","N/A","N/A","N/A","N/A","59871" "*SolarWinds.MRC.Licensor*",".{0,1000}SolarWinds\.MRC\.Licensor.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","59873" "*SolarWinds.Orion.MaintDateCheck*",".{0,1000}SolarWinds\.Orion\.MaintDateCheck.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 
- T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","0","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","59874" "*SolarWinds-Dameware-DRS-St.exe*",".{0,1000}SolarWinds\-Dameware\-DRS\-St\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","59875" "*SolarWinds-Dameware-DRS-St-Eval.zip*",".{0,1000}SolarWinds\-Dameware\-DRS\-St\-Eval\.zip.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","Dameware Remote Support","10","10","N/A","N/A","N/A","N/A","59876" "*SolarWinds-Dameware-MRC-32bit-St.exe*",".{0,1000}SolarWinds\-Dameware\-MRC\-32bit\-St\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","59877" "*SolarWinds-Dameware-MRC-32bit-St-Eval.zip*",".{0,1000}SolarWinds\-Dameware\-MRC\-32bit\-St\-Eval\.zip.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","59878" "*SolarWinds-Dameware-MRC-64bit-St.exe*",".{0,1000}SolarWinds\-Dameware\-MRC\-64bit\-St\.exe.{0,1000}","greyware_tool_keyword","Dameware","Solarwind 
Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","59879" "*SolarWinds-Dameware-MRC-64bit-St-Eval.zip*",".{0,1000}SolarWinds\-Dameware\-MRC\-64bit\-St\-Eval\.zip.{0,1000}","greyware_tool_keyword","Dameware","Solarwind Dameware Mini Remote Control tool ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/dameware-mini-remote-control","1","1","N/A","Dameware Mini Remote Control","10","10","N/A","N/A","N/A","N/A","59880" "*solo_mine_example.cmd*",".{0,1000}solo_mine_example\.cmd.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","59882" "*somenonymous/OshiUpload*",".{0,1000}somenonymous\/OshiUpload.{0,1000}","greyware_tool_keyword","OshiUpload","Ephemeral file sharing engine","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Black Basta","Data Exfiltration","https://github.com/somenonymous/OshiUpload","1","1","#filehostingservice #P2P","N/A","10","2","195","25","2025-04-02T12:44:45Z","2019-05-11T02:08:51Z","59883" "*sourceforge.net/projects/eraser/files/Eraser*/download*",".{0,1000}sourceforge\.net\/projects\/eraser\/files\/Eraser.{0,1000}\/download.{0,1000}","greyware_tool_keyword","eraser","It completely removes sensitive data from your hard drive by overwriting it several times with carefully selected patterns - abused by attackers for anti-forensics","T1070 - T1488 - T1561","TA0005","N/A","BlackSuit - Royal","Defense Evasion","https://sourceforge.net/projects/eraser","1","1","N/A","N/A","7","10","N/A","N/A","N/A","N/A","59902"
"*Splashtop Remote\Server\log\agent_log.txt*",".{0,1000}Splashtop\sRemote\\Server\\log\\agent_log\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59962" "*Splashtop Remote\Server\log\SPLog.txt*",".{0,1000}Splashtop\sRemote\\Server\\log\\SPLog\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59963" "*Splashtop Remote\Server\log\svcinfo.txt*",".{0,1000}Splashtop\sRemote\\Server\\log\\svcinfo\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59964" "*Splashtop Remote\Server\log\sysinfo.txt*",".{0,1000}Splashtop\sRemote\\Server\\log\\sysinfo\.txt.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - 
BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59965" "*Splashtop_Streamer_Windows_*.exe*",".{0,1000}Splashtop_Streamer_Windows_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59966" "*Splashtop-Splashtop Streamer-*",".{0,1000}Splashtop\-Splashtop\sStreamer\-.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59967" "*SplashtopStreamer.*.exe*",".{0,1000}SplashtopStreamer\..{0,1000}\.exe.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://ruler-project.github.io/ruler-project/RULER/remote/Splashtop/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59968" "*SplashtopStreamer3500.exe* prevercheck 
*",".{0,1000}SplashtopStreamer3500\.exe.{0,1000}\sprevercheck\s.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - Cactus","RMM","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","59969" "*SPR/Ammyy.R*",".{0,1000}SPR\/Ammyy\.R.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","#Avsignature","N/A","10","10","N/A","N/A","N/A","N/A","60012" "*src/gotunnelme/*",".{0,1000}src\/gotunnelme\/.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/NoahShen/gotunnelme","1","1","N/A","N/A","10","10","171","45","2018-01-06T04:41:15Z","2013-10-18T02:46:51Z","60093" "*src/xmrig.cpp*",".{0,1000}src\/xmrig\.cpp.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","60106" "*src\xmrig.cpp*",".{0,1000}src\\xmrig\.cpp.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","60112"
"*ss_privoxy.exe*",".{0,1000}ss_privoxy\.exe.{0,1000}","greyware_tool_keyword","shadowsocks","shadowsocks is a fast tunnel proxy that helps you bypass firewalls","T1572 - T1090","TA0011 - TA0005","N/A","N/A","C2","https://github.com/shadowsocks/shadowsocks-windows","1","1","N/A","N/A","10","10","58770","16368","2025-01-01T08:09:55Z","2013-01-14T07:54:16Z","60120" "*ssh * .localhost.run*",".{0,1000}ssh\s.{0,1000}\s\.localhost\.run.{0,1000}","greyware_tool_keyword","localhost.run","Put a locally running HTTP HTTPS or TLS app on the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://localhost.run/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60124" "*ssh * localhost.run*",".{0,1000}ssh\s.{0,1000}\slocalhost\.run.{0,1000}","greyware_tool_keyword","localhost.run","Put a locally running HTTP HTTPS or TLS app on the internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://localhost.run/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60125" "*ssh *.tmate.io*",".{0,1000}ssh\s.{0,1000}\.tmate\.io.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","60126" "*ssh *@ssh-j.com*",".{0,1000}ssh\s.{0,1000}\@ssh\-j\.com.{0,1000}","greyware_tool_keyword","SSH-J.com","This is Dropbear SSH server modified to be used as a public SSH jump & port forwarding service","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://bitbucket.org/ValdikSS/dropbear-sshj/src/master/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60127" "*ssh @ssh.*.devtunnels.ms*",".{0,1000}ssh\s\@ssh\..{0,1000}\.devtunnels\.ms.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services 
across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","60128" "*ssh -L * tuns.sh*",".{0,1000}ssh\s\-L\s.{0,1000}\stuns\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","60129" "*ssh -o *.telebit.io*",".{0,1000}ssh\s\-o\s.{0,1000}\.telebit\.io.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60132" "*ssh -o 'proxycommand socat - *",".{0,1000}ssh\s\-o\s\'proxycommand\ssocat\s\-\s.{0,1000}","greyware_tool_keyword","frp","A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.","T1572 - T1090 - T1599","TA0010 - TA0040","N/A","N/A","Data Exfiltration","https://github.com/fatedier/frp","1","0","#linux","N/A","10","10","92956","13929","2025-04-16T17:34:14Z","2015-12-21T15:24:59Z","60133" "*ssh -R * tuns.sh*",".{0,1000}ssh\s\-R\s.{0,1000}\stuns\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","0","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","60139" "*ssh*.telebit.cloud*",".{0,1000}ssh.{0,1000}\.telebit\.cloud.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your 
stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60141" "*ssh.exe -L 0.0.0.0:445:127.0.0.1:445 *",".{0,1000}ssh\.exe\s\-L\s0\.0\.0\.0\:445\:127\.0\.0\.1\:445\s.{0,1000}","greyware_tool_keyword","ssh","Binding to port 445 on Windows with ssh - useful for NTLM relaying","T1090.002 - T1071.001","TA0008","N/A","N/A","Lateral Movement","https://x.com/0x64616e/status/1817149974724956286","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60142" "*sshjmpnoutfqotbj6r3acexiwoalgkth55y5kys7js3px2qqqrwuhqqd.onion*",".{0,1000}sshjmpnoutfqotbj6r3acexiwoalgkth55y5kys7js3px2qqqrwuhqqd\.onion.{0,1000}","greyware_tool_keyword","SSH-J.com","This is Dropbear SSH server modified to be used as a public SSH jump & port forwarding service","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://bitbucket.org/ValdikSS/dropbear-sshj/src/master/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60162" "*sshtunnel.readthedocs.io*",".{0,1000}sshtunnel\.readthedocs\.io.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","60175" "*sshtunnel.readthedocs.org*",".{0,1000}sshtunnel\.readthedocs\.org.{0,1000}","greyware_tool_keyword","sshtunnel","SSH tunnels to remote server","T1572 - T1219","TA0005 - TA0010 - TA0011","N/A","N/A","Defense Evasion","https://github.com/pahaz/sshtunnel","1","1","N/A","N/A","10","10","1256","186","2024-03-10T15:20:42Z","2014-06-11T21:14:05Z","60176" "*sshuttle -*",".{0,1000}sshuttle\s\-.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60177" "*sshuttle.cmdline*",".{0,1000}sshuttle\.cmdline.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60179" "*sshuttle.firewall*",".{0,1000}sshuttle\.firewall.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60180" "*sshuttle.linux*",".{0,1000}sshuttle\.linux.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60181" "*sshuttle.methods.socket*",".{0,1000}sshuttle\.methods\.socket.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60182" "*sshuttle.server*",".{0,1000}sshuttle\.server.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60183" "*sshuttle.service*",".{0,1000}sshuttle\.service.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60184" "*sshuttle.ssh*",".{0,1000}sshuttle\.ssh.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60185" "*sshuttle/sshuttle*",".{0,1000}sshuttle\/sshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","1","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60186" "*SSHUTTLE0001*",".{0,1000}SSHUTTLE0001.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60187" "*sshx-server --listen*",".{0,1000}sshx\-server\s\-\-listen.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","0","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","60188" "*sshx-server-*.tar.gz*",".{0,1000}sshx\-server\-.{0,1000}\.tar\.gz.{0,1000}","greyware_tool_keyword","sshx","Fast collaborative live terminal sharing over the web","T1021.004 - T1041 - T1059 - T1071.001","TA0002 - TA0009 - TA0011 - TA0010","N/A","N/A","C2","https://github.com/ekzhang/sshx","1","1","N/A","N/A","10","10","6379","220","2025-02-12T20:40:30Z","2022-02-12T23:29:33Z","60189" "*staqlab-tunnel port=*",".{0,1000}staqlab\-tunnel\sport\=.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","0","N/A","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","60283" "*staqlab-tunnel.exe*",".{0,1000}staqlab\-tunnel\.exe.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","1","N/A","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","60284" "*staqlab-tunnel.zip*",".{0,1000}staqlab\-tunnel\.zip.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","1","N/A","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","60285" "*start /min ""C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"" startvm * -type headless*",".{0,1000}start\s\/min\s\""C\:\\Program\sFiles\\Oracle\\VirtualBox\\VBoxManage\.exe\""\sstartvm\s.{0,1000}\s\-type\sheadless.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Persistence","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60294" "*start 'AutoIt3.exe' -a '*.a3x';attrib +h*",".{0,1000}start\s\'AutoIt3\.exe\'\s\-a\s\'.{0,1000}\.a3x\'\;attrib\s\+h.{0,1000}","greyware_tool_keyword","AutoIt","starting autoit script and hiding it","T1070","TA0005","N/A","N/A","Defense Evasion","https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-05-14-IOCs-for-DarkGate-activity.txt","1","0","N/A","N/A","8","3","293","20","2025-04-21T19:35:23Z","2023-08-29T22:32:38Z","60295" "*start doing stuff: preparing miner*",".{0,1000}start\sdoing\sstuff\:\spreparing\sminer.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","60296" "*start wmic /node:@C:\*.txt /user:*/password:* process call create *cmd.exe /c bitsadmin 
/transfer *.exe *",".{0,1000}start\swmic\s\/node\:\@C\:\\.{0,1000}\.txt\s\/user\:.{0,1000}\/password\:.{0,1000}\sprocess\scall\screate\s.{0,1000}cmd\.exe\s\/c\sbitsadmin\s\/transfer\s.{0,1000}\.exe\s.{0,1000}","greyware_tool_keyword","wmic","WMIC suspicious transfer ","T1105 - T1041 - T1048","TA0002 - TA0003 - TA0010","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Exploitation tool","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","60302" "*Start-AADIntCloudShell*",".{0,1000}Start\-AADIntCloudShell.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","60307" "*Start-AADIntDeviceIntuneCallback*",".{0,1000}Start\-AADIntDeviceIntuneCallback.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","60308" "*Start-AADIntSpeech*",".{0,1000}Start\-AADIntSpeech.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY 
BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","60309" "*Starting tailscaled*",".{0,1000}Starting\stailscaled.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","#content","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60337" "*StartRPCPerformanceService*",".{0,1000}StartRPCPerformanceService.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60354" "*StartRPCPerformanceServiceOnStart*",".{0,1000}StartRPCPerformanceServiceOnStart.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60355" "*Start-Service sshd*",".{0,1000}Start\-Service\ssshd.{0,1000}","greyware_tool_keyword","powershell","openssh server is used (critical on DC - must not be installed)","T1021.004 - T1133 - T1078.003","TA0008 - TA0005","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60359" "*stascorp/rdpwrap*",".{0,1000}stascorp\/rdpwrap.{0,1000}","greyware_tool_keyword","rdpwrap","RDP Wrapper Library used by malware","T1021","TA0008","N/A","N/A","Lateral Movement","https://github.com/stascorp/rdpwrap","1","1","N/A","N/A","10","10","15332","3911","2024-06-18T15:08:33Z","2014-10-22T23:18:28Z","60366"
"*static.remotepc.com*",".{0,1000}static\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60367" "*stderr.pl/oset*",".{0,1000}stderr\.pl\/oset.{0,1000}","greyware_tool_keyword","oset","Offline SAM Editor Tool to access and edit SAM databases from offline OS disk","T1078 - T1003.002 - T1547.001","TA0003 - TA0006 - TA0007 - TA0005","N/A","N/A","Credential Access","https://x.com/0gtweet/status/1817859483445461406","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60376" "*STDIN->fdopen($c*r)*$~->fdopen($c*w)*system$_ while<>*",".{0,1000}STDIN\-\>fdopen\(\$c.{0,1000}r\).{0,1000}\$\~\-\>fdopen\(\$c.{0,1000}w\).{0,1000}system\$_\swhile\<\>.{0,1000}","greyware_tool_keyword","shell","Reverse Shell Command Line","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","60377" "*stop dameware remote everywhere agent.lnk*",".{0,1000}stop\sdameware\sremote\severywhere\sagent\.lnk.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60419" "*Stop Radmin Server.lnk*",".{0,1000}Stop\sRadmin\sServer\.lnk.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60420" "*Stop-Process
-Force -Name remote_assistance_host*",".{0,1000}Stop\-Process\s\-Force\s\-Name\sremote_assistance_host.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","#windows","N/A","10","10","N/A","N/A","N/A","N/A","60425" "*Stop-Process -Force -Name remote_assistance_host_uiaccess*",".{0,1000}Stop\-Process\s\-Force\s\-Name\sremote_assistance_host_uiaccess.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","#windows","N/A","10","10","N/A","N/A","N/A","N/A","60426" "*Stop-Process -Force -Name remoting_native_messaging_host*",".{0,1000}Stop\-Process\s\-Force\s\-Name\sremoting_native_messaging_host.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","#windows","N/A","10","10","N/A","N/A","N/A","N/A","60427" "*Stop-Process -Name ""Sophos *",".{0,1000}Stop\-Process\s\-Name\s\""Sophos\s.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60428" "*Stop-Process -Name ""SQL Backups""*",".{0,1000}Stop\-Process\s\-Name\s\""SQL\sBackups\"".{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - 
TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60429" "*Stop-Process -Name ""SQLsafe Backup Service""*",".{0,1000}Stop\-Process\s\-Name\s\""SQLsafe\sBackup\sService\"".{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60430" "*Stop-Process -Name ""storagecraft imagemanager*""",".{0,1000}Stop\-Process\s\-Name\s\""storagecraft\simagemanager.{0,1000}\""","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60431" "*Stop-Process -Name ""Symantec System Recovery""*",".{0,1000}Stop\-Process\s\-Name\s\""Symantec\sSystem\sRecovery\"".{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60432" "*Stop-Process -Name ""Veeam Backup Catalog Data Service""*",".{0,1000}Stop\-Process\s\-Name\s\""Veeam\sBackup\sCatalog\sData\sService\"".{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60433" "*Stop-Process -Name ""Zoolz 2 Service""*",".{0,1000}Stop\-Process\s\-Name\s\""Zoolz\s2\sService\"".{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60434" "*Stop-Process -Name acronisagent*",".{0,1000}Stop\-Process\s\-Name\sacronisagent.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60435" "*Stop-Process -Name AcronisAgent*",".{0,1000}Stop\-Process\s\-Name\sAcronisAgent.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60436" "*Stop-Process -Name acrsch2svc*",".{0,1000}Stop\-Process\s\-Name\sacrsch2svc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60437" "*Stop-Process -Name AcrSch2Svc*",".{0,1000}Stop\-Process\s\-Name\sAcrSch2Svc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60438" "*Stop-Process -Name agntsvc*",".{0,1000}Stop\-Process\s\-Name\sagntsvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60439" "*Stop-Process -Name Antivirus*",".{0,1000}Stop\-Process\s\-Name\sAntivirus.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60440" "*Stop-Process -Name ARSM /y*",".{0,1000}Stop\-Process\s\-Name\sARSM\s\/y.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60441" "*Stop-Process -Name arsm*",".{0,1000}Stop\-Process\s\-Name\sarsm.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60442" "*Stop-Process -Name AVP*",".{0,1000}Stop\-Process\s\-Name\sAVP.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60443" "*Stop-Process -Name backp*",".{0,1000}Stop\-Process\s\-Name\sbackp.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60444" "*Stop-Process -Name backup*",".{0,1000}Stop\-Process\s\-Name\sbackup.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60445" "*Stop-Process -Name 
BackupExec*",".{0,1000}Stop\-Process\s\-Name\sBackupExec.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60446" "*Stop-Process -Name BackupExecAgent*",".{0,1000}Stop\-Process\s\-Name\sBackupExecAgent.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60447" "*Stop-Process -Name bedbg /y*",".{0,1000}Stop\-Process\s\-Name\sbedbg\s\/y.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60448" "*Stop-Process -Name cbservi*",".{0,1000}Stop\-Process\s\-Name\scbservi.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60449" "*Stop-Process -Name cbvscserv*",".{0,1000}Stop\-Process\s\-Name\scbvscserv.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60450" "*Stop-Process -Name DCAgent*",".{0,1000}Stop\-Process\s\-Name\sDCAgent.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60451" "*Stop-Process -Name EhttpSrv*",".{0,1000}Stop\-Process\s\-Name\sEhttpSrv.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60452" "*Stop-Process -Name ekrn*",".{0,1000}Stop\-Process\s\-Name\sekrn.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60453" "*Stop-Process -Name EPSecurityService*",".{0,1000}Stop\-Process\s\-Name\sEPSecurityService.{0,1000}\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60454" "*Stop-Process -Name EPUpdateService*",".{0,1000}Stop\-Process\s\-Name\sEPUpdateService.{0,1000}\s\s\s\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60455" "*Stop-Process -Name EsgShKernel*",".{0,1000}Stop\-Process\s\-Name\sEsgShKernel.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60456" "*Stop-Process -Name ESHASRV*",".{0,1000}Stop\-Process\s\-Name\sESHASRV.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60457" "*Stop-Process -Name FA_Scheduler*",".{0,1000}Stop\-Process\s\-Name\sFA_Scheduler.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60458" "*Stop-Process -Name IMAP4Svc*",".{0,1000}Stop\-Process\s\-Name\sIMAP4Svc.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60459" "*Stop-Process -Name KAVFS*",".{0,1000}Stop\-Process\s\-Name\sKAVFS.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60460" "*Stop-Process -Name KAVFSGT*",".{0,1000}Stop\-Process\s\-Name\sKAVFSGT.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60461" "*Stop-Process -Name kavfsslp*",".{0,1000}Stop\-Process\s\-Name\skavfsslp.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60462" "*Stop-Process -Name 
klnagent*",".{0,1000}Stop\-Process\s\-Name\sklnagent.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60463" "*Stop-Process -Name macmnsvc*",".{0,1000}Stop\-Process\s\-Name\smacmnsvc.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60464" "*Stop-Process -Name masvc*",".{0,1000}Stop\-Process\s\-Name\smasvc.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60465" "*Stop-Process -Name MBAMService*",".{0,1000}Stop\-Process\s\-Name\sMBAMService.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60466" "*Stop-Process -Name MBEndpointAgent*",".{0,1000}Stop\-Process\s\-Name\sMBEndpointAgent.{0,1000}\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60467" "*Stop-Process -Name McAfeeEngineService*",".{0,1000}Stop\-Process\s\-Name\sMcAfeeEngineService.{0,1000}\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60468" "*Stop-Process -Name McAfeeFramework*",".{0,1000}Stop\-Process\s\-Name\sMcAfeeFramework.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60469" "*Stop-Process -Name McAfeeFrameworkMcAfeeFramework*",".{0,1000}Stop\-Process\s\-Name\sMcAfeeFrameworkMcAfeeFramework.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60470" "*Stop-Process -Name McShield*",".{0,1000}Stop\-Process\s\-Name\sMcShield.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60471" "*Stop-Process -Name mfefire*",".{0,1000}Stop\-Process\s\-Name\smfefire.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60472" "*Stop-Process -Name mfemms*",".{0,1000}Stop\-Process\s\-Name\smfemms.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60473" "*Stop-Process -Name mfevtp*",".{0,1000}Stop\-Process\s\-Name\smfevtp.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60474" "*Stop-Process -Name mozyprobackup*",".{0,1000}Stop\-Process\s\-Name\smozyprobackup.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60475" 
"*Stop-Process -Name MsDtsServer*",".{0,1000}Stop\-Process\s\-Name\sMsDtsServer.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60476" "*Stop-Process -Name MsDtsServer100*",".{0,1000}Stop\-Process\s\-Name\sMsDtsServer100.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60477" "*Stop-Process -Name MsDtsServer110*",".{0,1000}Stop\-Process\s\-Name\sMsDtsServer110.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60478" "*Stop-Process -Name msftesql$PROD*",".{0,1000}Stop\-Process\s\-Name\smsftesql\$PROD.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60479" "*Stop-Process -Name MSOLAP$SQL_2008*",".{0,1000}Stop\-Process\s\-Name\sMSOLAP\$SQL_2008.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 
- TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60480" "*Stop-Process -Name MSOLAP$SYSTEM_BGC*",".{0,1000}Stop\-Process\s\-Name\sMSOLAP\$SYSTEM_BGC.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60481" "*Stop-Process -Name MSOLAP$TPS*",".{0,1000}Stop\-Process\s\-Name\sMSOLAP\$TPS.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60482" "*Stop-Process -Name MSOLAP$TPSAMA*",".{0,1000}Stop\-Process\s\-Name\sMSOLAP\$TPSAMA.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60483" "*Stop-Process -Name MSSQL$BKUPEXEC*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$BKUPEXEC.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60484" "*Stop-Process -Name MSSQL$ECWDB2*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$ECWDB2.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60485" "*Stop-Process -Name MSSQL$PRACTICEMGT*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$PRACTICEMGT.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60486" "*Stop-Process -Name MSSQL$PRACTTICEBGC*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$PRACTTICEBGC.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60487" "*Stop-Process -Name MSSQL$PROD*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$PROD.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60488" "*Stop-Process -Name MSSQL$PROFXENGAGEMENT*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$PROFXENGAGEMENT.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60489" "*Stop-Process -Name MSSQL$SBSMONITORING*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$SBSMONITORING.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60490" "*Stop-Process -Name MSSQL$SHAREPOINT*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$SHAREPOINT.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60491" "*Stop-Process -Name MSSQL$SOPHOS*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$SOPHOS.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60492" "*Stop-Process -Name MSSQL$SQL_2008*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$SQL_2008.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60493" "*Stop-Process -Name MSSQL$SQLEXPRESS*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$SQLEXPRESS.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60494" "*Stop-Process -Name MSSQL$SYSTEM_BGC*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$SYSTEM_BGC.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60495" "*Stop-Process -Name MSSQL$TPS*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$TPS.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60496" "*Stop-Process -Name MSSQL$TPSAMA*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$TPSAMA.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60497" "*Stop-Process -Name MSSQL$VEEAMSQL*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$VEEAMSQL.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60498" "*Stop-Process -Name MSSQL$VEEAMSQL*",".{0,1000}Stop\-Process\s\-Name\sMSSQL\$VEEAMSQL.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60499" "*Stop-Process -Name sacsvr*",".{0,1000}Stop\-Process\s\-Name\ssacsvr.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60500" "*Stop-Process -Name SAVAdminService*",".{0,1000}Stop\-Process\s\-Name\sSAVAdminService.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60501" "*Stop-Process -Name SAVService*",".{0,1000}Stop\-Process\s\-Name\sSAVService.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60502" "*Stop-Process -Name shadowprotectsvc*",".{0,1000}Stop\-Process\s\-Name\sshadowprotectsvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60503" "*Stop-Process -Name ShMonitor*",".{0,1000}Stop\-Process\s\-Name\sShMonitor.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60504" "*Stop-Process -Name Smcinst*",".{0,1000}Stop\-Process\s\-Name\sSmcinst.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60505" "*Stop-Process -Name SmcService*",".{0,1000}Stop\-Process\s\-Name\sSmcService.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60506" "*Stop-Process -Name sms_site_sql_backup*",".{0,1000}Stop\-Process\s\-Name\ssms_site_sql_backup.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60507" "*Stop-Process -Name SntpService*",".{0,1000}Stop\-Process\s\-Name\sSntpService.{0,1000}\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60508" "*Stop-Process -Name sophossps*",".{0,1000}Stop\-Process\s\-Name\ssophossps.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60509" "*Stop-Process -Name spxservice*",".{0,1000}Stop\-Process\s\-Name\sspxservice.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60510" "*Stop-Process -Name sqbcoreservice*",".{0,1000}Stop\-Process\s\-Name\ssqbcoreservice.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60511" "*Stop-Process -Name SQLAgent$SOPH",".{0,1000}Stop\-Process\s\-Name\sSQLAgent\$SOPH","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60512" "*Stop-Process -Name SQLAgent$VEEAMSQL*",".{0,1000}Stop\-Process\s\-Name\sSQLAgent\$VEEAMSQL.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60513" "*Stop-Process -Name SQLAgent$VEEAMSQL*",".{0,1000}Stop\-Process\s\-Name\sSQLAgent\$VEEAMSQL.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60514" "*Stop-Process -Name stc_endpt_svc*",".{0,1000}Stop\-Process\s\-Name\sstc_endpt_svc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60515" "*Stop-Process -Name stop SepMasterService*",".{0,1000}Stop\-Process\s\-Name\sstop\sSepMasterService.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60516" "*Stop-Process -Name svcGenericHost*",".{0,1000}Stop\-Process\s\-Name\ssvcGenericHost.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60517" "*Stop-Process -Name swi_filter*",".{0,1000}Stop\-Process\s\-Name\sswi_filter.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60518" "*Stop-Process -Name swi_service*",".{0,1000}Stop\-Process\s\-Name\sswi_service.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60519" "*Stop-Process -Name swi_update*",".{0,1000}Stop\-Process\s\-Name\sswi_update.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60520" "*Stop-Process -Name swi_update_64*",".{0,1000}Stop\-Process\s\-Name\sswi_update_64.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60521" "*Stop-Process -Name TmCCSF*",".{0,1000}Stop\-Process\s\-Name\sTmCCSF.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60522" "*Stop-Process -Name tmlisten*",".{0,1000}Stop\-Process\s\-Name\stmlisten.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60523" "*Stop-Process -Name TrueKey*",".{0,1000}Stop\-Process\s\-Name\sTrueKey.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60524" 
"*Stop-Process -Name TrueKeyScheduler*",".{0,1000}Stop\-Process\s\-Name\sTrueKeyScheduler.{0,1000}\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60525" "*Stop-Process -Name TrueKeyServiceHel",".{0,1000}Stop\-Process\s\-Name\sTrueKeyServiceHel","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60526" "*Stop-Process -Name vapiendpoint*",".{0,1000}Stop\-Process\s\-Name\svapiendpoint.{0,1000}\s\s\s\s\s\s\s","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60527" "*Stop-Process -Name VeeamBackupSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamBackupSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60528" "*Stop-Process -Name VeeamBrokerSvc *",".{0,1000}Stop\-Process\s\-Name\sVeeamBrokerSvc\s.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - 
T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60529" "*Stop-Process -Name VeeamCatalogSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamCatalogSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60530" "*Stop-Process -Name VeeamCloudSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamCloudSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60531" "*Stop-Process -Name VeeamDeploymentService*",".{0,1000}Stop\-Process\s\-Name\sVeeamDeploymentService.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60532" "*Stop-Process -Name VeeamDeploySvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamDeploySvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60533" "*Stop-Process -Name VeeamDeploySvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamDeploySvc.{0,1000}\s\s\s\s","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60534" "*Stop-Process -Name VeeamEnterpriseManagerSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamEnterpriseManagerSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60535" "*Stop-Process -Name VeeamHvIntegrationSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamHvIntegrationSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60536" "*Stop-Process -Name VeeamMountSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamMountSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60537" "*Stop-Process -Name VeeamNFSSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamNFSSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60538" "*Stop-Process -Name VeeamRESTSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamRESTSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60539" "*Stop-Process -Name VeeamTransportSvc*",".{0,1000}Stop\-Process\s\-Name\sVeeamTransportSvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60540" "*Stop-Process -Name vsnapvss*",".{0,1000}Stop\-Process\s\-Name\svsnapvss.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60541" "*Stop-Process -Name vssvc*",".{0,1000}Stop\-Process\s\-Name\svssvc.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60542" "*Stop-Process -Name wbengine*",".{0,1000}Stop\-Process\s\-Name\swbengine.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60543" "*Stop-Process -Name wbengine*",".{0,1000}Stop\-Process\s\-Name\swbengine.{0,1000}","greyware_tool_keyword","powershell","stopping backup services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60544" "*Stop-Process -Name WRSVC*",".{0,1000}Stop\-Process\s\-Name\sWRSVC.{0,1000}","greyware_tool_keyword","powershell","stopping AV services","T1562.002 - T1489","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","#windows","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60545" 
"*StorageExplorer-linux-x64.tar.gz*",".{0,1000}StorageExplorer\-linux\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","#linux","N/A","8","10","N/A","N/A","N/A","N/A","60546" "*StorageExplorer-windows-x64.exe*",".{0,1000}StorageExplorer\-windows\-x64\.exe.{0,1000}","greyware_tool_keyword","Azure Storage Explorer","legitimate microsoft software - threat actors have been abusing Azure Storage Explorer for Data Exfiltration","T1030 - T1048 - T1078.004 - T1105 - T1567.001","TA0010","N/A","Rhysida","Data Exfiltration","https://azure.microsoft.com/en-us/products/storage/storage-explorer","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","60547" "*strace -o /dev/null /bin/sh -p*",".{0,1000}strace\s\-o\s\/dev\/null\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","60550" "*strings -n * /dev/mem | grep -i pass*",".{0,1000}strings\s\-n\s.{0,1000}\s\/dev\/mem\s\|\sgrep\s\-i\spass.{0,1000}","greyware_tool_keyword","grep","search for passwords in memory and core dumps","T1005 - T1083 - T1213","TA0006","N/A","N/A","Credential Access","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","#linux","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","60555" "*stun.syncthing.net*",".{0,1000}stun\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused 
by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","60563" "*su - tactical*",".{0,1000}su\s\-\stactical.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","60565" "*su ehorus -s /bin/bash -c ""kill -9 -1""*",".{0,1000}su\sehorus\s\-s\s\/bin\/bash\s\-c\s\""kill\s\-9\s\-1\"".{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","60566" "*subprocess.Popen(MEGACMDSHELL*",".{0,1000}subprocess\.Popen\(MEGACMDSHELL.{0,1000}","greyware_tool_keyword","MEGAcmd","Command Line Interactive and Scriptable Application to access MEGA (hosting service abused by attackers)","T1071 - T1041 - T1105","TA0010 - TA0009","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://github.com/meganz/MEGAcmd","1","0","N/A","N/A","10","10","2022","410","2025-04-09T07:52:26Z","2017-08-28T16:58:54Z","60593" "*sudo ./tmate-ssh-server*",".{0,1000}sudo\s\.\/tmate\-ssh\-server.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","60623" "*sudo apache2 -f /etc/shadow*",".{0,1000}sudo\sapache2\s\-f\s\/etc\/shadow.{0,1000}","greyware_tool_keyword","sudo","access sensitive files by abusing sudo permissions","T1548.001 - T1059.004","TA0004 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","60624" "*sudo awk 'BEGIN {system(""/bin/bash"")}'*",".{0,1000}sudo\sawk\s\'BEGIN\s\{system\(\""\/bin\/bash\""\)\}\'.{0,1000}","greyware_tool_keyword","awk","commonly used to upgrade a restricted shell","T1059.006 - T1059 - T1070.004","TA0004","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","60625" "*sudo dd if=/dev/zero bs=1000 count=5 of=*log*",".{0,1000}sudo\sdd\sif\=\/dev\/zero\sbs\=1000\scount\=5\sof\=.{0,1000}log.{0,1000}","greyware_tool_keyword","dd","Indicator 
Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","60627" "*sudo LD_LIBRARY_PATH=. apache2*",".{0,1000}sudo\sLD_LIBRARY_PATH\=\.\sapache2.{0,1000}","greyware_tool_keyword","sudo","abusing LD_LIBRARY_PATH sudo option to escalate privileges","T1546.009 - T1059.004 - T1548.002","TA0004 - TA0002 - TA0003","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","60630" "*sudo LD_PRELOAD=/tmp/preload.so find*",".{0,1000}sudo\sLD_PRELOAD\=\/tmp\/preload\.so\sfind.{0,1000}","greyware_tool_keyword","sudo","abusing LD_PRELOAD option to escalate privileges","T1546.009 - T1059.004 - T1548.002","TA0004 - TA0002 - TA0003","N/A","N/A","Privilege Escalation","N/A","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","60631" "*sudo log erase --all*",".{0,1000}sudo\slog\serase\s\-\-all.{0,1000}","greyware_tool_keyword","sudo","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","60632" "*sudo rmmod -r*",".{0,1000}sudo\srmmod\s\-r.{0,1000}","greyware_tool_keyword","rmmod","Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This rule identifies attempts to remove a kernel module.","T1547.006 - T1070.006","TA0005 - TA0003","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_kernel_module_removal.toml","1","0","#linux","greyware tool - risks of False positive !","7","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","60636" "*sudo -s /bin/bash tactical*",".{0,1000}sudo\s\-s\s\/bin\/bash\stactical.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","#linux","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","60637" "*sudo systemctl edit --full cloudflared.service*",".{0,1000}sudo\ssystemctl\sedit\s\-\-full\scloudflared\.service.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","0","#linux","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","60639" "*sudo tailscale up*",".{0,1000}sudo\stailscale\sup.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","#linux","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60640" "*sudoers.d/sshuttle_auto*",".{0,1000}sudoers\.d\/sshuttle_auto.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor 
man's VPN. Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60644" "*support.radmin.com*",".{0,1000}support\.radmin\.com.{0,1000}","greyware_tool_keyword","Radmin","Radmin is a remote control program that lets you work on another computer through your own","T1021 - T1076 - T1563","TA0008 - TA0009 - TA0002","N/A","Akira","RMM","https://www.radmin.com/download/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60659" "*support@c3pool.com*",".{0,1000}support\@c3pool\.com.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","0","#email","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","60660" "*support@dataplicity.com*",".{0,1000}support\@dataplicity\.com.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#email","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","60661" "*Support-LogMeInRescue.exe*",".{0,1000}Support\-LogMeInRescue\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60662" 
"*Support-LogMeInRescue.exe*",".{0,1000}Support\-LogMeInRescue\.exe.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60663" "*SUPPORT-LOGMEINRESCUE.EXE-*",".{0,1000}SUPPORT\-LOGMEINRESCUE\.EXE\-.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60664" "*supremo remote control*",".{0,1000}supremo\sremote\scontrol.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","#registry","registry value","10","10","N/A","N/A","N/A","N/A","60666" "*Supremo.00.Client.log*",".{0,1000}Supremo\.00\.Client\.log.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60667" "*Supremo.00.FileTransfer.log*",".{0,1000}Supremo\.00\.FileTransfer\.log.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black 
Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60668" "*Supremo.exe *",".{0,1000}Supremo\.exe\s.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60669" "*supremogw*.nanosystems.it*",".{0,1000}supremogw.{0,1000}\.nanosystems\.it.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","1","N/A","agent network connection ","10","10","N/A","N/A","N/A","N/A","60670" "*supremohelper.exe*",".{0,1000}supremohelper\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60671" "*SupremoRemoteDesktop\History.txt*",".{0,1000}SupremoRemoteDesktop\\History\.txt.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60672" "*SupremoService.00.Service.log*",".{0,1000}SupremoService\.00\.Service\.log.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60673" "*SupremoService.exe*",".{0,1000}SupremoService\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - 
T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60674" "*SupremoSystem.exe*",".{0,1000}SupremoSystem\.exe.{0,1000}","greyware_tool_keyword","Supremo","Supremo - Remote access software","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta","RMM","https://www.supremocontrol.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60675" "*swarleysez/AD-common-queries*",".{0,1000}swarleysez\/AD\-common\-queries.{0,1000}","greyware_tool_keyword","AD-common-queries","Collection of common ADSI queries for Domain Account enumeration","T1087 - T1087.002 - T1018 - T1069 - T1069.002 - T1069.003 - T1133 - T1139","TA0007 - TA0009","N/A","N/A","Discovery","https://github.com/swarleysez/AD-common-queries","1","1","N/A","N/A","8","1","7","3","2020-05-24T03:23:09Z","2020-03-10T19:43:51Z","60698" "*swarm.meshcentral.com*",".{0,1000}swarm\.meshcentral\.com.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","60699" "*switch.ehorus.com*",".{0,1000}switch\.ehorus\.com.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60715" "*SyncthingFirewallRule.js*",".{0,1000}SyncthingFirewallRule\.js.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","60736" "*SyncthingLogonTask.js*",".{0,1000}SyncthingLogonTask\.js.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","0","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","60737" "*syncthing-windows-setup.exe*",".{0,1000}syncthing\-windows\-setup\.exe.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","60738" "*sysctl -w net.ipv4.icmp_echo_ignore_all=1*",".{0,1000}sysctl\s\-w\snet\.ipv4\.icmp_echo_ignore_all\=1.{0,1000}","greyware_tool_keyword","sysctl","Disable echo reply for icmpsh C2","T1040 - T1095 - T1090.001","TA0010 - TA0005 - 
TA0011","N/A","N/A","C2","https://github.com/bdamele/icmpsh","1","0","N/A","N/A","4","10","1573","415","2018-04-06T17:15:44Z","2011-04-15T10:04:12Z","60759" "*SYSLOG_IDENTIFIER=chrome-remote-desktop*",".{0,1000}SYSLOG_IDENTIFIER\=chrome\-remote\-desktop.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60763" "*sysrc softether_server_enable=yes*",".{0,1000}sysrc\ssoftether_server_enable\=yes.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","0","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","60768" "*System.IO.MemoryStream(,[System.Convert]::FromBase64String(*",".{0,1000}System\.IO\.MemoryStream\(,\[System\.Convert\]\:\:FromBase64String\(.{0,1000}","greyware_tool_keyword","powershell","suspicious pattern used by poshC2 and many other offensive tools (false positives possible)","T1059.001","TA0005","PoshC2","N/A","Defense Evasion","N/A","1","0","N/A","risk of False positive","9","9","N/A","N/A","N/A","N/A","60776" "*systemctl * rmm.service*",".{0,1000}systemctl\s.{0,1000}\srmm\.service.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","60783" "*systemctl disable 
auditd*",".{0,1000}systemctl\sdisable\sauditd.{0,1000}","greyware_tool_keyword","auditd","disabling auditd","T1562.001 - T1070.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","#linux","N/A","10","8","N/A","N/A","N/A","N/A","60784" "*systemctl disable cbdaemon*",".{0,1000}systemctl\sdisable\scbdaemon.{0,1000}","greyware_tool_keyword","systemctl","Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","60785" "*systemctl disable falcon-sensor.service*",".{0,1000}systemctl\sdisable\sfalcon\-sensor\.service.{0,1000}","greyware_tool_keyword","systemctl","Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","60786" "*systemctl enable connectd*",".{0,1000}systemctl\senable\sconnectd.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","60788" "*systemctl enable --now tailscaled*",".{0,1000}systemctl\senable\s\-\-now\stailscaled.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60790" "*systemctl restart remotemoe*",".{0,1000}systemctl\srestart\sremotemoe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","60792" "*systemctl start connectd_schannel*",".{0,1000}systemctl\sstart\sconnectd_schannel.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - 
TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","60793" "*systemctl start pulseway*",".{0,1000}systemctl\sstart\spulseway.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60796" "*systemctl start remotemoe*",".{0,1000}systemctl\sstart\sremotemoe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","60797" "*systemctl start sshuttle*",".{0,1000}systemctl\sstart\ssshuttle.{0,1000}","greyware_tool_keyword","sshuttle","Transparent proxy server that works as a poor man's VPN. 
Forwards over ssh","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/sshuttle/sshuttle","1","0","#linux","N/A","10","10","12200","754","2025-04-04T20:48:27Z","2014-09-15T04:51:13Z","60799" "*systemctl status pulseway*",".{0,1000}systemctl\sstatus\spulseway.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60803" "*systemctl status remotemoe*",".{0,1000}systemctl\sstatus\sremotemoe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","60804" "*systemctl stop cbdaemon*",".{0,1000}systemctl\sstop\scbdaemon.{0,1000}","greyware_tool_keyword","systemctl","Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","60806" "*systemctl stop connectd_schannel*",".{0,1000}systemctl\sstop\sconnectd_schannel.{0,1000}","greyware_tool_keyword","remoteit","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/remoteit/installer","1","0","N/A","N/A","10","10","24","9","2024-04-17T00:45:45Z","2019-01-29T21:06:02Z","60807" "*systemctl stop falcon-sensor.service*",".{0,1000}systemctl\sstop\sfalcon\-sensor\.service.{0,1000}","greyware_tool_keyword","systemctl","Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","60808" "*systemctl stop pulseway*",".{0,1000}systemctl\sstop\spulseway.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60810" "*systemctl stop remotemoe*",".{0,1000}systemctl\sstop\sremotemoe.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","60811" "*systemctl stop usbguard.service*",".{0,1000}systemctl\sstop\susbguard\.service.{0,1000}","greyware_tool_keyword","systemctl","Adversaries may disable security tools to avoid possible detection of their tools and activities.","T1089 - T1562 - T1489","TA0005 - TA0007","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60812" "*systemctl --user start remotemoe.service*",".{0,1000}systemctl\s\-\-user\sstart\sremotemoe\.service.{0,1000}","greyware_tool_keyword","remotemoe","remotemoe is a software daemon for 
exposing ad-hoc services to the internet without having to deal with the regular network stuff such as configuring VPNs - changing firewalls - or adding port forwards","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/fasmide/remotemoe","1","0","N/A","N/A","10","10","288","32","2024-06-03T14:00:47Z","2020-06-11T07:41:03Z","60813" "*systemprofile\AppData\Roaming\freerdp\server*",".{0,1000}systemprofile\\AppData\\Roaming\\freerdp\\server.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://www.pulseway.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60814" "*Szybka pomoc Installer.exe*",".{0,1000}Szybka\spomoc\sInstaller\.exe.{0,1000}","greyware_tool_keyword","QuickAssist","Sharing remote desktop with Microsoft Quick Assist","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","LokiBot","Black Basta","RMM","https://apps.microsoft.com/detail/9p7bp5vnwkx5","1","0","N/A","Quick assist could be preinstalled in some Windows versions","10","10","N/A","N/A","N/A","N/A","60827" "*Tactical RMM Agent*",".{0,1000}Tactical\sRMM\sAgent.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","#registry","registry","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","60841" "*tacticalrmm.utils*",".{0,1000}tacticalrmm\.utils.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black 
Basta","RMM","https://github.com/amidaware/tacticalrmm","1","0","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","60842" "*tacticalrmm-develop*",".{0,1000}tacticalrmm\-develop.{0,1000}","greyware_tool_keyword","tacticalrmm","A remote monitoring & management tool","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","AvosLocker - Scattered Spider* - Black Basta","RMM","https://github.com/amidaware/tacticalrmm","1","1","N/A","N/A","10","10","3538","484","2025-04-22T19:24:13Z","2019-10-22T22:19:12Z","60843" "*taf.teamviewer.com*",".{0,1000}taf\.teamviewer\.com.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","60844" "*tags.zrokShareToken=*",".{0,1000}tags\.zrokShareToken\=.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","60845" "*tailscale ip -4*",".{0,1000}tailscale\sip\s\-4.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60853" "*Tailscale is not running*",".{0,1000}Tailscale\sis\snot\srunning.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60854" "*tailscale ping -*",".{0,1000}tailscale\sping\s\-.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60855" "*tailscale serve -*",".{0,1000}tailscale\sserve\s\-.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60856" "*tailscale set --auto-update*",".{0,1000}tailscale\sset\s\-\-auto\-update.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60857" "*Tailscale SSH is *",".{0,1000}Tailscale\sSSH\sis\s.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60858" "*tailscale up --advertise-routes=*/24*",".{0,1000}tailscale\sup\s\-\-advertise\-routes\=.{0,1000}\/24.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","60859" "*tailscale up --login-server=*",".{0,1000}tailscale\sup\s\-\-login\-server\=.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60860" "*Tailscale was already stopped*",".{0,1000}Tailscale\swas\salready\sstopped.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60861" "*tailscale.com/install.sh*",".{0,1000}tailscale\.com\/install\.sh.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60862" "*tailscale.com/logger.Logf*",".{0,1000}tailscale\.com\/logger\.Logf.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60863" "*tailscale.exe *",".{0,1000}tailscale\.exe\s.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60864" 
"*tailscale/go/releases/download/*",".{0,1000}tailscale\/go\/releases\/download\/.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60865" "*tailscale/net/dns/",".{0,1000}tailscale\/net\/dns\/","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60866" "*tailscale/tailscale.go*",".{0,1000}tailscale\/tailscale\.go.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60867" "*tailscale\net\dns*",".{0,1000}tailscale\\net\\dns.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60868" "*tailscale\scripts\installer.sh*",".{0,1000}tailscale\\scripts\\installer\.sh.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote 
resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60869" "*tailscale\tailscale.go*",".{0,1000}tailscale\\tailscale\.go.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60870" "*Tailscaled exited*",".{0,1000}Tailscaled\sexited.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60871" "*tailscaled --tun=userspace-networking --socks5-server=*",".{0,1000}tailscaled\s\-\-tun\=userspace\-networking\s\-\-socks5\-server\=.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","60872" "*tailscaled.exe*",".{0,1000}tailscaled\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense 
Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60873" "*tailscaled.log*",".{0,1000}tailscaled\.log.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","#logfile","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60874" "*tailscaled.openrc*",".{0,1000}tailscaled\.openrc.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60875" "*tailscaled.sh*",".{0,1000}tailscaled\.sh.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60876" "*tailscaled.stdout.log*",".{0,1000}tailscaled\.stdout\.log.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","#logfile","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60877" 
"*tailscaled_notwindows.go*",".{0,1000}tailscaled_notwindows\.go.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60878" "*tailscale-ipn.exe*",".{0,1000}tailscale\-ipn\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60879" "*tailscale-ipn.log.conf*",".{0,1000}tailscale\-ipn\.log\.conf.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60880" "*tailscale-setup-*.exe *",".{0,1000}tailscale\-setup\-.{0,1000}\.exe\s.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60881" "*tailscale-setup-full-*.exe*",".{0,1000}tailscale\-setup\-full\-.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote 
resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","1","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","60882" "*TakeDump -SentinelHelper * -ProcessId * -User * -Kernel *",".{0,1000}TakeDump\s\-SentinelHelper\s.{0,1000}\s\-ProcessId\s.{0,1000}\s\-User\s.{0,1000}\s\-Kernel\s.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","60885" "*takeown /f ""C:\windows\system32\config\SAM""*",".{0,1000}takeown\s\/f\s\""C\:\\windows\\system32\\config\\SAM\"".{0,1000}","greyware_tool_keyword","takeown","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","60896" "*takeown /f C:\Windows\System32\amsi.dll /a*",".{0,1000}takeown\s\/f\sC\:\\Windows\\System32\\amsi\.dll\s\/a.{0,1000}","greyware_tool_keyword","takeown","Spartacus DLL/COM Hijacking Toolkit","T1574.001 - T1055.001 - T1027.002","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://www.pavel.gr/blog/neutralising-amsi-system-wide-as-an-admin","1","0","N/A","N/A","10","8","N/A","N/A","N/A","N/A","60897" "*takeown /f c:\windows\system32\sethc.exe*",".{0,1000}takeown\s\/f\sc\:\\windows\\system32\\sethc\.exe.{0,1000}","greyware_tool_keyword","takeown","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - 
TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z","60898" "*takeown /f c:\windows\system32\sethcold.exe*",".{0,1000}takeown\s\/f\sc\:\\windows\\system32\\sethcold\.exe.{0,1000}","greyware_tool_keyword","takeown","automated sticky keys backdoor + credentials harvesting","T1547.001 - T1546.008 - T1555.003 - T1059 - T1573 - T1070.004 - T1003","TA0003 - TA0005 - TA0006","N/A","N/A","Persistence","https://github.com/l3m0n/WinPirate","1","0","N/A","N/A","9","1","13","32","2016-07-17T20:02:07Z","2016-07-18T03:40:13Z","60900" "*takeshixx/nmap-scripts*",".{0,1000}takeshixx\/nmap\-scripts.{0,1000}","greyware_tool_keyword","nmap","Install and update external NSE script for nmap","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/shadawck/nse-install","1","1","N/A","N/A","7","1","7","1","2020-08-28T11:27:08Z","2020-08-24T16:55:55Z","60903" "*TASKKILL /F /FI ""PID ge 1000"" /FI ""WINDOWTITLE ne untitled*",".{0,1000}TASKKILL\s\/F\s\/FI\s\""PID\sge\s1000\""\s\/FI\s\""WINDOWTITLE\sne\suntitled.{0,1000}","greyware_tool_keyword","taskkill","forcefully kills processes selected by process ID (PID greater than or equal to 1000) - has been used to disrupt various processes while avoiding certain windows","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60923" "*taskkill /F /IM ""ehorus_agent.exe""*",".{0,1000}taskkill\s\/F\s\/IM\s\""ehorus_agent\.exe\"".{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to 
registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60924" "*taskkill /F /IM ""ehorus_cmd.exe""*",".{0,1000}taskkill\s\/F\s\/IM\s\""ehorus_cmd\.exe\"".{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60925" "*taskkill /F /IM ""ehorus_display.exe""*",".{0,1000}taskkill\s\/F\s\/IM\s\""ehorus_display\.exe\"".{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60926" "*taskkill /f /im AgentPackageAgentInformation.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageAgentInformation\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60927" "*taskkill /f /im AgentPackageEventViewer.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageEventViewer\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60928" "*taskkill /f /im AgentPackageHeartbeat.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageHeartbeat\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60929" "*taskkill /f /im AgentPackageInformation*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageInformation.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - 
TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60930" "*taskkill /f /im AgentPackageInternalPoller.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageInternalPoller\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60931" "*taskkill /f /im AgentPackageMonitoring*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageMonitoring.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60932" "*taskkill /f /im AgentPackageProgramManagement*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageProgramManagement.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60933" "*taskkill /f /im AgentPackageRegistryExplorer.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageRegistryExplorer\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - 
TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60934" "*taskkill /f /im AgentPackageRunCommande.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageRunCommande\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60935" "*taskkill /f /im AgentPackageRunCommandInteractive*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageRunCommandInteractive.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60936" "*taskkill /f /im AgentPackageSTRemote.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageSTRemote\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60937" "*taskkill /f /im AgentPackageSystemTools.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageSystemTools\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - 
TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60938" "*taskkill /f /im AgentPackageUpgradeAgent*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageUpgradeAgent.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60939" "*taskkill /f /im AgentPackageWindowsUpdate.exe*",".{0,1000}taskkill\s\/f\s\/im\sAgentPackageWindowsUpdate\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60940" "*taskkill /f /im ALMon.exe*",".{0,1000}taskkill\s\/f\s\/im\sALMon\.exe.{0,1000}","greyware_tool_keyword","taskkill","Kill All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60941" "*taskkill /f /im ALMon.exe*",".{0,1000}taskkill\s\/f\s\/im\sALMon\.exe.{0,1000}","greyware_tool_keyword","taskkill","command used in the Dispossessor ransomware group notes","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60942" "*taskkill /f /im 
ALsvc.exe*",".{0,1000}taskkill\s\/f\s\/im\sALsvc\.exe.{0,1000}","greyware_tool_keyword","taskkill","Kill All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60943" "*taskkill /f /im ALsvc.exe*",".{0,1000}taskkill\s\/f\s\/im\sALsvc\.exe.{0,1000}","greyware_tool_keyword","taskkill","command used in the Dispossessor ransomware group notes","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60944" "*taskkill /f /im AteraAgent.exe*",".{0,1000}taskkill\s\/f\s\/im\sAteraAgent\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60945" "*taskkill /F /IM lsass.exe*",".{0,1000}taskkill\.exe\s\/F\s\/IM\slsass\.exe.{0,1000}","greyware_tool_keyword","taskkill","killing lsass process","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://x.com/malmoeb/status/1741114854037987437","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60946" "*taskkill /F /IM msiexec.exe*",".{0,1000}taskkill\s\/F\s\/IM\smsiexec\.exe.{0,1000}","greyware_tool_keyword","taskkill","evade EDR/AV by repairing with msiexec and killing the process","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://badoption.eu/blog/2024/03/23/cortex.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60947" "*taskkill /f /im spa.exe*",".{0,1000}taskkill\s\/f\s\/im\sspa\.exe.{0,1000}","greyware_tool_keyword","taskkill","Kill All 
Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60950" "*taskkill /f /im spa.exe*",".{0,1000}taskkill\s\/f\s\/im\sspa\.exe.{0,1000}","greyware_tool_keyword","taskkill","command used in the Dispossessor ransomware group notes","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60951" "*taskkill /f /im sql**",".{0,1000}taskkill\s\/f\s\/im\ssql.{0,1000}.{0,1000}","greyware_tool_keyword","taskkill","stop running processes associated with SQL","T1489","TA0040","N/A","LockBit","Defense Evasion","https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","60952" "*taskkill /f /im swi_fc.exe*",".{0,1000}taskkill\s\/f\s\/im\sswi_fc\.exe.{0,1000}","greyware_tool_keyword","taskkill","Kill All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60953" "*taskkill /f /im swi_fc.exe*",".{0,1000}taskkill\s\/f\s\/im\sswi_fc\.exe.{0,1000}","greyware_tool_keyword","taskkill","command used in the Dispossessor ransomware group notes","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60954" "*taskkill /f /im swi_filter.exe*",".{0,1000}taskkill\s\/f\s\/im\sswi_filter\.exe.{0,1000}","greyware_tool_keyword","taskkill","Kill All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense 
Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60955" "*taskkill /f /im swi_filter.exe*",".{0,1000}taskkill\s\/f\s\/im\sswi_filter\.exe.{0,1000}","greyware_tool_keyword","taskkill","command used in the Dispossessor ransomware group notes","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60956" "*taskkill /f /im TicketingTray.exe*",".{0,1000}taskkill\s\/f\s\/im\sTicketingTray\.exe.{0,1000}","greyware_tool_keyword","Atera","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","BlackSuit - Royal - AvosLocker - BianLian - Conti - Hive - Quantum - RansomHub - Black Basta - Dispossessor","RMM","https://www.atera.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","60957" "*taskkill /im agntsvc.exe /F*",".{0,1000}taskkill\s\/im\sagntsvc\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Backup Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60959" "*taskkill /IM CNTAoSMgr.exe /F*",".{0,1000}taskkill\s\/IM\sCNTAoSMgr\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Network Management","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60960" "*taskkill /im dbeng50.exe 
/F*",".{0,1000}taskkill\s\/im\sdbeng50\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60961" "*taskkill /im dbsnmp.exe /F*",".{0,1000}taskkill\s\/im\sdbsnmp\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60962" "*taskkill /im encsvc.exe /F*",".{0,1000}taskkill\s\/im\sencsvc\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Encryption Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60963" "*taskkill /im excel.exe /F*",".{0,1000}taskkill\s\/im\sexcel\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60964" "*taskkill /im firefoxconfig.exe /F*",".{0,1000}taskkill\s\/im\sfirefoxconfig\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Browser Configuration","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60965" "*taskkill /im infopath.exe /F*",".{0,1000}taskkill\s\/im\sinfopath\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60966" "*taskkill /im isqlplussvc.exe /F*",".{0,1000}taskkill\s\/im\sisqlplussvc\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60967" "*taskkill /IM mbamtray.exe /F*",".{0,1000}taskkill\s\/IM\smbamtray\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Antivirus","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60968" "*taskkill /im msaccess.exe /F*",".{0,1000}taskkill\s\/im\smsaccess\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60969" 
"*taskkill /im msftesql.exe /F*",".{0,1000}taskkill\s\/im\smsftesql\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60970" "*taskkill /im mspub.exe /F*",".{0,1000}taskkill\s\/im\smspub\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60971" "*taskkill /im mydesktopqos.exe /F*",".{0,1000}taskkill\s\/im\smydesktopqos\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Remote Desktop Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60972" "*taskkill /im mydesktopservice.exe /F*",".{0,1000}taskkill\s\/im\smydesktopservice\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Remote Desktop Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60973" "*taskkill /im mysqld.exe /F*",".{0,1000}taskkill\s\/im\smysqld\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60974" "*taskkill /im mysqld-nt.exe /F*",".{0,1000}taskkill\s\/im\smysqld\-nt\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60975" "*taskkill /im mysqld-opt.exe /F*",".{0,1000}taskkill\s\/im\smysqld\-opt\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60976" "*taskkill /IM Ntrtsc*",".{0,1000}taskkill\s\/IM\sNtrtsc.{0,1000}","greyware_tool_keyword","taskkill","stopping Antivirus","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60977" "*taskkill /im ocautoupds.exe /F*",".{0,1000}taskkill\s\/im\socautoupds\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60978" "*taskkill /im ocomm.exe 
/F*",".{0,1000}taskkill\s\/im\socomm\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60979" "*taskkill /im ocssd.exe /F*",".{0,1000}taskkill\s\/im\socssd\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60980" "*taskkill /im onenote.exe /F*",".{0,1000}taskkill\s\/im\sonenote\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60981" "*taskkill /im oracle.exe /F*",".{0,1000}taskkill\s\/im\soracle\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60982" "*taskkill /im outlook.exe /F*",".{0,1000}taskkill\s\/im\soutlook\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Email Client","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60983" "*taskkill /IM PccNTMon.exe /F*",".{0,1000}taskkill\s\/IM\sPccNTMon\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Antivirus","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60984" "*taskkill /im powerpnt.exe /F*",".{0,1000}taskkill\s\/im\spowerpnt\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60985" "*taskkill /im savfmsesp.exe /f*",".{0,1000}taskkill\s\/im\ssavfmsesp\.exe\s\/f.{0,1000}","greyware_tool_keyword","taskkill","stopping Antivirus","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60986" "*taskkill /im sqbcoreservice.exe /F*",".{0,1000}taskkill\s\/im\ssqbcoreservice\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Backup","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60987" "*taskkill 
/im sqlagent.exe /F*",".{0,1000}taskkill\s\/im\ssqlagent\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60988" "*taskkill /im sqlbrowser.exe /F*",".{0,1000}taskkill\s\/im\ssqlbrowser\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60989" "*taskkill /im sqlservr.exe /F*",".{0,1000}taskkill\s\/im\ssqlservr\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Database Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60990" "*taskkill /im synctime.exe /F*",".{0,1000}taskkill\s\/im\ssynctime\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Synchronization Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60991" "*taskkill /im tbirdconfig.exe /F*",".{0,1000}taskkill\s\/im\stbirdconfig\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Email Client Configuration","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60992" "*taskkill /im thebat.exe /F*",".{0,1000}taskkill\s\/im\sthebat\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Email Client","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60993" "*taskkill /im thebat64.exe /F*",".{0,1000}taskkill\s\/im\sthebat64\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Email Client","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60994" "*taskkill /im thunderbird.exe /F*",".{0,1000}taskkill\s\/im\sthunderbird\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Email Client","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60995" "*taskkill /IM tmlisten.exe /F*",".{0,1000}taskkill\s\/IM\stmlisten\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Antivirus","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60996" "*taskkill /im visio.exe 
/F*",".{0,1000}taskkill\s\/im\svisio\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60998" "*taskkill /im winword.exe /F*",".{0,1000}taskkill\s\/im\swinword\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Office Application","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","60999" "*taskkill /im wordpad.exe /F*",".{0,1000}taskkill\s\/im\swordpad\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Text Editor","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","61000" "*taskkill /im xfssvccon.exe /F*",".{0,1000}taskkill\s\/im\sxfssvccon\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Financial Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","61001" "*taskkill /im zoolz.exe /F*",".{0,1000}taskkill\s\/im\szoolz\.exe\s\/F.{0,1000}","greyware_tool_keyword","taskkill","stopping Backup Service","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","8","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","61002" "*taskkill -f -im fdhost.exe*",".{0,1000}taskkill\s\-f\s\-im\sfdhost\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61011" "*taskkill -f -im fdlauncher.exe*",".{0,1000}taskkill\s\-f\s\-im\sfdlauncher\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61012" "*taskkill -f -im fdlauncher.exe*",".{0,1000}taskkill\s\-f\s\-im\sfdlauncher\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61013" "*taskkill -f -im MsDtsSrvr.exe*",".{0,1000}taskkill\s\-f\s\-im\sMsDtsSrvr\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61014" "*taskkill -f -im msftesql.exe*",".{0,1000}taskkill\s\-f\s\-im\smsftesql\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61015" "*taskkill -f -im msmdsrv.exe*",".{0,1000}taskkill\s\-f\s\-im\smsmdsrv\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61016" "*taskkill -f -im pg_ctl.exe*",".{0,1000}taskkill\s\-f\s\-im\spg_ctl\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61017" "*taskkill -f -im postgres.exe*",".{0,1000}taskkill\s\-f\s\-im\spostgres\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61018" "*taskkill -f -im ReportingServicesService.exe*",".{0,1000}taskkill\s\-f\s\-im\sReportingServicesService\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61019" "*taskkill -f -im SQLAGENT.EXE*",".{0,1000}taskkill\s\-f\s\-im\sSQLAGENT\.EXE.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61020" "*taskkill -f -im sqlbrowser.exe*",".{0,1000}taskkill\s\-f\s\-im\ssqlbrowser\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61021" "*taskkill -f -im sqlceip.exe*",".{0,1000}taskkill\s\-f\s\-im\ssqlceip\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61022" "*taskkill -f -im sqlservr.exe*",".{0,1000}taskkill\s\-f\s\-im\ssqlservr\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61023" "*taskkill -f -im sqlservr.exe*",".{0,1000}taskkill\s\-f\s\-im\ssqlservr\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61024" "*taskkill -f -im sqlwriter.exe*",".{0,1000}taskkill\s\-f\s\-im\ssqlwriter\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense 
Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61025" "*taskkill -f -im Ssms.exe*",".{0,1000}taskkill\s\-f\s\-im\sSsms\.exe.{0,1000}","greyware_tool_keyword","taskkill","terminate processes related to SQL servers","T1489","TA0040","N/A","N/A","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61026" "*taskkill.exe /F /IM lsass.exe*",".{0,1000}taskkill\.exe\s\/F\s\/IM\slsass\.exe.{0,1000}","greyware_tool_keyword","taskkill","killing lsass process","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://x.com/malmoeb/status/1741114854037987437","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61027" "*taskkill.exe /F /IM msiexec.exe*",".{0,1000}taskkill\.exe\s\/F\s\/IM\smsiexec\.exe.{0,1000}","greyware_tool_keyword","taskkill","evade EDR/AV by repairing with msiexec and killing the process","T1489 - T1569.002","TA0040 - TA0005","N/A","N/A","Defense Evasion","https://badoption.eu/blog/2024/03/23/cortex.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61028" "*tasklist /fi *Imagename eq lsass.exe*",".{0,1000}tasklist\s\/fi\s.{0,1000}Imagename\seq\slsass\.exe.{0,1000}","greyware_tool_keyword","tasklist","This might indicate an attempt to dump credentials. Investigate the process tree.","T1555","TA0006 - TA0007","N/A","APT5 - APT29 - OilRig - Ke3chang - Earth Lusca - Volt Typhoon - APT1 - Threat Group-3390 - Deep Panda - Turla - Naikon","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61030" "*tasklist /svc | findstr /i ""vmtoolsd.exe""*",".{0,1000}tasklist\s\/svc\s\|\sfindstr\s\/i\s\""vmtoolsd\.exe\"".{0,1000}","greyware_tool_keyword","tasklist","commands from wmiexec2.0 - is the same wmiexec that everyone knows and loves (debatable). 
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.","T1047 - T1027 - T1059","TA0005 - TA0002","N/A","APT5 - APT29 - OilRig - Ke3chang - Earth Lusca - Volt Typhoon - APT1 - Threat Group-3390 - Deep Panda - Turla - Naikon","Discovery","https://github.com/ice-wzl/wmiexec2","1","0","N/A","N/A","9","1","34","1","2024-06-12T17:56:15Z","2023-02-07T22:10:08Z","61032" "*tasklist /v /fi ""username eq system""*",".{0,1000}tasklist\s\/v\s\/fi\s\""username\seq\ssystem\"".{0,1000}","greyware_tool_keyword","taskkill","outputs a verbose list of all running processes associated with the SYSTEM account","T1057","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","61033" "*tasklist | findstr lsass*",".{0,1000}tasklist\s\|\sfindstr\slsass.{0,1000}","greyware_tool_keyword","tasklist","get LSASS process ID","T1057 - T1018","TA0007 - TA0006 - TA0005","N/A","N/A","Credential Access","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61034" "*tasklist.exe"" /v /fi ""username eq system""*",".{0,1000}tasklist\.exe\""\s\/v\s\/fi\s\""username\seq\ssystem\"".{0,1000}","greyware_tool_keyword","taskkill","outputs a verbose list of all running processes associated with the SYSTEM account","T1057","TA0007","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","8","8","N/A","N/A","N/A","N/A","61035" "*'TaskName'>\Bomgar Task *",".{0,1000}\'TaskName\'\>\\Bomgar\sTask\s.{0,1000}","greyware_tool_keyword","Bomgar","Bomgar (BeyondTrust) remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61036" "*taskset 1 /bin/sh -p*",".{0,1000}taskset\s1\s\/bin\/sh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - 
TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","61037" "*tcp://0.tcp.ngrok.io:*",".{0,1000}tcp\:\/\/0\.tcp\.ngrok\.io\:.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","61046" "*tcpdump *",".{0,1000}tcpdump\s.{0,1000}","greyware_tool_keyword","tcpdump","A powerful command-line packet analyzer, and libpcap, a portable C/C++ library for network traffic capture","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","N/A","Sniffing & Spoofing","http://www.tcpdump.org/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","61049" "*tdsskiller -dcsvc *",".{0,1000}tdsskiller\s\-dcsvc\s.{0,1000}","greyware_tool_keyword","TDSKiller","TDSKiller detects and removes malware - including rootkits - but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","LockBit - Avaddon - Dispossessor","Defense Evasion","https://www.majorgeeks.com/files/details/kaspersky_tdsskiller.html","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61053" "*TeamViewer VPN Adapter*",".{0,1000}TeamViewer\sVPN\sAdapter.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - 
Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61081" "*TEAMVIEWER.EXE-*.pf*",".{0,1000}TEAMVIEWER\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61082" "*TeamViewer\tv_w32.exe*",".{0,1000}TeamViewer\\tv_w32\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61083" "*TeamViewer\tv_x64.dll*",".{0,1000}TeamViewer\\tv_x64\.dll.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61084" 
"*TeamViewer\tv_x64.exe*",".{0,1000}TeamViewer\\tv_x64\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61085" "*TeamViewer\TVNetwork.log*",".{0,1000}TeamViewer\\TVNetwork\.log.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61086" "*TEAMVIEWER_.EXE-*.pf*",".{0,1000}TEAMVIEWER_\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61087" "*TeamViewer_Desktop.exe*",".{0,1000}TeamViewer_Desktop\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other 
terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61088" "*TEAMVIEWER_DESKTOP.EXE-*.pf*",".{0,1000}TEAMVIEWER_DESKTOP\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61089" "*TeamViewer_Hooks.log*",".{0,1000}TeamViewer_Hooks\.log.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61090" "*TeamViewer_LogMutex*",".{0,1000}TeamViewer_LogMutex.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - 
Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#mutex","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61091" "*TeamViewer_Service.exe*",".{0,1000}TeamViewer_Service\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61094" "*TEAMVIEWER_SERVICE.EXE-*.pf*",".{0,1000}TEAMVIEWER_SERVICE\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61095" "*TeamViewer_Setup_x64.exe*",".{0,1000}TeamViewer_Setup_x64\.exe.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61096" 
"*TEAMVIEWER_SETUP_X64.EXE-*.pf*",".{0,1000}TEAMVIEWER_SETUP_X64\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61097" "*TeamViewer_VirtualDeviceDriver*",".{0,1000}TeamViewer_VirtualDeviceDriver.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61098" "*TeamViewer_XPSDriverFilter*",".{0,1000}TeamViewer_XPSDriverFilter.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61099" "*TeamViewer15_Logfile.log*",".{0,1000}TeamViewer15_Logfile\.log.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - 
control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61100" "*TeamViewer3_Win32_Instance_Mutex*",".{0,1000}TeamViewer3_Win32_Instance_Mutex.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#mutex","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61101" "*TeamViewerHooks_DynamicMemMutex*",".{0,1000}TeamViewerHooks_DynamicMemMutex.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","0","#mutex","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61103" "*TeamViewerMeetingAddIn.dll*",".{0,1000}TeamViewerMeetingAddIn\.dll.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - 
TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61104" "*TeamViewerMeetingAddinShim.dll*",".{0,1000}TeamViewerMeetingAddinShim\.dll.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61105" "*TeamViewerMeetingAddinShim64.dll*",".{0,1000}TeamViewerMeetingAddinShim64\.dll.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS PANDA","RMM","https://www.teamviewer.com/","1","1","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61106" "*teamviewervpn.sys*",".{0,1000}teamviewervpn\.sys.{0,1000}","greyware_tool_keyword","teamviewer","TeamViewer Remote is software for remote assistance - control and access to computers and other terminals - abused by attackers","T1021.001 - T1059 - T1078 - T1133 - T1563","TA0001 - TA0002 - TA0005 - TA0008 - TA0011 - TA0010","N/A","LockBit - BERSERK BEAR - MUSTANG PANDA - TeamSpy Crew - BianLian - Scattered Spider* - Trigona - Yanluowang - FIN7 - LOTUS 
PANDA","RMM","https://www.teamviewer.com/","1","0","N/A","FP risk - teamviewer usage","10","10","N/A","N/A","N/A","N/A","61107" "*techws.*.swi-rc.com*",".{0,1000}techws\..{0,1000}\.swi\-rc\.com.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61111" "*telebit ssh auto*",".{0,1000}telebit\sssh\sauto.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61115" "*telebit tcp *",".{0,1000}telebit\stcp\s.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61116" "*telnet * | /bin/bash | telnet *",".{0,1000}telnet\s.{0,1000}\s\|\s\/bin\/bash\s\|\stelnet\s.{0,1000}","greyware_tool_keyword","telnet","telnet reverse shell ","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md","1","0","#linux","greyware tool - risks of False positive !","N/A","10","64862","15261","2025-04-09T09:16:20Z","2016-10-18T07:29:07Z","61123" "*temp*\gsync.exe*",".{0,1000}temp.{0,1000}\\gsync\.exe.{0,1000}","greyware_tool_keyword","Goodsync","GoodSync is a backup and file synchronization program abused by attackers for data exfiltration","T1567.002 - T1020 - T1039","TA0010 ","N/A","N/A","Data 
Exfiltration","https://www.goodsync.com/","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","61125" "*Temp*_WinSCP--Portable.zip*",".{0,1000}Temp.{0,1000}_WinSCP\-\-Portable\.zip.{0,1000}","greyware_tool_keyword","WinSCP","SFTP connection with winscp - legit tool abused by threat actors to exfiltrate data","T1105","TA0010","N/A","Akia - Unit 29155","Data Exfiltration","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61127" "*Temp\iprange.log*",".{0,1000}Temp\\iprange\.log.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","61135" "*teSlortnoCtnerruC*",".{0,1000}teSlortnoCtnerruC.{0,1000}","greyware_tool_keyword","_","reversed string for obfuscation","T1027","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61151" "*test.endpoint.rapid7.com*",".{0,1000}test\.endpoint\.rapid7\.com.{0,1000}","greyware_tool_keyword","rapid7","Vulnerability scanner","T1046 - T1068 - T1190 - T1201 - T1222 - T1592","TA0001 - TA0002 - TA0007 - TA0011","N/A","Black Basta","Vulnerability Scanner","https://www.rapid7.com/","1","1","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","61152" "*test-cloudflare-tunnel-cert-json.pem*",".{0,1000}test\-cloudflare\-tunnel\-cert\-json\.pem.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared Contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies 
traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","61163" "*testing.ssi.sh*",".{0,1000}testing\.ssi\.sh.{0,1000}","greyware_tool_keyword","sish","HTTP(S)/WS(S)/TCP Tunnels to localhost using only SSH.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/antoniomika/sish","1","1","N/A","N/A","10","10","4203","325","2025-04-10T20:04:08Z","2019-02-15T15:36:23Z","61176" "*The database engine created a new database*temp\Active Directory\ntds.dit*",".{0,1000}The\sdatabase\sengine\screated\sa\snew\sdatabase.{0,1000}temp\\Active\sDirectory\\ntds\.dit.{0,1000}","greyware_tool_keyword","ntdsutil","creating a full backup of the Active Directory database and saving it to the \temp directory","T1003.001 - T1070.004 - T1059","TA0006","N/A","Rhysida - Conti - Yanluowang - Lapsus$ - APT41","Credential Access","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","61218" "*the zrok environment was successfully enabled*",".{0,1000}the\szrok\senvironment\swas\ssuccessfully\senabled.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","61227" "*thebookisclosed/AmperageKit*",".{0,1000}thebookisclosed\/AmperageKit.{0,1000}","greyware_tool_keyword","AmperageKit","enabling Recall in Windows 11 version 24H2 on unsupported devices","T1005 - T1113 - T1056.001 - T1003","TA0009 - TA0010 - TA0006 - TA0007","N/A","N/A","Sniffing & Spoofing","https://github.com/thebookisclosed/AmperageKit","1","1","N/A","N/A","8","5","406","26","2024-06-21T16:37:12Z","2024-05-30T23:00:45Z","61229" "*TightVNC Service*",".{0,1000}TightVNC\sService.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61329" "*TightVNC Web Site.url*",".{0,1000}TightVNC\sWeb\sSite\.url.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61330" "*timwhitez/killProcessPOC*",".{0,1000}timwhitez\/killProcessPOC.{0,1000}","greyware_tool_keyword","killProcessPOC","use Avast (aswArPot.sys) to kill process - exploited by MONTI ransomware","T1055 - T1106 - T1560.002 - T1569","TA0005","Monti ransomware","N/A","Defense 
Evasion","https://github.com/timwhitez/killProcessPOC","1","0","N/A","https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf","10","1","67","8","2022-08-26T03:20:09Z","2022-04-27T08:25:50Z","61356" "*tmate -a ~/.ssh/authorized_keys*",".{0,1000}tmate\s\-a\s\~\/\.ssh\/authorized_keys.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","61367" "*tmate -F -n *",".{0,1000}tmate\s\-F\s\-n\s.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","0","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","61368" "*tmate -S /tmp*",".{0,1000}tmate\s\-S\s\/tmp.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate","1","0","#linux","N/A","10","10","5786","315","2023-10-16T11:59:37Z","2013-06-12T20:29:22Z","61369" "*tmate/tmate-ssh-server*",".{0,1000}tmate\/tmate\-ssh\-server.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","1","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","61370" "*tmate-io/tmate*",".{0,1000}tmate\-io\/tmate.{0,1000}","greyware_tool_keyword","tmate","Instant terminal sharing","T1071 - T1105 - T1573 - T1021","TA0010 - TA0011 - TA0008 - 
TA0002","N/A","WatchDog","C2","https://github.com/tmate-io/tmate-ssh-server","1","1","#linux","N/A","10","10","642","148","2024-06-21T11:52:24Z","2013-06-09T23:58:55Z","61371" "*tmole - Share your local server with a Public URL*",".{0,1000}tmole\s\-\sShare\syour\slocal\sserver\swith\sa\sPublic\sURL.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","61374" "*tmole --set-api-key *",".{0,1000}tmole\s\-\-set\-api\-key\s.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","61375" "*To: All Representatives From: Remote Support * has added a note to this session.*",".{0,1000}To\:\sAll\sRepresentatives\s\sFrom\:\sRemote\sSupport\s.{0,1000}\shas\sadded\sa\snote\sto\sthis\ssession\..{0,1000}","greyware_tool_keyword","Bomgar","Bomgar beyoundtrust Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.beyondtrust.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61384" "*tonyseek/rsocks*",".{0,1000}tonyseek\/rsocks.{0,1000}","greyware_tool_keyword","rsocks","A SOCKS 4/5 reverse proxy server","T1090 - T1571 - T1071 - T1095","TA0011 - TA0001 - TA0008","N/A","Scattered Spider*","C2","https://github.com/tonyseek/rsocks","1","1","N/A","N/A","10","10","131","13","2022-09-20T07:11:29Z","2015-03-08T22:31:31Z","61461" "*tools/adfind*",".{0,1000}tools\/adfind.{0,1000}","greyware_tool_keyword","adfind","Adfind is a command-line tool often used by administrators for Active Directory queries. However. 
attackers can misuse it to gather valuable information about the network environment. including user accounts. group memberships. domain controllers. and domain trusts. This gathered intelligence can aid in Lateral Movement. privilege escalation. or even data exfiltration. Such reconnaissance activities often precede more damaging attacks.","T1087 - T1016 - T1482","TA0007 - TA0008 - TA0043","N/A","APT29 - Akira - Black Basta - BlackSuit - Conti - COZY BEAR - Dagon Locker - Diavol - FIN6 - FIN7 - INC Ransom - LockBit - MAZE - MUSTANG PANDA - NetWalker - Nokoyawa - PLAY - Quantum - REvil - Royal - Ryuk - TA505 - TRAVELING SPIDER - Unit 29155 - WIZARD SPIDER - Wizard Spider - XingLocker - menuPass - Dispossessor","Discovery","https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/","1","1","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","61465" "*touch -a*",".{0,1000}touch\s\-a.{0,1000}","greyware_tool_keyword","touch","Timestomping is an anti-forensics technique which is used to modify the timestamps of a file* often to mimic files that are in the same folder.","T1070.006 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_timestomp_touch.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","61528" "*touch -m*",".{0,1000}touch\s\-m.{0,1000}","greyware_tool_keyword","touch","Timestomping is an anti-forensics technique which is used to modify the timestamps of a file* often to mimic files that are in the same folder.","T1070.006 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_timestomp_touch.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","61529" "*touch -t 
*",".{0,1000}touch\s\-t\s.{0,1000}","greyware_tool_keyword","touch","Timestomping is an anti-forensics technique which is used to modify the timestamps of a file* often to mimic files that are in the same folder.","T1070.006 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_timestomp_touch.toml","1","0","N/A","greyware tool - risks of False positive !","N/A","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","61530" "*Trojan.RemoteUtilitiesRAT*",".{0,1000}Trojan\.RemoteUtilitiesRAT.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access software","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","#Avsignature","N/A","10","10","N/A","N/A","N/A","N/A","61585" "*truncate -s 0 /var/log/messages*",".{0,1000}truncate\s\-s\s0\s\/var\/log\/messages.{0,1000}","greyware_tool_keyword","truncate","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","61653" "*truncate -s0 *bash_history'*",".{0,1000}truncate\s\-s0\s.{0,1000}bash_history\'.{0,1000}","greyware_tool_keyword","bash","Clear command history in linux which is used for defense evasion. 
","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1146/T1146.yaml","1","0","#linux","greyware tool - risks of False positive !","10","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","61654" "*truncate --size=0 /var/log/security*",".{0,1000}truncate\s\-\-size\=0\s\/var\/log\/security.{0,1000}","greyware_tool_keyword","truncate","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","61655" "*Trying to dump SentinelAgent to *",".{0,1000}Trying\sto\sdump\sSentinelAgent\sto\s.{0,1000}","greyware_tool_keyword","SentinelAgent","dump a process with SentinelAgent.exe","T1003 - T1055","TA0006 - TA0005","N/A","N/A","Credential Access","https://gist.github.com/adamsvoboda/8e248c6b7fb812af5d04daba141c867e","1","0","N/A","N/A","8","7","N/A","N/A","N/A","N/A","61671" "*tshark *-i *",".{0,1000}tshark\s.{0,1000}\-i\s.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","61682" "*tshark -f *",".{0,1000}tshark\s\-f\s.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","61683" "*tshark -Q*",".{0,1000}tshark\s\-Q.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - 
TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","61684" "*tshark -r *",".{0,1000}tshark\s\-r\s.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","61685" "*tshark*.deb*",".{0,1000}tshark.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","61686" "*ttyd -i 0.0.0.0 -p 7681 *",".{0,1000}ttyd\s\-i\s0\.0\.0\.0\s\-p\s7681\s.{0,1000}","greyware_tool_keyword","supershell","Supershell is a C2 remote control platform accessed through WEB services. By establishing a reverse SSH tunnel it obtains a fully interactive Shell and supports multi-platform architecture Payload","T1090 - T1059 - T1021","TA0011 - TA0005 - TA0002","N/A","N/A","C2","https://github.com/tdragon6/Supershell","1","0","N/A","N/A","10","10","1561","196","2023-09-26T13:53:55Z","2023-03-25T15:02:43Z","61690" "*ttyd -i 0.0.0.0 -p 7682 *",".{0,1000}ttyd\s\-i\s0\.0\.0\.0\s\-p\s7682\s.{0,1000}","greyware_tool_keyword","supershell","Supershell is a C2 remote control platform accessed through WEB services. 
By establishing a reverse SSH tunnel it obtains a fully interactive Shell and supports multi-platform architecture Payload","T1090 - T1059 - T1021","TA0011 - TA0005 - TA0002","N/A","N/A","C2","https://github.com/tdragon6/Supershell","1","0","N/A","N/A","10","10","1561","196","2023-09-26T13:53:55Z","2023-03-25T15:02:43Z","61691" "*tunnel -config *tunnel.yml*",".{0,1000}tunnel\s\-config\s.{0,1000}tunnel\.yml.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","61696" "*tunnel.ap.ngrok.com*",".{0,1000}tunnel\.ap\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61697" "*tunnel.au.ngrok.com*",".{0,1000}tunnel\.au\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in 
https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61698" "*tunnel.eu.ngrok.com*",".{0,1000}tunnel\.eu\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61699" "*tunnel.in.ngrok.com*",".{0,1000}tunnel\.in\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61700" "*tunnel.jp.ngrok.com*",".{0,1000}tunnel\.jp\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - 
Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61701" "*tunnel.pyjam.as*",".{0,1000}tunnel\.pyjam\.as.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","1","#linux","N/A","10","10","N/A","N/A","N/A","N/A","61702" "*tunnel.sa.ngrok.com*",".{0,1000}tunnel\.sa\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61703" "*tunnel.staqlab.com*",".{0,1000}tunnel\.staqlab\.com.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","1","N/A","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","61704" "*tunnel.us.ngrok.com*",".{0,1000}tunnel\.us\.ngrok\.com.{0,1000}","greyware_tool_keyword","ngrok","ngrok - abused by attackers for C2 usage","T1090 - T1095 - T1008 - T1102 - T1572 - T1567 - T1568.002","TA0011 - TA0010 - 
TA0005","N/A","Akira - BlackCat - Karakurt - Scattered Spider* - LockBit - Fox Kitten - LazyScripter - Unit 29155 - Common Raven - FoxKitten - Gamaredon - Dispossessor","C2","https://github.com/inconshreveable/ngrok","1","1","N/A","also seen in https://github.com/Velocidex/velociraptor-sigma-rules/blob/master/rules%2Flinux%2Fgeneric%2Fnetwork_connection%2Fnet_connection_lnx_ngrok_tunnel.yaml","10","10","24316","4287","2024-04-26T18:11:18Z","2013-03-20T09:37:43Z","61705" "*tunnel/httpproxy.go*",".{0,1000}tunnel\/httpproxy\.go.{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","N/A","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","61706" "*TUNNEL_WG_INTERFACE_NAME=*",".{0,1000}TUNNEL_WG_INTERFACE_NAME\=.{0,1000}","greyware_tool_keyword","tunnel.pyjam.as","SSL-terminated ephemeral HTTP tunnels to your local machine - no custom software required (thanks to wireguard)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","61707" "*tunnel-api.staqlab.com*",".{0,1000}tunnel\-api\.staqlab\.com.{0,1000}","greyware_tool_keyword","staqlab-tunnel","Expose localhost to internet","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/cocoflan/Staqlab-tunnel","1","1","N/A","N/A","10","10","1","0","2020-05-19T06:43:14Z","2020-05-19T06:19:31Z","61708" "*tunneld -tlsCrt *",".{0,1000}tunneld\s\-tlsCrt\s.{0,1000}","greyware_tool_keyword","go-http-tunnel","Fast and secure tunnels over HTTP/2","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/mmatczuk/go-http-tunnel","1","0","N/A","N/A","10","10","3261","308","2025-04-16T21:49:57Z","2016-10-12T12:59:38Z","61709" "*Tunneling remote connection from * to *",".{0,1000}Tunneling\sremote\sconnection\sfrom\s.{0,1000}\sto\s.{0,1000}","greyware_tool_keyword","reverse-tunnel","rtun is a tool for exposing TCP and UDP ports to the Internet via a public gateway server. You can expose ssh and mosh server on a machine behind firewall and NAT.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/snsinfu/reverse-tunnel","1","0","N/A","N/A","10","10","217","42","2023-10-15T07:29:32Z","2018-07-09T21:41:50Z","61712" "*'Tunnelmole Service listening on http port *",".{0,1000}\'Tunnelmole\sService\slistening\son\shttp\sport\s.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","61713" "*Tunnelmole Service listening on websocket port *",".{0,1000}Tunnelmole\sService\slistening\son\swebsocket\sport\s.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","61714" "*tunnelmole/cjs*",".{0,1000}tunnelmole\/cjs.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","61715" "*TUNNELMOLE_TELEMETRY*",".{0,1000}TUNNELMOLE_TELEMETRY.{0,1000}","greyware_tool_keyword","tunnelmole-client","tmole - Share your local server 
with a Public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/robbie-cahill/tunnelmole-client/","1","0","N/A","N/A","10","10","1382","86","2025-04-04T09:06:21Z","2023-02-08T08:27:57Z","61716" "*tunnels-prod-rel-tm.trafficmanager.net*",".{0,1000}tunnels\-prod\-rel\-tm\.trafficmanager\.net.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61717" "*tunnels-prod-rel-tm.trafficmanager.net*",".{0,1000}tunnels\-prod\-rel\-tm\.trafficmanager\.net.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61718" "*tunnelto inspector*",".{0,1000}tunnelto\sinspector.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","61719" "*tunnelto --port *",".{0,1000}tunnelto\s\-\-port\s.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","0","#linux","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","61720" "*tunnelto_server/src/*",".{0,1000}tunnelto_server\/src\/.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","61721" "*tunnelto-linux.tar.gz*",".{0,1000}tunnelto\-linux\.tar\.gz.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","#linux","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","61722" "*tunnelto-windows.exe*",".{0,1000}tunnelto\-windows\.exe.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","61723" "*tunwg --forward*",".{0,1000}tunwg\s\-\-forward.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61725" "*tunwg -p *",".{0,1000}tunwg\s\-p\s.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61726" "*tunwg*wireguard.go*",".{0,1000}tunwg.{0,1000}wireguard\.go.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","1","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61727" "*tunwg: initiating handshake to server*",".{0,1000}tunwg\:\sinitiating\shandshake\sto\sserver.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61728" "*TUNWG_IP=*",".{0,1000}TUNWG_IP\=.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61729" "*TUNWG_RELAY*",".{0,1000}TUNWG_RELAY.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - 
T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61730" "*TUNWG_RUN_SERVER*",".{0,1000}TUNWG_RUN_SERVER.{0,1000}","greyware_tool_keyword","tunwg","End to end encrypted secure tunnel to local servers","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/ntnj/tunwg","1","0","N/A","N/A","10","10","236","8","2024-09-18T15:03:45Z","2023-01-16T17:51:13Z","61731" "*turn-*.zohomeeting.com*",".{0,1000}turn\-.{0,1000}\.zohomeeting\.com.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61732" "*turn.console.gotoassist.com*",".{0,1000}turn\.console\.gotoassist\.com.{0,1000}","greyware_tool_keyword","LogMeIn","LogMeIn is a legitimate remote support software that allows IT and customer support teams to remotely access and control devices to provide support - abused by threat actors ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","BlackSuit - Royal - Trigona - Yanluowang","RMM","https://www.logmein.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61733" "*tvnserver*",".{0,1000}tvnserver.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61735" "*tvnserver.exe*",".{0,1000}tvnserver\.exe.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by 
attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61736" "*tvnviewer.exe*",".{0,1000}tvnviewer\.exe.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61737" "*typeperf.exe ""\System\Processor Queue Length"" -si * -sc 1*",".{0,1000}typeperf\.exe\s\""\\System\\Processor\sQueue\sLength\""\s\-si\s.{0,1000}\s\-sc\s1.{0,1000}","greyware_tool_keyword","typeperf","checks how many processes are waiting for CPU time every 120 seconds, capturing it once - most likely for sandbox evasion or timing mechanism","T1057 - T1202","TA0005","More_eggs","Akira - FIN6","Defense Evasion","https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/","1","0","N/A","N/A","7","9","N/A","N/A","N/A","N/A","61755" "*UCCAPI/16.0.13328.20130 OC/16.0.13426.20234*",".{0,1000}UCCAPI\/16\.0\.13328\.20130\sOC\/16\.0\.13426\.20234.{0,1000}","greyware_tool_keyword","lyncsmash","default user agent used by lyncsmash.py - a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations ","T1190 - T1087 - T1110","TA0006 - TA0007","N/A","N/A","Credential Access","https://github.com/nyxgeek/lyncsmash","1","1","#useragent","greyware_tools high risks of false positives","8","4","337","63","2024-10-01T11:22:01Z","2016-05-20T04:32:41Z","61796" "*ui/rest/download/xeoxagentgeneric/*",".{0,1000}ui\/rest\/download\/xeoxagentgeneric\/.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - 
T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61804" "*uks1.rel.tunnels.api.visualstudio.com*",".{0,1000}uks1\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61815" "*ulm.aeroadmin.com/*",".{0,1000}ulm\.aeroadmin\.com\/.{0,1000}","greyware_tool_keyword","aeroadmin","RMM software - full remote control / file transfer","T1021.001 - T1048.003","TA0008 - TA0011 - TA0009 - TA0010","N/A","N/A","RMM","https://ulm.aeroadmin.com/AeroAdmin.exe","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61819" "*UltraVNC Launcher.lnk*",".{0,1000}UltraVNC\sLauncher\.lnk.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61823" "*ultravnc mslogonacl*",".{0,1000}ultravnc\smslogonacl.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61824" "*UltraVNC Repeater.lnk*",".{0,1000}UltraVNC\sRepeater\.lnk.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access 
software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61825" "*UltraVNC Server Settings.lnk*",".{0,1000}UltraVNC\sServer\sSettings\.lnk.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61826" "*UltraVNC Server.lnk*",".{0,1000}UltraVNC\sServer\.lnk.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61827" "*ultravnc testauth*",".{0,1000}ultravnc\stestauth.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61828" "*UltraVNC Viewer.lnk*",".{0,1000}UltraVNC\sViewer\.lnk.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61829" "*UltraVNC_*_X86_Setup*",".{0,1000}UltraVNC_.{0,1000}_X86_Setup.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - 
TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61830" "*ULTRAVNC_1*_X86_SETUP.EXE-*.pf*",".{0,1000}ULTRAVNC_1.{0,1000}_X86_SETUP\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61831" "*ultravnc_repeater*",".{0,1000}ultravnc_repeater.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61832" "*ultravnc_server*",".{0,1000}ultravnc_server.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61833" "*ultravnc_viewer*",".{0,1000}ultravnc_viewer.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61834" "*umount /usr/share/ehorus/.gvfs -r >/dev/null 2>&1*",".{0,1000}umount\s\/usr\/share\/ehorus\/\.gvfs\s\-r\s\>\/dev\/null\s2\>\&1.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers 
wherever they are from a browser without direct connectivity to their devices from the outside. (server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61837" "*uname -a* w* id* /bin/bash -i*",".{0,1000}uname\s\-a.{0,1000}\sw.{0,1000}\sid.{0,1000}\s\/bin\/bash\s\-i.{0,1000}","greyware_tool_keyword","shell","Reverse Shell Command Line","T1105 - T1021.001 - T1021.002","TA0002 - TA0008","N/A","N/A","C2","https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_shell_susp_rev_shells.yml","1","0","#linux","greyware tool - risks of False positive !","N/A","10","9115","2316","2025-04-17T19:43:35Z","2016-12-24T09:48:49Z","61848" "*Uninstall Remote Utilities - Viewer.lnk*",".{0,1000}Uninstall\sRemote\sUtilities\s\-\sViewer\.lnk.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61867" "*Uninstall Remote Utilities Server.lnk*",".{0,1000}Uninstall\sRemote\sUtilities\sServer\.lnk.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61868" "*Uninstall Remote Utilities.lnk*",".{0,1000}Uninstall\sRemote\sUtilities\.lnk.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - 
UAC-0050","RMM","https://www.remoteutilities.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61869" "*Uninstall RemotePC.lnk*",".{0,1000}Uninstall\sRemotePC\.lnk.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61870" "*Uninstall-WindowsFeature -Name Windows-Defender*",".{0,1000}Uninstall\-WindowsFeature\s\-Name\sWindows\-Defender.{0,1000}","greyware_tool_keyword","powershell","powershell command to uninstall defender AV","T1562.001 - T1112 - T1059 - T1036","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61873" "*Universal.Virus.Sniffer.4.15.zip*",".{0,1000}Universal\.Virus\.Sniffer\.4\.15\.zip.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61875" "*unlink /var/log/*",".{0,1000}unlink\s\/var\/log\/.{0,1000}","greyware_tool_keyword","unlink","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","61884" "*unlink ~/.bash_history*",".{0,1000}unlink\s\~\/\.bash_history.{0,1000}","greyware_tool_keyword","unlink","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61885" "*unlink 
~/.zsh_history*",".{0,1000}unlink\s\~\/\.zsh_history.{0,1000}","greyware_tool_keyword","unlink","Indicator Removal on Host","T1070.002 - T1562.004 - T1059.004","TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61886" "*unlink -f /var/log/*",".{0,1000}unlink\s\-f\s\/var\/log\/.{0,1000}","greyware_tool_keyword","unlink","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","61887" "*unlink -r /var/log/*",".{0,1000}unlink\s\-r\s\/var\/log\/.{0,1000}","greyware_tool_keyword","unlink","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","61888" "*unlink -rf /var/log/*",".{0,1000}unlink\s\-rf\s\/var\/log\/.{0,1000}","greyware_tool_keyword","unlink","Indicator Removal on Host - clearing logs","T1070.002","TA0005","N/A","N/A","Defense Evasion","https://github.com/mthcht/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md","1","0","#linux","N/A","10","1","0","0","2025-03-01T22:20:20Z","2025-03-01T21:01:46Z","61889" "*unset HISTFILE && HISTSIZE=0 && rm -f $HISTFILE && unset HISTFILE*",".{0,1000}unset\sHISTFILE\s\&\&\sHISTSIZE\=0\s\&\&\srm\s\-f\s\$HISTFILE\s\&\&\sunset\sHISTFILE.{0,1000}","greyware_tool_keyword","unset","disable history logging","T1056.001 - T1562.001","TA0004 - TA0010 - TA0040","N/A","N/A","Credential Access","https://github.com/hak5/omg-payloads/tree/master/payloads/library/credentials/OMGLogger","1","0","#linux","N/A","10","10","904","310","2024-09-14T02:34:26Z","2021-09-08T20:33:18Z","61906" "*unset 
HISTFILE*",".{0,1000}unset\sHISTFILE.{0,1000}","greyware_tool_keyword","bash","Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml","1","0","#linux","greyware tool - risks of False positive !","10","10","2262","557","2025-04-22T18:32:29Z","2020-06-17T21:48:18Z","61907" "*unset HISTFILE*",".{0,1000}unset\sHISTFILE.{0,1000}","greyware_tool_keyword","unset","linux commands abused by attackers","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Defense Evasion","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","61908" "*unset HISTFILE*",".{0,1000}unset\sHISTFILE.{0,1000}","greyware_tool_keyword","unset","covering history tracks on linux system","T1070 - T1070.001 - T1070.004 - T1070.003 - T1070.002","TA0005 - TA0043","N/A","N/A","Defense Evasion","https://rosesecurity.gitbook.io/red-teaming-ttps/linux","1","0","#linux","risk of False positive","5","8","N/A","N/A","N/A","N/A","61909" "*unset HISTFILESIZE*",".{0,1000}unset\sHISTFILESIZE.{0,1000}","greyware_tool_keyword","unset","covering history tracks on linux system","T1070 - T1070.001 - T1070.004 - T1070.003 - T1070.002","TA0005 - TA0043","N/A","N/A","Defense Evasion","https://rosesecurity.gitbook.io/red-teaming-ttps/linux","1","0","#linux","risk of False positive","5","8","N/A","N/A","N/A","N/A","61910" "*unset HISTSIZE*",".{0,1000}unset\sHISTSIZE.{0,1000}","greyware_tool_keyword","unset","covering history tracks on linux system","T1070 - T1070.001 - T1070.004 - T1070.003 - T1070.002","TA0005 - 
TA0043","N/A","N/A","Defense Evasion","https://rosesecurity.gitbook.io/red-teaming-ttps/linux","1","0","#linux","risk of False positive","5","8","N/A","N/A","N/A","N/A","61911" "*unshadow passwd shadow > *",".{0,1000}unshadow\spasswd\sshadow\s\>\s.{0,1000}","greyware_tool_keyword","unshadow","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Credential Access","N/A","1","0","#linux","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","61917" "*update.argotunnel.com*",".{0,1000}update\.argotunnel\.com.{0,1000}","greyware_tool_keyword","cloudflared","cloudflared contains the command-line client for Cloudflare Tunnel - a tunneling daemon that proxies traffic from the Cloudflare network to your origins","T1572 - T1090 - T1071","TA0001 - TA0011","N/A","BlackSuit - Royal - Akira - Scattered Spider* - Gamaredon - TA4557 - FIN6","C2","https://github.com/cloudflare/cloudflared","1","1","N/A","N/A","10","10","10383","927","2025-04-10T16:59:49Z","2017-10-13T19:54:47Z","61924" "*update.remoteutilities.net*",".{0,1000}update\.remoteutilities\.net.{0,1000}","greyware_tool_keyword","RemoteUtilities","RemoteUtilities Remote Access softwares","T1021 - T1083 - T1113 - T1218.007 - T1105 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","RagnarLocker - MuddyWater - UAC-0050","RMM","https://www.remoteutilities.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","61925" "*Update-AADIntADFSFederationSettings!""*",".{0,1000}Update\-AADIntADFSFederationSettings!\"".{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - 
T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","61927" "*Update-AADIntADFSFederationSettings*",".{0,1000}Update\-AADIntADFSFederationSettings.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","61928" "*Update-AADIntSPOSiteFile*",".{0,1000}Update\-AADIntSPOSiteFile.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","61929" "*Update-AADIntSyncCredentials*",".{0,1000}Update\-AADIntSyncCredentials.{0,1000}","greyware_tool_keyword","AADInternals","AADInternals PowerShell module for administering Azure AD and Office 365","T1583 - T1558 - T1078 - T1136 - T1087 - T1114 - T1566 - T1056 - T1199 - T1098 - T1649 - T1621 - T1649","TA0006 - TA0003 - TA0004 - TA0005 - TA0007 - TA0009 - TA0011","N/A","APT29 - COZY BEAR","Exploitation tool","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","9","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","61930" 
"*update-check.softether-network.net*",".{0,1000}update\-check\.softether\-network\.net.{0,1000}","greyware_tool_keyword","SoftEtherVPN","Cross-platform multi-protocol VPN software abused by attackers","T1133 - T1210 - T1573 - T1219 - T1571","TA0001 - TA0002 - TA0003 - TA0005 - TA0010","N/A","GALLIUM","Defense Evasion","https://github.com/SoftEtherVPN/SoftEtherVPN","1","1","#VPN","N/A","8","10","12183","2647","2025-04-13T22:05:51Z","2014-01-02T12:40:57Z","61931" "*Updating Tailscale from *",".{0,1000}Updating\sTailscale\sfrom\s.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","61935" "*updog --*",".{0,1000}updog\s\-\-.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","0","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","61936" "*updog -d /*",".{0,1000}updog\s\-d\s\/.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","0","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","61937" "*updog -p *",".{0,1000}updog\s\-p\s.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. 
It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","0","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","61938" "*updog-master.zip*",".{0,1000}updog\-master\.zip.{0,1000}","greyware_tool_keyword","updog","Updog is a replacement for SimpleHTTPServer. It allows uploading and downloading via HTTP/S can set ad hoc SSL certificates and use http basic auth.","T1567 - T1074.001 - T1020","TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/sc0tfree/updog","1","1","N/A","N/A","9","10","3052","314","2024-03-13T15:52:39Z","2020-02-18T15:29:21Z","61939" "*upgrades.syncthing.net*",".{0,1000}upgrades\.syncthing\.net.{0,1000}","greyware_tool_keyword","syncthing","Open Source Continuous File Synchronization - abused by attackers for data exfiltration","T1046 - T1041 - T1020 - T1567","TA0043 - TA0007 - TA0010 ","N/A","Dispossessor - UAC-0020","Data Exfiltration","https://github.com/syncthing/syncthing","1","1","N/A","https://cert.gov.ua/article/6279600","9","10","69579","4486","2025-04-22T01:30:11Z","2013-11-26T09:48:21Z","61940" "*upload.box.com*",".{0,1000}upload\.box\.com.{0,1000}","greyware_tool_keyword","Box","Attackers have used box to store malicious files and then share them with targets - box can also be used for data exfiltration by attackers","T1567.002 - T1071.001 - T1036 - T1048.002","TA0005 - TA0010 - TA0009","N/A","N/A","Data Exfiltration","https://app.box.com/","1","1","#filehostingservice","N/A","9","7","N/A","N/A","N/A","N/A","61942" "*upload4.easyupload.io*",".{0,1000}upload4\.easyupload\.io.{0,1000}","greyware_tool_keyword","easyupload.io","file hosting platform abused by attackers to host malicious files - URL used when uploading a file on the site","T1567.002 - T1071.001 - T1041 - T1036.002","TA0010","N/A","Black Basta","Data 
Exfiltration","N/A","1","1","#filehostingservice","N/A","8","10","N/A","N/A","N/A","N/A","61945" "*Uploading MeshCommander*",".{0,1000}Uploading\sMeshCommander.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","0","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","61953" "*use localtunnel_client::*",".{0,1000}use\slocaltunnel_client\:\:.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#content","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","61991" "*use localtunnel_server::*",".{0,1000}use\slocaltunnel_server\:\:.{0,1000}","greyware_tool_keyword","Rust Localtunnels","Localtunnel implementation in Rust - exposes your localhost endpoint to the world","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/kaichaosun/rlt","1","0","#content","N/A","7","2","119","13","2024-12-16T09:09:34Z","2022-06-27T05:57:34Z","61992" "*use.rel.tunnels.api.visualstudio.com*",".{0,1000}use\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","61999" "*use2.rel.tunnels.api.visualstudio.com*",".{0,1000}use2\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","62000" "*USER_AGENT = 'Lomond/*",".{0,1000}USER_AGENT\s\=\s\'Lomond\/.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","0","#useragent","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","62014" "*useradd -d /usr/share/ehorus -p * ehorus*",".{0,1000}useradd\s\-d\s\/usr\/share\/ehorus\s\-p\s.{0,1000}\sehorus.{0,1000}","greyware_tool_keyword","EHORUS RMM","Pandora RC (formerly called eHorus) is a computer management system for MS Windows - Linux and MacOS that allows access to registered computers wherever they are from a browser without direct connectivity to their devices from the outside. 
(server based on VNC)","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Blacksuit - Royal","RMM","https://pandorafms.com/en/remote-control/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62021" "*useradd -rm crowbar*",".{0,1000}useradd\s\-rm\scrowbar.{0,1000}","greyware_tool_keyword","crowbar","Tunnel TCP over a plain HTTP session","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","Dispossessor","C2","https://github.com/q3k/crowbar","1","0","N/A","N/A","10","10","476","41","2021-01-24T08:21:05Z","2015-02-03T18:40:00Z","62022" "*UserAgent*PingCastleAutoUpdater*",".{0,1000}UserAgent.{0,1000}PingCastleAutoUpdater.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://github.com/netwrix/pingcastle","1","0","#useragent","N/A","10","10","2486","303","2025-02-28T10:16:24Z","2018-08-31T17:42:48Z","62027" "*usermod -a -G boringproxy boringproxy*",".{0,1000}usermod\s\-a\s\-G\sboringproxy\sboringproxy.{0,1000}","greyware_tool_keyword","boringproxy","Simple tunneling reverse proxy with a fast web UI and auto HTTPS. 
Designed for self-hosters.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/boringproxy/boringproxy","1","0","N/A","N/A","10","10","1276","121","2024-07-06T10:13:37Z","2020-09-26T21:58:07Z","62038" "*--user-unit=telebit*",".{0,1000}\-\-user\-unit\=telebit.{0,1000}","greyware_tool_keyword","telebit.cloud","Access your devices - Share your stuff (shell from telebit.cloud)","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://telebit.cloud/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62065" "*usw2.rel.tunnels.api.visualstudio.com*",".{0,1000}usw2\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","62103" "*usw3.rel.tunnels.api.visualstudio.com*",".{0,1000}usw3\.rel\.tunnels\.api\.visualstudio\.com.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","62104" "*uTorrent (1).exe*",".{0,1000}uTorrent\s\(1\)\.exe.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. 
Can be used for collection and exfiltration. Not something we want to see installed in an enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","0","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","62110" "*uTorrent.exe*",".{0,1000}uTorrent\.exe.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. Not something we want to see installed in an enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","1","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","62111" "*utorrent_installer.exe*",".{0,1000}utorrent_installer\.exe.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. Not something we want to see installed in an enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","1","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","62112" "*utweb_installer.exe*",".{0,1000}utweb_installer\.exe.{0,1000}","greyware_tool_keyword","utorrent","popular BitTorrent client used for downloading files over the BitTorrent network. a peer-to-peer file sharing protocol. Can be used for collection and exfiltration. 
Not something we want to see installed in an enterprise network","T1193 - T1204 - T1486 - T1048","TA0005 - TA0009 - TA0011 - TA0010 - TA0040","N/A","N/A","Data Exfiltration","https[://]www[.]utorrent[.]com/intl/fr/","1","1","#P2P","N/A","N/A","N/A","N/A","N/A","N/A","N/A","62113" "*ValdikSS/dropbear-sshj*",".{0,1000}ValdikSS\/dropbear\-sshj.{0,1000}","greyware_tool_keyword","SSH-J.com","This is Dropbear SSH server modified to be used as a public SSH jump & port forwarding service","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://bitbucket.org/ValdikSS/dropbear-sshj/src/master/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62120" "*vaults.*.swi-rc.com*",".{0,1000}vaults\..{0,1000}\.swi\-rc\.com.{0,1000}","greyware_tool_keyword","Dameware","SolarWinds Dameware Remote Control utilities","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.solarwinds.com/fr/remote-support-software","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62124" "*VboxHeadless.exe -startvm * -v off*",".{0,1000}VboxHeadless\.exe\s\-startvm\s.{0,1000}\s\-v\soff.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","62136" "*VBoxManage startvm * --type headless*",".{0,1000}VBoxManage\sstartvm\s.{0,1000}\s\-\-type\sheadless.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","62137" "*VBoxManage*setextradata global GUI/SuppressMessages 
*",".{0,1000}VBoxManage.{0,1000}setextradata\sglobal\sGUI\/SuppressMessages\s.{0,1000}","greyware_tool_keyword","VirtualBox","hiding VirtualBox notifications - abused by attacker to hide their VM persistence","T1564.001 - T1053 - T1547","TA0005 - TA0003","N/A","RagnarLocker ","Defense Evasion","https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","62138" "*VBoxManage.exe startvm * --type headless*",".{0,1000}VBoxManage\.exe\sstartvm\s.{0,1000}\s\-\-type\sheadless.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","62139" "*VBoxManage.exe startvm * -v off*",".{0,1000}VBoxManage\.exe\sstartvm\s.{0,1000}\s\-v\soff.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","62140" "*VBoxManage.exe"" startvm * --type headless*",".{0,1000}VBoxManage\.exe\""\sstartvm\s.{0,1000}\s\-\-type\sheadless.{0,1000}","greyware_tool_keyword","VirtualBox","Starts VirtualBox in headless mode","T1202 - T1564.001 - T1072","TA0005 - TA0008","N/A","RagnarLocker ","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","7","7","N/A","N/A","N/A","N/A","62141" "*vbs2exe.exe *",".{0,1000}vbs2exe\.exe\s.{0,1000}","greyware_tool_keyword","redpill","Assist reverse tcp shells in post-exploration tasks","T1082 - T1016 - T1049 - T1057 - T1489 - T1070 - T1562 - T1563 - 
T1119 - T1518 - T1602 - T1530 - T1113 - T1125 - T1105 - T1133 - T1056 - T1114 - T1539 - T1552 - T1214 - T1110 - T1040 - T1436 - T1068 - T1088 - T1564 - T1112 - T1547 - T1574 - T1204 - T1215 - T1046 - T1557 - T1136 - T1059 - T1127 - T1555 - T1548 - T1115 - T1003","TA0007 - TA0003 - TA0005 - TA0009 - TA0002 - TA0006 - TA0004 - TA0010 - TA0011","N/A","N/A","Exploitation tool","https://github.com/r00t-3xp10it/redpill","1","0","N/A","N/A","10","3","218","52","2024-03-19T15:03:16Z","2021-02-20T23:59:07Z","62145" "*viewerhostkeypopup.exe *",".{0,1000}viewerhostkeypopup\.exe\s.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC RMM tool - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.remotedesktop.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62184" "*vim /etc/ssh/sshd_config*",".{0,1000}vim\s\/etc\/ssh\/sshd_config.{0,1000}","greyware_tool_keyword","ssh","modification of the sshd configuration file - could be an attacker establishing persistence or a legitimate admin behavior","T1059.004 - T1078 - T1053","TA0005 - TA0003 - TA0006","N/A","N/A","Persistence","https://x.com/mthcht/status/1827714529687658796","1","0","#linux","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","62189" "*vim -c ':py3 import os* os.execl(\""/bin/sh\*",".{0,1000}vim\s\-c\s\'\:py3\simport\sos.{0,1000}\sos\.execl\(\\\""\/bin\/sh\\.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","62190" "*vimdiff -c ':py3 import os* os.execl(\""/bin/sh\*",".{0,1000}vimdiff\s\-c\s\'\:py3\simport\sos.{0,1000}\sos\.execl\(\\\""\/bin\/sh\\.{0,1000}","greyware_tool_keyword","AutoSUID","automate 
harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","#linux","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","62191" "*vivaldi* --headless * --dump-dom http*",".{0,1000}vivaldi.{0,1000}\s\-\-headless\s.{0,1000}\s\-\-dump\-dom\shttp.{0,1000}","greyware_tool_keyword","chromium","Headless Chromium allows running Chromium in a headless/server environment - downloading a file - abused by attackers","T1553.002 - T1059.005 - T1071.001 - T1561","TA0002","N/A","N/A","Defense Evasion","https://redcanary.com/blog/intelligence-insights-june-2023/","1","0","N/A","N/A","4","5","N/A","N/A","N/A","N/A","62229" "*vivaldi.exe* --load-extension=""*\Users\*\Appdata\Local\Temp\*",".{0,1000}vivaldi\.exe.{0,1000}\s\-\-load\-extension\=\"".{0,1000}\\Users\\.{0,1000}\\Appdata\\Local\\Temp\\.{0,1000}","greyware_tool_keyword","chromium","The --load-extension switch allows the source to specify a target directory to load as an extension. 
This gives malware the opportunity to start a new browser window with their malicious extension loaded.","T1136.001 - T1176 - T1059.007","TA0003 - TA0004 - TA0005","N/A","N/A","Exploitation tool","https://www.mandiant.com/resources/blog/lnk-between-browsers","1","0","N/A","risk of false positives","7","10","N/A","N/A","N/A","N/A","62230" "*vncviewer *.*:5901*",".{0,1000}vncviewer\s.{0,1000}\..{0,1000}\:5901.{0,1000}","greyware_tool_keyword","vncviewer","linux commands abused by attackers - find guid and suid sensitives perm","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","RMM","N/A","1","0","#linux","greyware_tools high risks of false positives","10","10","N/A","N/A","N/A","N/A","62254" "*VNCviewer Config File*",".{0,1000}VNCviewer\sConfig\sFile.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry value","10","10","N/A","N/A","N/A","N/A","62255" "*VncViewer.Config*",".{0,1000}VncViewer\.Config.{0,1000}","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","0","#registry","registry","10","10","N/A","N/A","N/A","N/A","62256" "*VncViewer.Config*",".{0,1000}VncViewer\.Config.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - 
APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","#registry","registry path","10","10","N/A","N/A","N/A","N/A","62257" "*VNCViewer.exe*",".{0,1000}VNCViewer\.exe.{0,1000}","greyware_tool_keyword","vncviewer","VNCViewer is an RMM tool that has been exploited by attackers to gain unauthorized remote access ","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62259" "*VNCVIEWER.EXE-*.pf*",".{0,1000}VNCVIEWER\.EXE\-.{0,1000}\.pf.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62260" "*volatility2 --profile=*",".{0,1000}volatility2\s\-\-profile\=.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","62263" "*volatility3 -f *.dmp*",".{0,1000}volatility3\s\-f\s.{0,1000}\.dmp.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","62264" "*'VSA X Manager*",".{0,1000}\'VSA\sX\sManager.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring 
software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62276" "*'VSA X Remote Control'*",".{0,1000}\'VSA\sX\sRemote\sControl\'.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62277" "*'VSA X Service'*",".{0,1000}\'VSA\sX\sService\'.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62278" "*'VSA X User Agent'*",".{0,1000}\'VSA\sX\sUser\sAgent\'.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62279" "*vssadmin create shadow /for=C:*",".{0,1000}vssadmin\screate\sshadow\s\/for\=C\:.{0,1000}","greyware_tool_keyword","vssadmin","the command is used to create a new Volume Shadow Copy for a specific volume which can be utilized by an attacker to collect data from the local 
system","T1005","TA0009","N/A","N/A","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62281" "*vssadmin create shadow /for=C:* \Temp\*.tmp*",".{0,1000}vssadmin\screate\sshadow\s\/for\=C\:.{0,1000}\s\\Temp\\.{0,1000}\.tmp.{0,1000}","greyware_tool_keyword","vssadmin","the actor creating a Shadow Copy and then extracting a copy of the ntds.dit file from it.","T1003.001 - T1567.001 - T1070.004","TA0005 - TA0003 - TA0007","N/A","Volt Typhoon","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62282" "*vssadmin delete shadows /all /quiet*",".{0,1000}vssadmin\sdelete\sshadows\s\/all\s\/quiet.{0,1000}","greyware_tool_keyword","vssadmin","executes a command to delete the targeted PC volume shadow copies so victims cannot restore older unencrypted versions of their files","T1486 - T1562.001 - T1213 - T1070.004 - T1070.006 - T1105","TA0040 - TA0009 - TA0011 - TA0005","N/A","Ragnar Locker","Defense Evasion","https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62285" "*vssadmin delete shadows*",".{0,1000}vssadmin\sdelete\sshadows.{0,1000}","greyware_tool_keyword","vssadmin","inhibiting recovery by deleting backup and recovery data to prevent system recovery after an attack","T1490","TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62288" "*vssadmin list shadows*",".{0,1000}vssadmin\slist\sshadows.{0,1000}","greyware_tool_keyword","vssadmin","List shadow copies using vssadmin","T1059.003 - T1059.001 - T1005","TA0002 - TA0005 - TA0010","N/A","N/A","discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62289" "*vssadmin* Delete Shadows /All 
/Quiet*",".{0,1000}vssadmin.{0,1000}\sDelete\sShadows\s\/All\s\/Quiet.{0,1000}","greyware_tool_keyword","vssadmin","Deletes all Volume Shadow Copies from the system quietly (without prompts).","T1490","TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62290" "*vssadmin*resize shadowstorage /for=c: /on=c: /maxsize=1*",".{0,1000}vssadmin.{0,1000}resize\sshadowstorage\s\/for\=c\:\s\/on\=c\:\s\/maxsize\=1.{0,1000}","greyware_tool_keyword","vssadmin","inhibiting recovery by deleting backup and recovery data to prevent system recovery after an attack","T1490","TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62291" "*vssadmin.exe Create Shadow /for=*",".{0,1000}vssadmin\.exe\screate\sshadow\s\/for\=.{0,1000}","greyware_tool_keyword","vssadmin","the command is used to create a new Volume Shadow Copy for a specific volume which can be utilized by an attacker to collect data from the local system","T1005","TA0009","N/A","N/A","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62292" "*vsxrc-client.dll*",".{0,1000}vsxrc\-client\.dll.{0,1000}","greyware_tool_keyword","kaseya VSA","Kaseya VSA (Virtual System Administrator) is a cloud-based IT management and remote monitoring software designed for managed service providers (MSPs) and IT departments -it is abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.kaseya.com/products/vsa/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62295" "*vulny-code-static-analysis --dir *",".{0,1000}vulny\-code\-static\-analysis\s\-\-dir\s.{0,1000}","greyware_tool_keyword","exegol","Fully featured and community-driven hacking environment with hundreds of offensive tools","T1218 - T1140 - T1543 - T1095 - T1571 - T1547 - T1078 - T1559","TA0043 - TA0002 - TA0004 - TA0011 - TA0003","N/A","Black 
Basta","Exploitation tool","https://github.com/ThePorgs/Exegol","1","0","N/A","N/A","10","10","2354","209","2025-04-09T16:56:24Z","2020-03-09T19:12:11Z","62307" "*w32tm /config */manualpeerlist:*",".{0,1000}w32tm\s\/config\s.{0,1000}\/manualpeerlist\:.{0,1000}","greyware_tool_keyword","w32times","changes the NTP source - potentially redirecting time synchronization to malicious or compromised NTP servers.","T1619","TA0005 - TA0008","N/A","APT3","Defense Evasion","N/A","1","0","N/A","N/A","5","7","N/A","N/A","N/A","N/A","62338" "*wbadmin delete backup*",".{0,1000}wbadmin\sdelete\sbackup.{0,1000}","greyware_tool_keyword","wbadmin","hinder recovery efforts with wbadmin","T1485 - T1490","TA0040 - TA0005","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62377" "*wbadmin delete catalog -quiet*",".{0,1000}wbadmin\sdelete\scatalog\s\-quiet.{0,1000}","greyware_tool_keyword","wbadmin","delete the Windows backup utility catalog","T1565.001 - T1070 - T1490","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62378" "*wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest*",".{0,1000}wbadmin\sDELETE\sSYSTEMSTATEBACKUP\s\-deleteOldest.{0,1000}","greyware_tool_keyword","wbadmin","Wbadmin allows administrators to manage and automate backup and recovery operations in Windows systems. Adversaries may abuse wbadmin to manipulate backups and restore points as part of their evasion tactics. This can include deleting backup files. disabling backup tasks. or tampering with backup configurations to hinder recovery efforts and potentially erase traces of their malicious activities. By interfering with backups. 
adversaries can make it more challenging for defenders to restore systems and detect their presence.","T1490 - T1562.001","TA0040 - TA0007","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62379" "*wbadmin DELETE SYSTEMSTATEBACKUP*",".{0,1000}wbadmin\sDELETE\sSYSTEMSTATEBACKUP.{0,1000}","greyware_tool_keyword","wbadmin","Wbadmin allows administrators to manage and automate backup and recovery operations in Windows systems. Adversaries may abuse wbadmin to manipulate backups and restore points as part of their evasion tactics. This can include deleting backup files. disabling backup tasks. or tampering with backup configurations to hinder recovery efforts and potentially erase traces of their malicious activities. By interfering with backups. adversaries can make it more challenging for defenders to restore systems and detect their presence.","T1490 - T1562.001","TA0040 - TA0007","N/A","N/A","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62380" "*-web.screenconnect.com*",".{0,1000}\-web\.screenconnect\.com.{0,1000}","greyware_tool_keyword","ScreenConnect","ConnectWise Control formerly known as Screenconnect is a remote desktop software application.","T1021.001 - T1133","TA0008 - TA0009 - TA0010 - TA0011","N/A","Black Basta - BlackCat - LockBit - Scattered Spider* - Hive - Trigona - Medusa - Yanluowang - GOLD SOUTHFIELD - MuddyWater ","RMM","https://screenconnect.connectwise.com/download","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62415" "*web1.remotepc.com*",".{0,1000}web1\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62417" "*webhooksite/webhook.site*",".{0,1000}webhooksite\/webhook\.site.{0,1000}","greyware_tool_keyword","webhook.site","test HTTP webhooks with this 
handy tool that displays requests instantly - abused by attacker for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/webhooksite/webhook.site","1","1","N/A","N/A","10","10","5806","457","2025-04-04T10:42:59Z","2016-03-21T08:45:42Z","62434" "*wevtutil cl *",".{0,1000}wevtutil\scl\s.{0,1000}","greyware_tool_keyword","wevtutil","adversaries can delete specific event logs or clear their contents. erasing potentially valuable information that could aid in detection. incident response. or forensic investigations. This tactic aims to hinder forensic analysis efforts and make it more challenging for defenders to reconstruct the timeline of events or identify malicious activities.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62459" "*wevtutil clear-log*",".{0,1000}wevtutil\sclear\-log.{0,1000}","greyware_tool_keyword","wevtutil","adversaries can delete specific event logs or clear their contents. erasing potentially valuable information that could aid in detection. incident response. or forensic investigations. 
This tactic aims to hinder forensic analysis efforts and make it more challenging for defenders to reconstruct the timeline of events or identify malicious activities.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62460" "*wevtutil* cl ""Microsoft-Windows-Storage-ATAPort/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Storage\-ATAPort\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62463" "*wevtutil* cl ""Microsoft-Windows-Storage-ClassPnP/A*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Storage\-ClassPnP\/A.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62464" "*wevtutil* cl ""Microsoft-Windows-Storage-Disk/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Storage\-Disk\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62465" "*wevtutil* cl 
""Microsoft-Windows-StorageManagement/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-StorageManagement\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62466" "*wevtutil* cl ""Microsoft-Windows-StorageSpaces-Driver/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-StorageSpaces\-Driver\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62467" "*wevtutil* cl ""Microsoft-Windows-StorageSpaces-ManagementAgent/WHC*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-StorageSpaces\-ManagementAgent\/WHC.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62468" "*wevtutil* cl ""Microsoft-Windows-StorageSpaces-SpaceManager/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-StorageSpaces\-SpaceManager\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and 
older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62469" "*wevtutil* cl ""Microsoft-Windows-Storage-Storport/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Storage\-Storport\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62470" "*wevtutil* cl ""Microsoft-Windows-Storage-Tiering/Admin*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Storage\-Tiering\/Admin.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62471" "*wevtutil* cl ""Microsoft-Windows-Storage-Tiering-IoHeat/Heat*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Storage\-Tiering\-IoHeat\/Heat.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62472" "*wevtutil* cl 
""Microsoft-Windows-Store/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Store\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62473" "*wevtutil* cl ""Microsoft-Windows-Subsys-Csr/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Subsys\-Csr\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62474" "*wevtutil* cl ""Microsoft-Windows-Subsys-SMSS/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Subsys\-SMSS\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62475" "*wevtutil* cl ""Microsoft-Windows-Superfetch/Main*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Superfetch\/Main.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential 
Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62476" "*wevtutil* cl ""Microsoft-Windows-Superfetch/PfApLog*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Superfetch\/PfApLog.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62477" "*wevtutil* cl ""Microsoft-Windows-Superfetch/StoreLog*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Superfetch\/StoreLog.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62478" "*wevtutil* cl ""Microsoft-Windows-Sysmon/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Sysmon\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62479" "*wevtutil* cl ""Microsoft-Windows-Sysprep/Analytic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Sysprep\/Analytic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample 
(dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62480" "*wevtutil* cl ""Microsoft-Windows-System-Profile-HardwareId/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-System\-Profile\-HardwareId\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62481" "*wevtutil* cl ""Microsoft-Windows-SystemSettingsHandlers/Debug*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-SystemSettingsHandlers\/Debug.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62482" "*wevtutil* cl ""Microsoft-Windows-SystemSettingsThreshold/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-SystemSettingsThreshold\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential 
Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62483" "*wevtutil* cl ""Microsoft-Windows-TaskbarCPL/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TaskbarCPL\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62484" "*wevtutil* cl ""Microsoft-Windows-TaskScheduler/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TaskScheduler\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62485" "*wevtutil* cl ""Microsoft-Windows-TCPIP/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TCPIP\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62486" "*wevtutil* cl ""Microsoft-Windows-TerminalServices-*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TerminalServices\-.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session 
password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62487" "*wevtutil* cl ""Microsoft-Windows-Tethering-Manager/Analytic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Tethering\-Manager\/Analytic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62488" "*wevtutil* cl ""Microsoft-Windows-Tethering-Station/Analytic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Tethering\-Station\/Analytic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62489" "*wevtutil* cl ""Microsoft-Windows-ThemeCPL/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-ThemeCPL\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62490" "*wevtutil* cl 
""Microsoft-Windows-ThemeUI/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-ThemeUI\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62491" "*wevtutil* cl ""Microsoft-Windows-Threat-Intelligence/Analytic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Threat\-Intelligence\/Analytic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62492" "*wevtutil* cl ""Microsoft-Windows-Time-Service/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-Time\-Service\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62493" "*wevtutil* cl ""Microsoft-Windows-TSF-msctf/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TSF\-msctf\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential 
Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62494" "*wevtutil* cl ""Microsoft-Windows-TTS/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TTS\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62495" "*wevtutil* cl ""Microsoft-Windows-TunnelDriver*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TunnelDriver.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62496" "*wevtutil* cl ""Microsoft-Windows-TWinUI/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TWinUI\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62497" "*wevtutil* cl ""Microsoft-Windows-TZSync/*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TZSync\/.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process 
(old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62498" "*wevtutil* cl ""Microsoft-Windows-TZUtil/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-TZUtil\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62499" "*wevtutil* cl ""Microsoft-Windows-UAC/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-UAC\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62500" "*wevtutil* cl ""Microsoft-Windows-UAC-FileVirtualization/Operational*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-UAC\-FileVirtualization\/Operational.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62501" "*wevtutil* cl 
""Microsoft-Windows-UIAnimation/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-UIAnimation\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62502" "*wevtutil* cl ""Microsoft-Windows-UI-Shell/Diagnostic*",".{0,1000}wevtutil.{0,1000}\scl\s\""Microsoft\-Windows\-UI\-Shell\/Diagnostic.{0,1000}","greyware_tool_keyword","wevtutil","observed used by lslsass sample (dump active logon session password hashes from the lsass process (old tool for vista and older))","T1003.001","TA0006","N/A","APT1","Credential Access","https://www.virustotal.com/gui/file/b24ab1f8cb68547932dd8a5c81e9b2133763a7ddf48aa431456530c1340b939e/details","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62503" "*wevtutil.exe cl *",".{0,1000}wevtutil\.exe\scl\s.{0,1000}","greyware_tool_keyword","wevtutil","adversaries can delete specific event logs or clear their contents. erasing potentially valuable information that could aid in detection. incident response. or forensic investigations. This tactic aims to hinder forensic analysis efforts and make it more challenging for defenders to reconstruct the timeline of events or identify malicious activities.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62504" "*wevtutil.exe clear-log*",".{0,1000}wevtutil\.exe\sclear\-log.{0,1000}","greyware_tool_keyword","wevtutil","adversaries can delete specific event logs or clear their contents. erasing potentially valuable information that could aid in detection. incident response. or forensic investigations. 
This tactic aims to hinder forensic analysis efforts and make it more challenging for defenders to reconstruct the timeline of events or identify malicious activities.","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62505" "*wevtutil.exe sl * /e:false*",".{0,1000}wevtutil\.exe\ssl\s.{0,1000}\s\/e\:false.{0,1000}","greyware_tool_keyword","wevtutil","disable a specific eventlog","T1070.004 - T1562.001","TA0005 - TA0040","N/A","N/A","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62506" "*wget -O - -q http://*.jpg|sh*",".{0,1000}wget\s\-O\s\-\s\-q\shttp\:\/\/.{0,1000}\.jpg\|sh.{0,1000}","greyware_tool_keyword","wget","potential malicious command with wget (|sh)","T1566","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://x.com/CraigHRowland/status/1782938242108837896","1","0","#linux","risk of false positive","9","10","N/A","N/A","N/A","N/A","62528" "*wget -O - -q https://*.jpg|sh*",".{0,1000}wget\s\-O\s\-\s\-q\shttps\:\/\/.{0,1000}\.jpg\|sh.{0,1000}","greyware_tool_keyword","wget","potential malicious command with wget (|sh)","T1566","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://x.com/CraigHRowland/status/1782938242108837896","1","0","#linux","risk of false positive","9","10","N/A","N/A","N/A","N/A","62529" "*wget*.interact.sh*",".{0,1000}wget.{0,1000}\.interact\.sh.{0,1000}","greyware_tool_keyword","interactsh","Interactsh is an open-source tool for detecting out-of-band interactions. 
It is a tool designed to detect vulnerabilities that cause external interactions but is abused by attackers as C2","T1566.002 - T1566.001 - T1071 - T1102","TA0011 - TA0001","N/A","N/A","C2","https://github.com/projectdiscovery/interactsh","1","1","N/A","FP risk - legitimate service abused by attackers","10","10","3718","388","2025-04-22T12:41:45Z","2021-01-29T14:31:51Z","62532" "*wg-quick down ./tunnel.conf*",".{0,1000}wg\-quick\sdown\s\.\/tunnel\.conf.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","62534" "*wg-quick up ./tunnel.conf*",".{0,1000}wg\-quick\sup\s\.\/tunnel\.conf.{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","#linux","N/A","10","10","N/A","N/A","N/A","N/A","62535" "*whatsmyip.ccrmm.avg.com*",".{0,1000}whatsmyip\.ccrmm\.avg\.com.{0,1000}","greyware_tool_keyword","BarracudaRMM","Deliver remote support services - formerly AVG","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://www.barracudamsp.com/products/rmm/barracuda-rmm","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62546" "*whcli forward --token=*-*-* --target=https://localhost*",".{0,1000}whcli\sforward\s\-\-token\=.{0,1000}\-.{0,1000}\-.{0,1000}\s\-\-target\=https\:\/\/localhost.{0,1000}","greyware_tool_keyword","webhook.site","test HTTP webhooks with this handy tool that displays requests instantly - abused by attacker for payload callback confirmation","T1102 - T1071 - T1560.001","TA0011 - TA0042","N/A","N/A","C2","https://github.com/webhooksite/webhook.site","1","0","#linux","N/A","10","10","5806","457","2025-04-04T10:42:59Z","2016-03-21T08:45:42Z","62547" "*whether to download the 64bit 
version of PowerTool?*",".{0,1000}whether\sto\sdownload\sthe\s64bit\sversion\sof\sPowerTool\?.{0,1000}","greyware_tool_keyword","Powertool","tool abused by threat actors to deactivate Antivirus","T1562.001 - T1089 - T1562.009","TA0005","N/A","Play - Dispossessor","Defense Evasion","https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml","1","0","#content","N/A","10","10","N/A","N/A","N/A","N/A","62554" "*whoami /all*",".{0,1000}whoami\s\/all.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt.whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. privilege escalation. or targeted attacks within the compromised network.","T1033 - T1087 - T1069 - T1078","TA0007","N/A","Black Basta","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","62566" "*whoami /domain*",".{0,1000}whoami\s\/domain.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt.whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. privilege escalation. 
or targeted attacks within the compromised network.","T1033 - T1087 - T1069 - T1078","TA0007","N/A","Black Basta","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","62567" "*whoami /groups*",".{0,1000}whoami\s\/groups.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt.whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. privilege escalation. or targeted attacks within the compromised network.","T1033 - T1087 - T1069 - T1078","TA0007","N/A","Black Basta","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","62568" "*whoami /priv*",".{0,1000}whoami\s\/priv.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt.whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. privilege escalation. or targeted attacks within the compromised network.","T1033 - T1087 - T1069 - T1078","TA0007","N/A","Black Basta","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","62570" "*whoami*",".{0,1000}whoami.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt.whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. 
privilege escalation. or targeted attacks within the compromised network.","T1003.001 - T1087 - T1057 ","TA0007","N/A","Black Basta","Discovery","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml","1","0","N/A","greyware tool - risks of False positive !","1","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","62572" "*whoami.exe* /groups*",".{0,1000}whoami\.exe.{0,1000}\s\/groups.{0,1000}","greyware_tool_keyword","whoami","whoami is a legitimate command used to identify the current user executing the command in a terminal or command prompt.whoami can be used to gather information about the current user's privileges. credentials. and account name. which can then be used for Lateral Movement. privilege escalation. or targeted attacks within the compromised network.","T1003.001 - T1087 - T1057 ","TA0007","N/A","Black Basta","Collection","https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml","1","0","N/A","greyware tool - risks of False positive !","8","10","10466","2904","2025-04-21T13:09:54Z","2017-10-11T17:23:32Z","62573" "*wildfoundry/dataplicity-agent*",".{0,1000}wildfoundry\/dataplicity\-agent.{0,1000}","greyware_tool_keyword","Dataplicity","enables connecting local systems to dataplicity cloud for remotely accessing them over the internet.","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/wildfoundry/dataplicity-agent","1","1","N/A","N/A","9","2","167","32","2024-06-10T20:17:43Z","2016-07-27T14:23:01Z","62605" "*Win32.PUA.AmmyyAdmin*",".{0,1000}Win32\.PUA\.AmmyyAdmin.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","0","#Avsignature","N/A","10","10","N/A","N/A","N/A","N/A","62628" 
"*Win32/FileZilla_BundleInstaller*",".{0,1000}Win32\/FileZilla_BundleInstaller.{0,1000}","greyware_tool_keyword","FileZilla","FileZilla admintool used by threat actors for persistence and data exfiltration","T1505 - T1041","TA0003 - TA0009 -TA0010","N/A","Dispossessor - Akira - Karakurt - AvosLocker - LockBit - Nokoyawa - Diavol - Scattered Spider* - Unit 29155","Data Exfiltration","https://filezilla-project.org/","1","0","N/A","PUA risk of legitimate usage","8","9","N/A","N/A","N/A","N/A","62632" "*Win32/UniversalVirusSniffer*",".{0,1000}Win32\/UniversalVirusSniffer.{0,1000}","greyware_tool_keyword","Universal Virus Sniffer","Universal Virus Sniffer detect and remove malware - including rootkits but is also abused by attackers to disable antivirus","T1562 - T1055 - T1070","TA0005 - TA0004","N/A","Phobos","Defense Evasion","https://www.majorgeeks.com/files/details/universal_virus_sniffer.html","1","0","#Avsignature","N/A","8","10","N/A","N/A","N/A","N/A","62646" "*Win32_Shadowcopy | ForEach-Object {$_.Delete();*",".{0,1000}Win32_Shadowcopy\s\|\sForEach\-Object\s\{\$_\.Delete\(\)\;.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. 
Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62651" "*Windows\System32\Tasks\MEGA*",".{0,1000}Windows\\System32\\Tasks\\MEGA.{0,1000}","greyware_tool_keyword","MEGAsync","synchronize or backup your computers to MEGA","T1567.002 - T1537 - T1020 - T1030","TA0010 - TA0040","N/A","Akira - Phobos - BlackCat - Karakurt - Scattered Spider* - LockBit - BianLian - Hive - Trigona - Quantum - INC Ransom - EvilCorp* - Avaddon - EMBER BEAR","Data Exfiltration","https://mega.io/en/desktop","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62737" "*WindowsStoreAppExporter.exe*",".{0,1000}WindowsStoreAppExporter\.exe.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62770" "*winget install schollz.croc*",".{0,1000}winget\sinstall\sschollz\.croc.{0,1000}","greyware_tool_keyword","croc","croc is a tool that allows any two computers to simply and securely transfer files and folders","T1567.002 - T1090.002 - T1573.002 - T1102.003","TA0010 - TA0005 - TA0008 - TA0011","N/A","N/A","Data Exfiltration","https://github.com/schollz/croc","1","0","N/A","N/A","8","10","29989","1197","2025-04-16T23:30:54Z","2017-10-17T15:20:18Z","62777" "*winpty restic *",".{0,1000}winpty\srestic\s.{0,1000}","greyware_tool_keyword","restic","backup program used by threat actors for data exfiltration","T1567","TA0009 - 
TA0010","N/A","INC Ransom - Lynx","Data Exfiltration","https://github.com/restic/restic","1","0","N/A","N/A","8","10","28342","1599","2025-04-14T18:02:41Z","2014-04-27T14:07:58Z","62808" "*WinRing0*WinRing0x64.sys*",".{0,1000}WinRing0.{0,1000}WinRing0x64\.sys.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","62817" "*winrs -r:*cmd /c *",".{0,1000}winrs\s\-r\:.{0,1000}cmd\s\/c\s.{0,1000}","greyware_tool_keyword","winrs","WinRS for Lateral Movement","T1021.006 - T1028","TA0008 ","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","62824" "*winrs -r:*powershell -*",".{0,1000}winrs\s\-r\:.{0,1000}powershell\s\-.{0,1000}","greyware_tool_keyword","winrs","WinRS for Lateral Movement","T1021.006 - T1028","TA0008 ","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","62825" "*winrs -r:*whoami*",".{0,1000}winrs\s\-r\:.{0,1000}whoami.{0,1000}","greyware_tool_keyword","winrs","WinRS for Lateral Movement","T1021.006 - T1028","TA0008 ","N/A","N/A","Lateral Movement","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","62826" "*winscp.com /command ""open sftp://*",".{0,1000}winscp\.com\s\/command\s\""open\ssftp\:\/\/.{0,1000}","greyware_tool_keyword","WinSCP","SFTP connection with winscp - legit tool abused by threat actors to exfiltrate data","T1105","TA0010","N/A","Akia - Unit 29155","Data Exfiltration","N/A","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","62827" "*winst64.exe* /q /q /ex /i*",".{0,1000}winst64\.exe.{0,1000}\s\/q\s\/q\s\/ex\s\/i.{0,1000}","greyware_tool_keyword","NetSupport","NetSupport Manager is a remote access tool that can be used legitimately for IT management but has also been abused by adversaries for remote 
system control and surveillance","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Cuba - EvilCorp* - Black Basta - Moskalvzapoe","RMM","https://www.netsupportmanager.com/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62833" "*WinVNC.exe*",".{0,1000}WinVNC\.exe.{0,1000}","greyware_tool_keyword","UltraVNC","UltraVNC remote access software usage","T1021.001 - T1219 - T1076 - T1563.002","TA0008 - TA0009 - TA0010 - TA0011","N/A","Dispossessor - Gamaredon Group - APT39","RMM","https://uvnc.com/downloads/ultravnc.html","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62834" "*WireGuard/wireguard-go*",".{0,1000}WireGuard\/wireguard\-go.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","1","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62840" "*wireproxy --*",".{0,1000}wireproxy\s\-\-.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","62856" "*wireproxy -c *",".{0,1000}wireproxy\s\-c\s.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","62857" "*wireproxy -n *",".{0,1000}wireproxy\s\-n\s.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - 
TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","62858" "*wireproxy -s*",".{0,1000}wireproxy\s\-s.{0,1000}","greyware_tool_keyword","wireproxy","Wireguard client that exposes itself as a socks5 proxy","T1572 - T1090 - T1071.004","TA0011 - TA0005","N/A","N/A","C2","https://github.com/pufferffish/wireproxy","1","0","#linux","N/A","10","10","4893","299","2025-04-16T22:58:51Z","2022-03-11T12:32:10Z","62859" "*Wireshark*",".{0,1000}Wireshark.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62860" "*wireshark*.deb*",".{0,1000}wireshark.{0,1000}\.deb.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62861" "*Wireshark*.dmg*",".{0,1000}Wireshark.{0,1000}\.dmg.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","#macos","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62862" "*wireshark-*.tar.xz*",".{0,1000}wireshark\-.{0,1000}\.tar\.xz.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62863" 
"*wireshark-common*",".{0,1000}wireshark\-common.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62864" "*wireshark-dev*",".{0,1000}wireshark\-dev.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62865" "*wireshark-gtk*",".{0,1000}wireshark\-gtk.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62866" "*WiresharkPortable64*",".{0,1000}WiresharkPortable64.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62867" "*wireshark-qt*",".{0,1000}wireshark\-qt.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62868" "*Wireshark-win*.exe*",".{0,1000}Wireshark\-win.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","wireshark","Wireshark is a network protocol analyzer.","T1040 - T1052.001 - 
T1046","TA0001 - TA0002 - TA0007","N/A","Black Basta","Sniffing & Spoofing","https://www.wireshark.org/","1","1","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62869" "*wiretap add client --port *",".{0,1000}wiretap\sadd\sclient\s\-\-port\s.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62872" "*wiretap add server --*",".{0,1000}wiretap\sadd\sserver\s\-\-.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62873" "*wiretap configure --*",".{0,1000}wiretap\sconfigure\s\-\-.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62874" "*wiretap expose --dynamic*",".{0,1000}wiretap\sexpose\s\-\-dynamic.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62875" "*wiretap expose list*",".{0,1000}wiretap\sexpose\slist.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a 
transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62876" "*wiretap expose --local *",".{0,1000}wiretap\sexpose\s\-\-local\s.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62877" "*wiretap serve -f *",".{0,1000}wiretap\sserve\s\-f\s.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62878" "*WIRETAP_E2EE_INTERFACE_API*",".{0,1000}WIRETAP_E2EE_INTERFACE_API.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62879" "*WIRETAP_E2EE_PEER_ENDPOINT*",".{0,1000}WIRETAP_E2EE_PEER_ENDPOINT.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62880" 
"*WIRETAP_E2EE_PEER_PUBLICKEY*",".{0,1000}WIRETAP_E2EE_PEER_PUBLICKEY.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62881" "*WIRETAP_RELAY_INTERFACE_IPV4*",".{0,1000}WIRETAP_RELAY_INTERFACE_IPV4.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62882" "*WIRETAP_RELAY_INTERFACE_IPV6*",".{0,1000}WIRETAP_RELAY_INTERFACE_IPV6.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62883" "*WIRETAP_RELAY_PEER_ALLOWED*",".{0,1000}WIRETAP_RELAY_PEER_ALLOWED.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62884" "*WIRETAP_RELAY_PEER_PUBLICKEY*",".{0,1000}WIRETAP_RELAY_PEER_PUBLICKEY.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - 
TA0003","N/A","N/A","C2","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","62885" "*WizTreeMutex*",".{0,1000}WizTreeMutex.{0,1000}","greyware_tool_keyword","wiztree","legitimate tool abused by threat actors to obtain network files and directory listings","T1083","TA0007","N/A","Fox Kitten - Faust - Bitlocker - Akira - Cactus - BlackSuit - Royal","Discovery","N/A","1","0","#mutex","N/A","3","6","N/A","N/A","N/A","N/A","62889" "*wmic /* /user:administrator process call create *cmd.exe /c *",".{0,1000}wmic\s\/.{0,1000}\s\/user\:administrator\sprocess\scall\screate\s.{0,1000}cmd\.exe\s\/c\s.{0,1000}","greyware_tool_keyword","wmic","Lateral Movement with wmic","T1078 - T1028 - T1106 - T1105","TA0002 - TA0004","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","62912" "*wmic /node:* /user:* /password:* process call create ""\\*\*.exe*",".{0,1000}wmic\s\/node\:.{0,1000}\s\/user\:.{0,1000}\s\/password\:.{0,1000}\sprocess\scall\screate\s\""\\\\.{0,1000}\\.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","wmic","Execute file hosted over SMB on remote system with specified credential","T1021.002 - T1047","TA0002 - TA0008","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62915" "*wmic /node:* path Win32_TerminalServiceSetting where AllowTSConnections=""0"" call SetAllowTSConnections ""1""*",".{0,1000}wmic\s\/node\:.{0,1000}\spath\sWin32_TerminalServiceSetting\swhere\sAllowTSConnections\=\""0\""\scall\sSetAllowTSConnections\s\""1\"".{0,1000}","greyware_tool_keyword","wmic","Remotely start RDP with wmic","T1021.006 - T1112 - 
T1562.001","TA0002 - TA0008","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Lateral Movement","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62916" "*wmic /node:*.*.*.*computersystem get username*",".{0,1000}wmic\s\/node\:.{0,1000}\..{0,1000}\..{0,1000}\..{0,1000}computersystem\sget\susername.{0,1000}","greyware_tool_keyword","wmic","get the currently logged-on user with wmic","T1047 - T1033","TA0002 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","62917" "*wmic /node:*localhost*computersystem get username*",".{0,1000}wmic\s\/node\:.{0,1000}localhost.{0,1000}computersystem\sget\susername.{0,1000}","greyware_tool_keyword","wmic","get the currently logged-on user with wmic","T1047 - T1033","TA0002 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","62918" "*wmic /node:{1} process call create ""rundll32.exe C:\ProgramData\*",".{0,1000}wmic\s\/node\:\{1\}\sprocess\scall\screate\s\""rundll32\.exe\sC\:\\ProgramData\\.{0,1000}","greyware_tool_keyword","wmic","Executing a DLL from the ProgramData folder with wmic - seen with the Dispossessor ransomware group","T1218.011 - T1047 - T1059.005","TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR - Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62919" "*wmic computersystem get domain*",".{0,1000}wmic\scomputersystem\sget\sdomain.{0,1000}","greyware_tool_keyword","wmic","get domain name with wmic","T1016 - T1087.002","TA0007 - TA0009","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - 
COZY BEAR","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","62920" "*wmic process call create*ntdsutil *ac i ntds* ifm*create full*",".{0,1000}wmic\sprocess\scall\screate.{0,1000}ntdsutil\s.{0,1000}ac\si\sntds.{0,1000}\sifm.{0,1000}create\sfull.{0,1000}","greyware_tool_keyword","wmic","The actor has executed WMIC commands [T1047] to create a copy of the ntds.dit file and SYSTEM registry hive using ntdsutil.exe","T1047 - T1005 - T1567.001","TA0002 - TA0003 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Credential Access","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","0","N/A","N/A","N/A","N/A","N/A","N/A","N/A","N/A","62923" "*wmic process get commandline -all*",".{0,1000}wmic\sprocess\sget\scommandline\s\-all.{0,1000}","greyware_tool_keyword","wmic","list all running processes and their command lines on a Windows system","T1057 - T1082 - T1518","TA0007 - TA0009","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a","1","0","N/A","greyware tool - risks of False positive !","9","10","N/A","N/A","N/A","N/A","62924" "*wmic process get commandline*",".{0,1000}wmic\sprocess\sget\scommandline.{0,1000}","greyware_tool_keyword","wmic","Use WMIC to retrieve process command-line arguments","T1057","TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","N/A","1","0","N/A","N/A","6","8","N/A","N/A","N/A","N/A","62925" "*wmic product where ""name like '%Malwarebytes%'"" call uninstall /nointeractive*",".{0,1000}wmic\sproduct\swhere\s\""name\slike\s\'\%Malwarebytes\%\'\""\scall\suninstall\s\/nointeractive.{0,1000}","greyware_tool_keyword","wmic","uninstall Malwarebytes","T1070.004","TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - 
COZY BEAR","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62926" "*wmic product where ""name like 'Malwarebytes%'"" call uninstall /nointeractive*",".{0,1000}wmic\sproduct\swhere\s\""name\slike\s\'Malwarebytes\%\'\""\scall\suninstall\s\/nointeractive.{0,1000}","greyware_tool_keyword","wmic","uninstall Malwarebytes","T1070.004","TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#c01","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62927" "*wmic service brief*",".{0,1000}wmic\sservice\sbrief.{0,1000}","greyware_tool_keyword","wmic","wmic discovery commands abused by attackers","T1007","TA0007 ","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","4","N/A","N/A","N/A","N/A","62928" "*wmic service where ""caption like '%Sophos%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""caption\slike\s\'\%Sophos\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","Stop All Sophos Services","T1562.001","TA0005 - TA0040","N/A","Dispossessor","Defense Evasion","https://vx-underground.org/Archive/Dispossessor%20Leaks","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62929" "*wmic service where ""name like '%veeam%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'\%veeam\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62930" "*wmic service where ""name like 'acronisagent%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'acronisagent\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62931" "*wmic service where ""name like 'acrsch2svc%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'acrsch2svc\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62932" "*wmic service where ""name like 'agntsvc%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'agntsvc\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62933" "*wmic service 
where ""name like 'arsm%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'arsm\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62934" "*wmic service where ""name like 'backp%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'backp\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62935" "*wmic service where ""name like 'backup%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'backup\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62936" "*wmic service where ""name like 'cbservi%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'cbservi\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - 
TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62937" "*wmic service where ""name like 'cbvscserv%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'cbvscserv\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62938" "*wmic service where ""name like 'shadowprotectsvc%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'shadowprotectsvc\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62939" "*wmic service where ""name like 'spxservice%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'spxservice\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62940" "*wmic service where ""name like 'sqbcoreservice%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'sqbcoreservice\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62941" "*wmic service where ""name like 'stc_endpt_svc%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'stc_endpt_svc\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62942" "*wmic service where ""name like 'storagecraft imagemanager%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'storagecraft\simagemanager\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense 
Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62943" "*wmic service where ""name like 'veeam%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'veeam\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62944" "*wmic service where ""name like 'vsnapvss%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'vsnapvss\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62945" "*wmic service where ""name like 'vssvc%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'vssvc\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62946" "*wmic service where ""name like 
'wbengine%'"" call stopservice*",".{0,1000}wmic\sservice\swhere\s\""name\slike\s\'wbengine\%\'\""\scall\sstopservice.{0,1000}","greyware_tool_keyword","wmic","stopping backup service","T1562.002 - T1489","TA0005 - TA0040","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/TheParmak/conti-leaks-englished/blob/45d49307f347aff10e0f088af25142f8929b4c4f/anonfile_dumps/31.txt#L236","1","0","N/A","N/A","10","7","611","143","2022-03-16T23:17:08Z","2022-02-28T06:56:06Z","62947" "*wmic SHADOWCOPY /nointeractive*",".{0,1000}wmic\sSHADOWCOPY\s\/nointeractive.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","62948" "*wmic shadowcopy delete*",".{0,1000}wmic\sshadowcopy\sdelete.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. 
Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62950" "*wmic useraccount get /ALL /format:csv*",".{0,1000}wmic\suseraccount\sget\s\/ALL\s\/format\:csv.{0,1000}","greyware_tool_keyword","wmic","User Enumeration","T1087 - T1033","TA0006","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Reconnaissance","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","62952" "*wmic volume list brief*",".{0,1000}wmic\svolume\slist\sbrief.{0,1000}","greyware_tool_keyword","wmic","wmic discovery commands abused by attackers","T1082","TA0007 ","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","N/A","4","N/A","N/A","N/A","N/A","62953" "*wmic*/Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName*",".{0,1000}wmic.{0,1000}\/Namespace\:\\\\root\\SecurityCenter2\sPath\sAntiVirusProduct\sGet\sdisplayName.{0,1000}","greyware_tool_keyword","wmic","list AV products with wmic","T1518.001 - T1082","TA0007 - TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Discovery","N/A","1","0","N/A","greyware tool - risks of False positive !","2","9","N/A","N/A","N/A","N/A","62954" "*wmic.exe process call create *.txt:*.exe*",".{0,1000}wmic\.exe\sprocess\scall\screate\s.{0,1000}\.txt\:.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","wmic","Execute a .EXE file stored as an Alternate Data Stream (ADS)","T1105 - T1027.001 - T1096 - T1036","TA0002 - TA0008","N/A","MAZE - Conti - Hive 
- Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Anti-Forensics.md","1","0","N/A","N/A","N/A","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","62955" "*wmic.exe process call create *cmd /c *",".{0,1000}wmic\.exe\sprocess\scall\screate\s.{0,1000}cmd\s\/c\s.{0,1000}","greyware_tool_keyword","wmic","call cmd.exe with wmic","T1047 - T1059","TA0002 - TA0009","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Collection","N/A","1","0","N/A","greyware tool - risks of False positive !","5","10","N/A","N/A","N/A","N/A","62956" "*wmic.exe SHADOWCOPY /nointeractive*",".{0,1000}wmic\.exe\sSHADOWCOPY\s\/nointeractive.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0007","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","N/A","1","0","N/A","greyware tool - risks of False positive !","10","10","N/A","N/A","N/A","N/A","62957" "*wmic.exe shadowcopy delete*",".{0,1000}wmic\.exe\sshadowcopy\sdelete.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. 
Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62958" "*WMIC.exe shadowcopy where *ID=* delete*",".{0,1000}WMIC\.exe\sshadowcopy\swhere\s.{0,1000}ID\=.{0,1000}\sdelete.{0,1000}","greyware_tool_keyword","wmic","VSS is a feature in Windows that allows for the creation of snapshots of a volume capturing its state at a specific point in time. Adversaries may abuse the wmic shadowcopy command to interact with these shadow copies for defense evasion purposes.","T1490 - T1562.002","TA0040 - TA0005","N/A","MAZE - Conti - Hive - Quantum - TargetCompany - PYSA - AvosLocker - COZY BEAR","Defense Evasion","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","62959" "*wormhole.tunnelto.dev*",".{0,1000}wormhole\.tunnelto\.dev.{0,1000}","greyware_tool_keyword","tunnelto.dev","Expose your local web server to the internet with a public URL","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/agrinman/tunnelto","1","1","N/A","N/A","10","10","2167","118","2022-09-24T21:28:44Z","2020-03-22T05:39:49Z","63047" "*Write Wireguard server configuration to disk.*",".{0,1000}Write\sWireguard\sserver\sconfiguration\sto\sdisk\..{0,1000}","greyware_tool_keyword","tunnel","Tunnel is a server/client package that enables to proxy public connections to your local machine over a tunnel connection from the local machine to the public server. 
What this means is, you can share your localhost even if it doesn't have a Public IP or if it's not reachable from outside","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/koding/tunnel","1","0","N/A","N/A","10","10","328","72","2023-10-20T13:43:58Z","2015-05-28T07:26:42Z","63065" "*Write Wireguard server configuration to disk.*",".{0,1000}Write\sWireguard\sserver\sconfiguration\sto\sdisk\..{0,1000}","greyware_tool_keyword","tunnel","SSL-terminated ephemeral HTTP tunnels to your local machine","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://gitlab.com/pyjam.as/tunnel","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63066" "*Write-Nessus-Finding(*",".{0,1000}Write\-Nessus\-Finding\(.{0,1000}","greyware_tool_keyword","adaudit","Powershell script to do domain auditing automation","T1482 - T1087","TA0007","N/A","N/A","Discovery","https://github.com/phillips321/adaudit","1","0","#content","N/A","8","4","389","106","2025-04-08T06:17:54Z","2018-04-20T11:29:06Z","63082" "*wss://*.tunnels.api.visualstudio.com/api/v1/Connect/*",".{0,1000}wss\:\/\/.{0,1000}\.tunnels\.api\.visualstudio\.com\/api\/v1\/Connect\/.{0,1000}","greyware_tool_keyword","dev-tunnels","Dev tunnels allow developers to securely share local web services across the internet. 
Enabling you to connect your local development environment with cloud services and share work in progress with colleagues or aid in building webhooks","T1021.003 - T1105 - T1090","TA0002 - TA0005 - TA0011","N/A","N/A","C2","https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview","1","0","N/A","N/A","8","10","N/A","N/A","N/A","N/A","63107" "*wss://meshcentral.com*",".{0,1000}wss\:\/\/meshcentral\.com.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","63108" "*www.1secmail.com/api/v1/?action=*",".{0,1000}www\.1secmail\.com\/api\/v1\/\?action\=.{0,1000}","greyware_tool_keyword","1secmail.com","using the API of 1secmail (temporary email service) could be abused by malicious actors - observed in SafeBreach-Labs/DoubleDrive tool","T1071.003","TA0005 - TA0001","N/A","N/A","Defense Evasion","https://www.1secmail.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63139" "*www.ammyy.com/files/v*",".{0,1000}www\.ammyy\.com\/files\/v.{0,1000}","greyware_tool_keyword","Ammyy Admin","Ammyy Admin is a remote desktop software application abused by attackers","T1021 - T1219 - T1563 - T1608","TA0002 - TA0008 - TA0011 - TA0040","N/A","Anunak","RMM","https://www.ammyy.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63141" "*www.anyplace-control.com/install*",".{0,1000}www\.anyplace\-control\.com\/install.{0,1000}","greyware_tool_keyword","AnyplaceControl","access your unattended PC from anywhere","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","www.anyplace-control[.]com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63143" 
"*www.autohotkey.com/download/*",".{0,1000}www\.autohotkey\.com\/download\/.{0,1000}","greyware_tool_keyword","AutoHotkey","AutoHotkey - macro-creation and automation-oriented scripting utility for Windows","T1056.001 - T1027 - T1059.001 - T1140","TA0005 - TA0002","N/A","N/A","Defense Evasion","https://github.com/AutoHotkey/AutoHotkey","1","1","N/A","abused by multiple threat actors https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html - False positives expected","6","10","10188","1001","2025-03-29T02:12:26Z","2009-11-25T11:08:21Z","63144" "*www.dwservice.net*",".{0,1000}www\.dwservice\.net.{0,1000}","greyware_tool_keyword","dwagent","The DWService to remotly control your machine - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Black Basta","RMM","https://github.com/dwservice/agent","1","1","N/A","N/A","10","5","471","83","2023-03-22T08:45:16Z","2019-01-23T10:40:24Z","63147" "*www.ip-api.com*",".{0,1000}www\.ip\-api\.com.{0,1000}","greyware_tool_keyword","ip-api.com","get public ip address","T1016 - T1071.001","TA0005 - TA0002","N/A","Volt Typhoon","Reconnaissance","https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF","1","1","N/A","greyware_tools high risks of false positives","N/A","N/A","N/A","N/A","N/A","N/A","63150" "*www.ired.team*",".{0,1000}www\.ired\.team.{0,1000}","greyware_tool_keyword","ired.team","Red Teaming Tactics and Techniques","T1593.003","TA0043","N/A","N/A","Reconnaissance","https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques","1","1","N/A","N/A","7","10","4234","1071","2024-08-22T07:17:31Z","2019-03-02T13:33:33Z","63151" "*www.mediafire.com/api/1.5/upload/*",".{0,1000}www\.mediafire\.com\/api\/1\.5\/upload\/.{0,1000}","greyware_tool_keyword","mediafire","uploading to mediafire","T1105 - T1114","TA0010","N/A","Black Basta","Data Exfiltration","N/A","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","63154" 
"*www.mediafire.com/file/*",".{0,1000}www\.mediafire\.com\/file\/.{0,1000}","greyware_tool_keyword","mediafire","downloading from mediafire","T1105 - T1114 - T1083","TA0009","N/A","Black Basta","Collection","N/A","1","1","#filehostingservice","N/A","7","8","N/A","N/A","N/A","N/A","63155" "*www.mediafire.com/file/*.rar/file*",".{0,1000}www\.mediafire\.com\/file\/.{0,1000}\.rar\/file.{0,1000}","greyware_tool_keyword","mediafire","downloading from mediafire - rar archive","T1105 - T1083 - T1560","TA0009 ","N/A","Black Basta","Collection","N/A","1","1","#filehostingservice","N/A","7","8","N/A","N/A","N/A","N/A","63156" "*www.mediafireuserupload.com/api/upload/*",".{0,1000}www\.mediafireuserupload\.com\/api\/upload\/.{0,1000}","greyware_tool_keyword","mediafire","uploading to mediafire","T1105 - T1114","TA0010","N/A","Black Basta","Data Exfiltration","N/A","1","1","#filehostingservice","N/A","10","10","N/A","N/A","N/A","N/A","63157" "*www.pulseway.com/download/*",".{0,1000}www\.pulseway\.com\/download\/.{0,1000}","greyware_tool_keyword","Pulseway","Pulseway - remote monitoring and management tool designed for IT administrators to monitor and manage their IT systems and infrastructure remotely - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider* - Back Basta","RMM","https://www.pulseway.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63160" "*www.splashtop.com/remotecaRemoveVRootsISCHECKFORPRODUCTUPDATES*",".{0,1000}www\.splashtop\.com\/remotecaRemoveVRootsISCHECKFORPRODUCTUPDATES.{0,1000}","greyware_tool_keyword","Splashtop","control remote machines- abused by threat actors","T1021.001 - T1078 - T1133 - T1112","TA0008 - TA0003 - TA0004 - TA0005 - TA0011 - TA0010","N/A","Black Basta - LockBit - AvosLocker - BianLian - Scattered Spider* - Hive - Quantum - Conti - Trigona - RansomHub - 
Cactus","RMM","https://hybrid-analysis.com/sample/18c10b0235bd341e065ac5c53ca04b68eaeacd98a120e043fb4883628baf644e/6267eb693836e7217b1a3c72","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63163" "*www.tightvnc.com/download/*=",".{0,1000}www\.tightvnc\.com\/download\/.{0,1000}\=","greyware_tool_keyword","tightvnc","TightVNC is a free and Open Source remote desktop software that lets you access and control a computer over the network - often abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://www.tightvnc.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63164" "*www1.remotepc.com*",".{0,1000}www1\.remotepc\.com.{0,1000}","greyware_tool_keyword","RemotePC","RemotePC Remote administration tool","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotepc.com/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63169" "*xargs -a /dev/null sh -p*",".{0,1000}xargs\s\-a\s\/dev\/null\ssh\s\-p.{0,1000}","greyware_tool_keyword","AutoSUID","automate harvesting the SUID executable files and to find a way for further escalating the privileges","T1548.003 - T1069.001 - T1068","TA0004 - TA0003 - TA0005","N/A","N/A","Discovery","https://github.com/IvanGlinkin/AutoSUID","1","0","N/A","N/A","9","4","375","77","2024-04-29T12:30:35Z","2021-11-28T19:44:18Z","63194" "*xcopy /Y /C /Q C:\Windows\system32\*.exe *Ie4uinit.exe*",".{0,1000}xcopy\s\/Y\s\/C\s\/Q\sC\:\\Windows\\system32\\.{0,1000}\.exe\s.{0,1000}Ie4uinit\.exe.{0,1000}","greyware_tool_keyword","xcopy","copying Ie4uinit.exe in another folder for dll sideloading","T1070.009 - T1574 - T1556.001","TA0005 - TA0004","N/A","Akira - FIN6","Defense Evasion","https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/","1","0","#lolbin","N/A","10","10","N/A","N/A","N/A","N/A","63198" "*xcopy c:\* 
\\*\c$*",".{0,1000}xcopy\sc\:\\.{0,1000}\s\\\\.{0,1000}\\c\$.{0,1000}","greyware_tool_keyword","xcopy","command abused by attackers - exfiltration to remote host with xcopy","T1059.003 - T1053.005 - T1105 - T1012 - T1057 - T1083 - T1041 - T1036 - T1035 - T1562.001 - T1564.001 - T1564.005 - T1564.002 - T1564.003 - T1027 - T1070.001 - T1112 - T1136","TA0003 - TA0007 - TA0008 - TA0010 - TA0006 - TA0002","N/A","N/A","Data Exfiltration","N/A","1","0","N/A","greyware_tools high risks of false positives","N/A","6","N/A","N/A","N/A","N/A","63200" "*XEOX Agent for Windows*",".{0,1000}XEOX\sAgent\sfor\sWindows.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","#servicename","N/A","10","10","N/A","N/A","N/A","N/A","63210" "*XEOX Agent Service*",".{0,1000}XEOX\sAgent\sService.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","application name","10","10","N/A","N/A","N/A","N/A","63211" "*xeox.com/ui/download/*",".{0,1000}xeox\.com\/ui\/download\/.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63212" "*xeox_service_windows.exe*",".{0,1000}xeox_service_windows\.exe.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - 
TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63213" "*xeox-agent_*.exe*",".{0,1000}xeox\-agent_.{0,1000}\.exe.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63214" "*xeox-agent_x64.exe*",".{0,1000}xeox\-agent_x64\.exe.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63215" "*xeox-agent_x86.exe*",".{0,1000}xeox\-agent_x86\.exe.{0,1000}","greyware_tool_keyword","xeox","Easily access and manage Windows devices remotely within XEOX - RMM abused by threat actors","T1021 - T1078 - T1219 - T1105 - T1046","TA0011 - TA0010 - TA0003 - TA0005","N/A","Dispossessor","RMM","https://xeox.com/remote-access/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63216" "*xmrig-*-bionic-x64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-bionic\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63239" "*xmrig-*-focal-x64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-focal\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - 
APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63240" "*xmrig-*-freebsd-static-x64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-freebsd\-static\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63241" "*xmrig-*-gcc-win64.zip*",".{0,1000}xmrig\-.{0,1000}\-gcc\-win64\.zip.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63242" "*xmrig-*-linux-static-x64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-linux\-static\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","#linux","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63243" "*xmrig-*-linux-x64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-linux\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","#linux","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63244" "*xmrig-*-macos-arm64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-macos\-arm64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - 
TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63245" "*xmrig-*-macos-x64.tar.gz*",".{0,1000}xmrig\-.{0,1000}\-macos\-x64\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63246" "*xmrig-*-msvc-win64.zip*",".{0,1000}xmrig\-.{0,1000}\-msvc\-win64\.zip.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63247" "*xmrig.exe -*",".{0,1000}xmrig\.exe\s\-.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","0","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63248" "*xmrig.service*",".{0,1000}xmrig\.service.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708","1","0","N/A","N/A","9","10","N/A","N/A","N/A","N/A","63249" "*xmrig.tar.gz*",".{0,1000}xmrig\.tar\.gz.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - 
APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63250" "*xmrig.zip*",".{0,1000}xmrig\.zip.{0,1000}","greyware_tool_keyword","xmrig","Auto setup scripts and pre-compiled xmr miner for c3pool.com pool","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63251" "*xmrminer.cc*",".{0,1000}xmrminer\.cc.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63252" "*xmrpool.de*",".{0,1000}xmrpool\.de.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63253" "*xmrpool.eu*",".{0,1000}xmrpool\.eu.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63254" "*xmrpool.eu:3333*",".{0,1000}xmrpool\.eu\:3333.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/xmrig/xmrig/","1","1","N/A","N/A","9","10","9173","3602","2025-04-17T09:12:31Z","2017-04-15T05:57:53Z","63255" 
"*xmrpool.me*",".{0,1000}xmrpool\.me.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63256" "*xmrpool.net*",".{0,1000}xmrpool\.net.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63257" "*xmrpool.xyz*",".{0,1000}xmrpool\.xyz.{0,1000}","greyware_tool_keyword","xmrig","CPU/GPU cryptominer often used by attackers on compromised machines","T1496 - T1057","TA0004 - TA0007","N/A","Pacha Group - APT4","Cryptomining","https://github.com/C3Pool/xmrig_setup/","1","1","N/A","N/A","9","1","27","21","2024-11-05T05:34:20Z","2020-05-16T13:01:30Z","63258" "*XWolfOverride/DuckDNS*",".{0,1000}XWolfOverride\/DuckDNS.{0,1000}","greyware_tool_keyword","duckdns.org","A simple C# DuckDNS updater - free dynamic DNS hosted on AWS - often used by threat actors for contacting C2","T1568.002 - T1071.001","TA0011 - TA0005","N/A","N/A","Defense Evasion","https://www.duckdns.org/install.jsp","1","1","N/A","N/A","5","10","N/A","N/A","N/A","N/A","63320" "*xxd -p -c 4 /* | while read line* do ping -c 1 -p *",".{0,1000}xxd\s\-p\s\-c\s4\s\/.{0,1000}\s\|\swhile\sread\sline.{0,1000}\sdo\sping\s\-c\s1\s\-p\s.{0,1000}","greyware_tool_keyword","xxd","ICMP Tunneling One Liner","T1090 - T1002 - T1016","TA0011 - TA0009","N/A","N/A","Data Exfiltration","https://github.com/RoseSecurity/Red-Teaming-TTPs/blob/main/Linux.md","1","0","N/A","N/A","10","10","1594","198","2025-04-16T21:16:51Z","2021-08-16T17:34:25Z","63323" 
"*Yakit-*-windows-amd64.exe*",".{0,1000}Yakit\-.{0,1000}\-windows\-amd64\.exe.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","63333" "*Yakit/1.0.0*",".{0,1000}Yakit\/1\.0\.0.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","1","#useragent","user-agent","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","63334" "*YAKIT_MITM*",".{0,1000}YAKIT_MITM.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","63335" "*yakit-remote.json*",".{0,1000}yakit\-remote\.json.{0,1000}","greyware_tool_keyword","yakit","security platform with fuzzers - webshell and MITM (chinese burp)","T1557 - T1557.003 - T1569.002","TA0001 - TA0040","N/A","N/A","Sniffing & Spoofing","https://github.com/Gerenios/AADInternals","1","0","N/A","N/A","7","10","1404","231","2025-04-18T11:41:23Z","2018-10-25T17:35:16Z","63336" "*yarn add localtunnel*",".{0,1000}yarn\sadd\slocaltunnel.{0,1000}","greyware_tool_keyword","localtunnel","localtunnel exposes your localhost to the world","T1021 - T1090 - T1573 - T1219 - T1562.001","TA0001 - TA0005 - TA0008 - TA0011","N/A","N/A","C2","https://github.com/localtunnel/localtunnel","1","0","N/A","N/A","10","10","20558","1428","2024-03-20T17:04:54Z","2012-06-18T02:33:30Z","63339" "*yarn add 
localxpose*",".{0,1000}yarn\sadd\slocalxpose.{0,1000}","greyware_tool_keyword","localxpose","LocalXpose is a reverse proxy that enables you to expose your localhost to the internet","T1090 - T1102 - T1043 - T1071","TA0010 - TA0005 - TA0011","N/A","N/A","Data Exfiltration","https://localxpose.io/","1","0","N/A","N/A","10","1","N/A","N/A","N/A","N/A","63340" "*ylAo2kAlUS2kYkala!*",".{0,1000}ylAo2kAlUS2kYkala!.{0,1000}","greyware_tool_keyword","Quasar","Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.","T1548.002 - T1547.001 - T1059.003 - T1555 - T1005 - T1573.001 - T1564.001 - T1564.003 - T1105 - T1056.001 - T1112 - T1095 - T1571 - T1090 - T1021.001 - T1053.005 - T1553.002 - T1082 - T1614 - T1016 - T1033 - T1552.001 - T1125","TA0002 - TA0003 - TA0005 - TA0006 - TA0008 - TA0009 - TA0011 - TA0040","N/A","Patchwork - LazyScripter - Gorgon Group - menuPass - BackdoorDiplomacy - Earth Berberoka - APT33 - APT32 - Operation C-Major - QUILTED TIGER - Molerats","RMM","https://github.com/quasar/Quasar","1","0","#content","N/A","N/A","10","9187","2551","2024-02-29T06:37:37Z","2014-07-08T12:27:59Z","63357" "*Ylianst/MeshAgent*",".{0,1000}Ylianst\/MeshAgent.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshAgent","1","1","N/A","N/A","10","3","264","96","2025-03-19T18:43:56Z","2017-10-12T21:26:52Z","63358" "*Ylianst/MeshCentral*",".{0,1000}Ylianst\/MeshCentral.{0,1000}","greyware_tool_keyword","meshcentral","MeshCentral is a full computer management web site - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","N/A","RMM","https://github.com/Ylianst/MeshCentral","1","1","N/A","N/A","10","10","4874","640","2025-04-21T16:50:06Z","2017-08-28T16:21:11Z","63359" "*You must specify the local host:port to 
expose*",".{0,1000}You\smust\sspecify\sthe\slocal\shost\:port\sto\sexpose.{0,1000}","greyware_tool_keyword","tunneller","Tunneller allows you to expose services which are running on localhost or on your local network to the public internet.","T1572 - T1048","TA0011 - TA0010 - TA0005","N/A","N/A","C2","https://github.com/skx/tunneller","1","0","N/A","N/A","10","10","487","41","2024-08-13T07:36:22Z","2019-04-21T11:05:11Z","63375" "*yum install *wireguard-*",".{0,1000}yum\sinstall\s.{0,1000}wireguard\-.{0,1000}","greyware_tool_keyword","wiretap","Wiretap is a transparent - VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.","T1572","TA0011 - TA0003","N/A","N/A","Defense Evasion","https://github.com/sandialabs/wiretap","1","0","N/A","N/A","10","10","939","41","2025-04-16T21:54:13Z","2022-11-19T00:19:05Z","63410" "*yum.repos.d/tailscale.repo*",".{0,1000}yum\.repos\.d\/tailscale\.repo.{0,1000}","greyware_tool_keyword","tailscale","Tailscale connects your team's devices and development environments for easy access to remote resources.","T1021 - T1573 ","TA0005 - TA0001 - TA0010 ","N/A","Scattered Spider*","Defense Evasion","https://github.com/tailscale/tailscale","1","0","N/A","N/A","9","10","22196","1771","2025-04-22T19:46:43Z","2020-01-31T22:00:03Z","63411" "*ZA_Connect.exe *",".{0,1000}ZA_Connect\.exe\s.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63424" "*ZA_Connect.exe.ApplicationCompany*",".{0,1000}ZA_Connect\.exe\.ApplicationCompany.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered 
Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63425" "*ZAFileTransfer.exe *",".{0,1000}ZAFileTransfer\.exe\s.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63430" "*ZAService.exe *",".{0,1000}ZAService\.exe\s.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63433" "*zema1/suo5*",".{0,1000}zema1\/suo5.{0,1000}","greyware_tool_keyword","suo5","http proxy tunneling tool","T1071 - T1073 - T1075 - T1105 - T1571","TA0008 - TA0011","N/A","N/A","C2","https://github.com/zema1/suo5","1","1","N/A","N/A","10","10","2332","217","2025-04-14T03:33:51Z","2022-11-22T11:45:26Z","63439" "*zenmap.exe*",".{0,1000}zenmap\.exe.{0,1000}","greyware_tool_keyword","nmap","When Nmap is used on Windows systems. it can perform various types of scans such as TCP SYN scans. UDP scans. and service/version detection. These scans enable the identification of open ports. services running on those ports. 
and potential vulnerabilities in target systems.","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","N/A","1","0","N/A","greyware tool - risks of False positive !","8","10","N/A","N/A","N/A","N/A","63440" "*ZeroLogonScanner.*",".{0,1000}ZeroLogonScanner\..{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","63456" "*zmap -*",".{0,1000}zmap\s\-.{0,1000}","greyware_tool_keyword","nmap","ZMap is a fast single packet network scanner designed for Internet-wide network surveys. On a typical desktop computer with a gigabit Ethernet connection. ZMap is capable scanning the entire public IPv4 address space in under 45 minutes. With a 10gigE connection and PF_RING. ZMap can scan the IPv4 address space in under 5 minutes. ZMap operates on GNU/Linux. Mac OS. and BSD. ZMap currently has fully implemented probe modules for TCP SYN scans. ICMP. DNS queries. UPnP. BACNET. and can send a large number of UDP probes. If you are looking to do more involved scans. e.g.. banner grab or TLS handshake. take a look at ZGrab. 
ZMaps sister project that performs stateful application-layer handshakes.","T1595 - T1592 - T1589 - T1590 - T1591 - T1190 - T1059 - T1046 - T1016 - T1049 - T1007","TA0001 - TA0007 - TA0043","N/A","Qilin - Cactus - EMBER BEAR - ENERGETIC BEAR - MUSTANG PANDA - TA2101 - FIN13 - Black Basta","Vulnerability Scanner","https://github.com/zmap/zmap","1","0","N/A","greyware tool - risks of False positive !","8","10","5747","937","2025-04-16T15:43:04Z","2013-01-23T01:30:09Z","63478" "*ZOHO CORPORATION PRIVATE LIMITED*",".{0,1000}ZOHO\sCORPORATION\sPRIVATE\sLIMITED.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63485" "*ZohoMeeting.exe*",".{0,1000}ZohoMeeting\.exe.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63486" "*ZohoMeeting\FileTransferSettings.conf*",".{0,1000}ZohoMeeting\\FileTransferSettings\.conf.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63487" "*ZohoMeeting\Service.Conf*",".{0,1000}ZohoMeeting\\Service\.Conf.{0,1000}","greyware_tool_keyword","Zoho Assist","Zoho Assist Remote access software - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","LockBit - Scattered Spider*","RMM","https://www.zoho.com/assist/","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63488" 
"*zrockify_func(*",".{0,1000}zrockify_func\(.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#content","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63491" "*zrok admin bootstrap*",".{0,1000}zrok\sadmin\sbootstrap.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63492" "*zrok configuration updated*",".{0,1000}zrok\sconfiguration\supdated.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63493" "*zrok environment disabled*",".{0,1000}zrok\senvironment\sdisabled.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63494" "*zrok share public *",".{0,1000}zrok\sshare\spublic\s.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63495" "*zrok share reserved *",".{0,1000}zrok\sshare\sreserved\s.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63496" "*zrok test loop public*",".{0,1000}zrok\stest\sloop\spublic.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63497" "*zrok.environment.root*",".{0,1000}zrok\.environment\.root.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63498" "*zrok.environment.root.Load*",".{0,1000}zrok\.environment\.root\.Load.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63499" "*zrok.proxy.v1*",".{0,1000}zrok\.proxy\.v1.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63500" "*zrok.share.CreateShare(*",".{0,1000}zrok\.share\.CreateShare\(.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","#content","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63501" "*zrok_api.configuration*",".{0,1000}zrok_api\.configuration.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63502" "*ZROK_BACKEND_MODE*",".{0,1000}ZROK_BACKEND_MODE.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63503" "*ZROK_RESERVED_TOKEN*",".{0,1000}ZROK_RESERVED_TOKEN.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63504" "*zrok-share.service*",".{0,1000}zrok\-share\.service.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63505" "*zrokSvcId=*",".{0,1000}zrokSvcId\=.{0,1000}","greyware_tool_keyword","zrok","zrok allows users to share tunnels for HTTP TCP and UDP network resources. 
zrok additionally allows users to easily and rapidly share files - web content and custom resources in a peer-to-peer manner.","T1572","TA0011 - TA0003","N/A","N/A","C2","https://github.com/openziti/zrok","1","0","N/A","N/A","10","10","3132","125","2025-04-22T18:36:51Z","2022-07-18T19:14:51Z","63506" "https://*.xyz/*.ps1","http.*\.(country|stream|gdn|mom|xin|kim|men|loan|download|racing|online|science|ren|gb|win|top|review|vip|party|tech|xyz|date|faith|cricket|space|info|vn|cm|am|cc|asia|ws|tk|biz|su|st|ge|pk|nu|me|ph|to|tt|name|tv|kz|tc|mobi|study|click|link|trade|accountant|cf|gq|ml|ga|pw)\/.*\.(exe|vbs|bat|rar|ps1|doc|docm|xls|xlsm|pptm|rtf|hta|dll|ws|wsf|sct|zip|bin)$","greyware_tool_keyword","_","Suspicious tlds with suspicious file types","T1204 - T1212 - T1562","TA0001 - TA0003 - TA0005","N/A","N/A","Phishing","N/A","0","1","N/A","N/A","8","10","N/A","N/A","N/A","N/A","63564" "ldapsearch -h * -x*","ldapsearch\s\-h\s.{0,1000}\s\-x.{0,1000}","greyware_tool_keyword","ldapsearch","ldapsearch to enumerate ldap","T1018 - T1087 - T1069","TA0007 - TA0002 - TA0008","N/A","N/A","Reconnaissance","https://man7.org/linux/man-pages/man1/ldapsearch.1.html","1","0","#linux","greyware tool - risks of False positive !","6","10","N/A","N/A","N/A","N/A","63571" "setenforce 0","setenforce\s0","greyware_tool_keyword","shell","Adversaries may disable security tools to avoid possible detection of their tools and activities. 
This can take the form of killing security software or event logging processes* deleting Registry keys so that tools do not start at run time* or other methods to interfere with security tools scanning or reporting information.","T1055 - T1070.004 - T1218.011","TA0007 - TA0005 - TA0040","N/A","N/A","Defense Evasion","https://attack.mitre.org/techniques/T1562/001/","1","0","#linux","greyware tool - risks of False positive !","N/A","N/A","N/A","N/A","N/A","N/A","63590" "ss -lntp*","ss\s\-lntp.{0,1000}","greyware_tool_keyword","ss","replace netstat command - service listening","T1049 - T1040","TA0007 - TA0009","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","6","10","N/A","N/A","N/A","N/A","63593" "*remotedesktop-pa.googleapis.com*",".{0,1000}remotedesktop\-pa\.googleapis\.com.{0,1000}","greyware_tool_keyword","Google Remote Desktop","Google Chrome Remote Desktop to access remote computers - abused by attackers","T1021 - T1071 - T1090","TA0003 - TA0008 - TA0011","N/A","Scattered Spider*","RMM","https://remotedesktop.google.com","1","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63712" "*Get-Process lsass*",".{0,1000}Get\-Process\slsass.{0,1000}","greyware_tool_keyword","powershell","PowerShell LSASS dump reconnaissance via Get-Process","T1003 - T1057 - T1082","TA0007 - TA0009 - TA0001","N/A","N/A","Discovery","N/A","1","0","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63713" "*anynet%20relay%0*",".{0,1000}anynet\%20relay\%0.{0,1000}","greyware_tool_keyword","anydesk","Anydesk RMM usage","T1021 - T1071 - T1090","TA0008 - TA0011","N/A","BlackSuit - Royal - Akira - BlackCat - Karakurt - LockBit - Rhysida - AvosLocker - Conti - Dagon Locker - Nokoyawa - Quantum - Diavol - Trigona - BlackByte - Cactus - Lapsus$ - Black Basta - MONTI - Karakurt - Dispossessor","RMM","https://anydesk.com/","0","1","N/A","N/A","10","10","N/A","N/A","N/A","N/A","63717" "*/invoices.hta*",".{0,1000}\/invoices\.hta.{0,1000}","greyware_tool_keyword","_","suspicious file name often used by 
attackers in phishing attempts (threat hunting only)","T1059.005 - T1204.002","TA0002 - TA0001","N/A","N/A","Phishing","N/A","0","1","N/A","N/A","6","8","N/A","N/A","N/A","N/A","63718" "*PingCastleAutoUpdater.exe*",".{0,1000}PingCastleAutoUpdater\.exe.{0,1000}","greyware_tool_keyword","pingcastle","active directory weakness scan Vulnerability scanner and Earth Lusca Operations Tools and commands","T1016 - T1069.002 - T1087.002 - T1485","TA0007 - TA0008","N/A","MAZE - BianLian - Scattered Spider* - DragonForce","Vulnerability Scanner","https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf https://github.com/vletoux/pingcastle","1","1","N/A","N/A","10","","N/A","","","","63719" "*index.php?controller=